Problem after pendrive connection


This topic is locked

#1 Kelendril (New Member, 6 posts)
Good night everyone.

First of all, I'd like to say that I am from Brazil and, therefore, my English may be filled with mistakes ^^

Well, to the problem then:

A week ago, approximately, my uncle opened his pendrive on my PC and installed a piece of software (I don't remember the name) that enabled him to download videos from YouTube. When the installation was complete, some error messages started appearing every 2 seconds or so. My brother then messed with something here that made those messages stop (EDIT: we removed the program my uncle installed). We thought the problem was over, but since then the computer has not been the same. It has slowed down and I've been receiving error messages much more frequently, like this one when I try to execute some programs:

Microsoft C++ Runtime Library

Program: C:\Program Files\Garena\Garena.exe

R6002
-floating point support not loaded


That one when windows starts up, from DAEMON Tools:

DAEMON Tools Lite


This program requires at least Windows 2000 with SPTD 1.60 or higher.
Kernel debugger must be deactivated


And that one from Google Chrome, when I open some web pages:

Windows - Application Error


The application was unable to start correctly (0xc0000135). Click OK to close the application.



After the error message, even when I click OK, nothing happens and the page does not get loaded. I must close it manually and open a new tab to continue using the internet. That is very annoying.

Well, with help from a Brazilian help forum like this one (BABOO's forum), I ran HijackThis several times and used ComboFix and MBAM, but the problems persisted. After MBAM got installed, it detects malware from the internet all the time and I always send it to quarantine. After this, I ran the "FixIt" program from this page " http://support.microsoft.com/kb/822798 ". The problems were not solved. I tried to run Windows Update, but one update out of 83 couldn't be installed and I got error message 800B0100. At this very moment, I've been running the "Microsoft Windows Malicious Software Removal Tool Sep/2011" for two hours and the progress bar isn't even near 30%. Approximately 850 thousand files have been examined, with 600 infected files encountered so far.

It might be important to say that I use Windows 7.

Sorry for the long text and possible bad English here; I tried to explain the problem as best as I could.

OTL's Log is below:

OTL logfile created on: 10/4/2011 7:18:30 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Users\Matheus\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.67 Mb Total Physical Memory | 141.53 Mb Available Physical Memory | 14.29% Memory free
1.97 Gb Paging File | 0.66 Gb Available in Paging File | 33.72% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 228.44 Gb Total Space | 50.55 Gb Free Space | 22.13% Space Free | Partition Type: NTFS

Computer Name: PC | User Name: Matheus | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/04 18:48:32 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Users\Matheus\Desktop\OTL.exe
PRC - [2011/10/04 16:33:01 | 000,031,402 | ---- | M] () -- C:\Users\Matheus\AppData\Local\Temp\dukks.exe
PRC - [2011/10/04 16:32:51 | 000,012,970 | ---- | M] () -- C:\Users\Matheus\AppData\Local\Temp\ytgrj.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/07/08 04:50:33 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/31 02:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/13 22:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/04 16:33:01 | 000,031,402 | ---- | M] () -- C:\Users\Matheus\AppData\Local\Temp\dukks.exe
MOD - [2011/10/04 16:32:51 | 000,012,970 | ---- | M] () -- C:\Users\Matheus\AppData\Local\Temp\ytgrj.exe
MOD - [2011/10/01 17:40:54 | 000,076,288 | ---- | M] () -- C:\Users\Matheus\AppData\Roaming\Mozilla\Firefox\Profiles\9z5063qn.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko5.dll
MOD - [2011/07/08 04:50:33 | 001,850,328 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2010/06/12 16:55:37 | 005,612,496 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2010/03/15 15:28:24 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (gusvc)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/05/25 04:24:45 | 002,288,232 | ---- | M] (NVIDIA Corporation) [Disabled | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/01/16 20:09:00 | 004,077,936 | ---- | M] (INCA Internet Co., Ltd.) [Disabled | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2010/08/05 08:46:02 | 000,653,272 | ---- | M] (PC Tools) [Disabled | Stopped] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2010/04/30 06:30:42 | 001,343,400 | ---- | M] () [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/07/13 22:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 22:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/05/25 04:24:42 | 010,589,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/07/13 21:24:29 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/07/13 20:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 19:13:47 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F8 9E 28 68 39 44 CC 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: " "
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..keyword.URL: "http://search.condui...d=CT2790392&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@Webzen.com/NPGameWebStarter: C:\Program Files\WEBZEN\WebzenGameStarter\NPGameWebStarter.dll (WEBZEN)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Matheus\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Matheus\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/17 01:32:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2010/04/29 16:24:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matheus\AppData\Roaming\mozilla\Extensions
[2011/10/02 12:43:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matheus\AppData\Roaming\mozilla\Firefox\Profiles\9z5063qn.default\extensions
[2011/10/02 10:51:46 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Users\Matheus\AppData\Roaming\mozilla\Firefox\Profiles\9z5063qn.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
[2010/12/07 11:33:35 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Matheus\AppData\Roaming\mozilla\Firefox\Profiles\9z5063qn.default\extensions\[email protected]
[2011/10/04 16:40:55 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Users\Matheus\AppData\Roaming\mozilla\Firefox\Profiles\9z5063qn.default\extensions\[email protected]
[2011/06/20 14:07:00 | 000,000,863 | ---- | M] () -- C:\Users\Matheus\AppData\Roaming\Mozilla\Firefox\Profiles\9z5063qn.default\searchplugins\conduit.xml
[2011/09/12 21:30:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/12 21:30:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
[2011/07/08 04:50:33 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 05:00:00 | 000,001,027 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\buscape.xml
[2010/01/01 05:00:00 | 000,001,212 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\mercadolivre.xml
[2010/01/01 05:00:00 | 000,001,168 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-br.xml
[2010/01/01 05:00:00 | 000,000,952 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-br.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Matheus\AppData\Local\Google\Chrome\Application\14.0.835.187\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.270.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U27 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\PFiles\Plugins\np-mswmp.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Matheus\AppData\Local\Google\Chrome\Application\14.0.835.187\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Matheus\AppData\Local\Google\Chrome\Application\14.0.835.187\pdf.dll
CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: NPGameWebStarter (Enabled) = C:\Program Files\WEBZEN\WebzenGameStarter\NPGameWebStarter.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Angry Birds = C:\Users\Matheus\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.1.2_0\

O1 HOSTS File: ([2011/10/01 10:24:39 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Extraram] C:\Program Files\Extra RAM\ExtraRAM.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html File not found
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 201.17.128.109 201.17.128.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EF129B70-3092-4EE2-908D-5C1567260413}: DhcpNameServer = 201.17.128.109 201.17.128.103
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 18:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/10/01 10:25:38 | 000,000,239 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/04 18:47:27 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Users\Matheus\Desktop\OTL.exe
[2011/10/04 17:07:23 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2011/10/04 13:55:51 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2011/10/04 13:31:02 | 000,000,000 | ---D | C] -- C:\Windows\System32\catroot2
[2011/10/03 20:05:03 | 000,000,000 | ---D | C] -- C:\Users\Matheus\AppData\Local\AskToolbar
[2011/10/03 19:45:22 | 000,000,000 | ---D | C] -- C:\Users\Matheus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2011/10/02 23:15:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Reader 5.0
[2011/10/02 23:15:02 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2011/10/02 15:44:27 | 000,000,000 | ---D | C] -- C:\Users\Matheus\Desktop\epidemio
[2011/10/02 13:17:50 | 000,000,000 | ---D | C] -- C:\Users\Matheus\AppData\Roaming\GlarySoft
[2011/10/02 12:44:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Extra RAM
[2011/10/02 12:44:17 | 000,000,000 | ---D | C] -- C:\Program Files\Extra RAM
[2011/10/02 12:43:37 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2011/10/02 12:43:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities
[2011/10/02 12:43:04 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities
[2011/10/01 15:01:28 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/10/01 10:30:47 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/10/01 10:22:25 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/10/01 10:22:25 | 000,000,000 | ---D | C] -- C:\Users\Matheus\AppData\Local\temp
[2011/10/01 10:13:12 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2011/10/01 10:06:02 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/10/01 10:06:02 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/10/01 10:06:02 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/10/01 10:05:51 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/10/01 10:05:45 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/30 21:28:48 | 004,311,925 | R--- | C] (Swearware) -- C:\Users\Matheus\Desktop\ComboFix.exe
[2011/09/28 16:41:16 | 000,000,000 | ---D | C] -- C:\Users\Matheus\AppData\Roaming\Malwarebytes
[2011/09/28 16:39:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/28 16:39:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/09/28 16:39:43 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/09/28 16:39:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/27 13:18:51 | 000,462,848 | ---- | C] (Trend Micro Inc.) -- C:\Users\Matheus\Desktop\HijackThis.exe
[2011/09/27 13:09:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2011/09/27 13:09:34 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/09/25 19:22:46 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/09/25 14:57:40 | 000,026,416 | ---- | C] (Nitro PDF Software) -- C:\Windows\System32\nitrolocalmon2.dll
[2011/09/25 14:57:40 | 000,017,712 | ---- | C] (Nitro PDF Software) -- C:\Windows\System32\nitrolocalui2.dll
[2011/09/25 14:54:55 | 000,000,000 | ---D | C] -- C:\Program Files\DsNET Corp
[2011/09/24 23:48:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epi Info
[2011/09/24 23:47:43 | 000,000,000 | ---D | C] -- C:\Program Files\DCube
[2011/09/24 23:47:41 | 000,000,000 | ---D | C] -- C:\Program Files\FathZip
[2011/09/24 23:47:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ESRI
[2011/09/24 23:47:30 | 000,000,000 | ---D | C] -- C:\Epi_Info
[2011/09/24 23:44:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2011/09/17 22:18:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
[2011/09/12 21:31:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/09/12 21:31:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/09/12 21:29:06 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Matheus\Desktop\*.tmp files -> C:\Users\Matheus\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/04 19:27:08 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1001UA.job
[2011/10/04 19:25:10 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/04 18:48:32 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Users\Matheus\Desktop\OTL.exe
[2011/10/04 18:32:00 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1003UA.job
[2011/10/04 18:26:37 | 000,017,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/04 18:26:37 | 000,017,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/04 18:25:23 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/04 16:27:39 | 000,000,314 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
[2011/10/04 16:26:03 | 003,764,648 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/10/04 16:25:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/10/04 16:25:35 | 779,096,064 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/04 14:07:28 | 000,025,713 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2011/10/03 22:32:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1003Core.job
[2011/10/03 19:45:28 | 000,002,324 | ---- | M] () -- C:\Users\Matheus\Desktop\Google Chrome.lnk
[2011/10/02 23:15:11 | 000,001,063 | ---- | M] () -- C:\Users\Public\Desktop\Foxit Reader 5.0.lnk
[2011/10/02 21:39:08 | 000,001,956 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/10/02 13:27:02 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1001Core.job
[2011/10/02 12:44:17 | 000,000,885 | ---- | M] () -- C:\Users\Public\Desktop\Extra RAM.lnk
[2011/10/02 12:43:10 | 000,000,991 | ---- | M] () -- C:\Users\Matheus\Desktop\Glary Utilities.lnk
[2011/10/01 10:25:38 | 000,103,140 | RHS- | M] () -- C:\ddtep.pif
[2011/10/01 10:25:38 | 000,000,239 | RHS- | M] () -- C:\autorun.inf
[2011/10/01 10:24:39 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/09/30 21:29:11 | 004,311,925 | R--- | M] (Swearware) -- C:\Users\Matheus\Desktop\ComboFix.exe
[2011/09/28 21:49:49 | 116,006,378 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/09/28 16:39:48 | 000,001,034 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/27 13:18:54 | 000,462,848 | ---- | M] (Trend Micro Inc.) -- C:\Users\Matheus\Desktop\HijackThis.exe
[2011/09/27 13:18:34 | 000,390,514 | ---- | M] () -- C:\Users\Matheus\Documents\cc_20110927_131816.reg
[2011/09/27 13:09:36 | 000,000,932 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/09/25 14:49:44 | 000,665,306 | ---- | M] () -- C:\Windows\System32\prfh0416.dat
[2011/09/25 14:49:44 | 000,618,026 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/09/25 14:49:44 | 000,125,694 | ---- | M] () -- C:\Windows\System32\prfc0416.dat
[2011/09/25 14:49:44 | 000,104,340 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/09/24 23:48:51 | 000,000,542 | ---- | M] () -- C:\Windows\openrda.ini
[2011/09/24 23:48:09 | 000,002,453 | ---- | M] () -- C:\Users\Matheus\Documents\Epi Info.lnk
[2011/09/23 09:51:28 | 000,002,409 | ---- | M] () -- C:\Users\Matheus\Documents\Google Chrome.lnk
[2011/09/17 22:18:28 | 000,002,209 | ---- | M] () -- C:\Users\Matheus\Documents\Google Earth.lnk
[2011/09/15 20:35:12 | 000,080,535 | ---- | M] () -- C:\Users\Matheus\Documents\asdasads.png
[2011/09/15 20:25:07 | 000,118,145 | ---- | M] () -- C:\Users\Matheus\Documents\asdasasd.png
[2011/09/15 20:23:16 | 000,110,783 | ---- | M] () -- C:\Users\Matheus\Documents\fotenha.png
[2011/09/15 20:19:06 | 000,066,349 | ---- | M] () -- C:\Users\Matheus\Documents\PQAAALv_m_2cOlwJuZp_m6rqSEE391q9cytn4vbN_6ckykc8WGfGvuJh9JGuESPB2pofiFuk6J4qQOj576Itrs44YREAm1T1UMP_rT_FbYA2Hy9grx7a73PjUpS5.jpg
[2011/09/15 20:12:39 | 000,074,086 | ---- | M] () -- C:\Users\Matheus\Documents\PQAAAOKK-54a3usUIIYqRxKQAMn2dfMIZw5z278jKGDX9NpT5ObgjeEK43qJgi_pObLdq13uEKDff8qGEwACFId6D_wAm1T1UFL7k94_YlGf05E8cyG692Fk8Tuh.jpg
[2011/09/15 01:37:58 | 000,145,997 | ---- | M] () -- C:\Users\Matheus\Documents\Untitled.png
[2011/09/15 01:22:00 | 000,055,930 | ---- | M] () -- C:\Users\Matheus\Documents\asdf.jpg
[2011/09/15 01:20:13 | 000,049,557 | ---- | M] () -- C:\Users\Matheus\Documents\ú.jpg
[2011/09/10 14:25:35 | 000,065,988 | ---- | M] () -- C:\Users\Matheus\Documents\jacekyerka12sx8.jpg
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Matheus\Desktop\*.tmp files -> C:\Users\Matheus\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/04 14:07:27 | 000,025,713 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/10/03 19:45:28 | 000,002,324 | ---- | C] () -- C:\Users\Matheus\Desktop\Google Chrome.lnk
[2011/10/02 23:15:11 | 000,001,063 | ---- | C] () -- C:\Users\Public\Desktop\Foxit Reader 5.0.lnk
[2011/10/02 12:44:17 | 000,000,885 | ---- | C] () -- C:\Users\Public\Desktop\Extra RAM.lnk
[2011/10/02 12:43:18 | 000,000,314 | ---- | C] () -- C:\Windows\tasks\GlaryInitialize.job
[2011/10/02 12:43:10 | 000,000,991 | ---- | C] () -- C:\Users\Matheus\Desktop\Glary Utilities.lnk
[2011/10/01 10:25:38 | 000,103,140 | RHS- | C] () -- C:\ddtep.pif
[2011/10/01 10:25:20 | 000,000,239 | RHS- | C] () -- C:\autorun.inf
[2011/10/01 10:06:02 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/10/01 10:06:02 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/10/01 10:06:02 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/10/01 10:06:02 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/10/01 10:06:02 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/09/28 21:49:49 | 116,006,378 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/09/28 16:39:48 | 000,001,034 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/27 13:18:28 | 000,390,514 | ---- | C] () -- C:\Users\Matheus\Documents\cc_20110927_131816.reg
[2011/09/27 13:09:36 | 000,000,932 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/09/24 23:48:09 | 000,002,453 | ---- | C] () -- C:\Users\Matheus\Documents\Epi Info.lnk
[2011/09/24 23:46:51 | 000,240,128 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2011/09/17 22:18:28 | 000,002,209 | ---- | C] () -- C:\Users\Matheus\Documents\Google Earth.lnk
[2011/09/15 20:35:11 | 000,080,535 | ---- | C] () -- C:\Users\Matheus\Documents\asdasads.png
[2011/09/15 20:24:28 | 000,118,145 | ---- | C] () -- C:\Users\Matheus\Documents\asdasasd.png
[2011/09/15 20:23:16 | 000,110,783 | ---- | C] () -- C:\Users\Matheus\Documents\fotenha.png
[2011/09/15 20:19:10 | 000,066,349 | ---- | C] () -- C:\Users\Matheus\Documents\PQAAALv_m_2cOlwJuZp_m6rqSEE391q9cytn4vbN_6ckykc8WGfGvuJh9JGuESPB2pofiFuk6J4qQOj576Itrs44YREAm1T1UMP_rT_FbYA2Hy9grx7a73PjUpS5.jpg
[2011/09/15 20:12:59 | 000,074,086 | ---- | C] () -- C:\Users\Matheus\Documents\PQAAAOKK-54a3usUIIYqRxKQAMn2dfMIZw5z278jKGDX9NpT5ObgjeEK43qJgi_pObLdq13uEKDff8qGEwACFId6D_wAm1T1UFL7k94_YlGf05E8cyG692Fk8Tuh.jpg
[2011/09/15 01:37:58 | 000,145,997 | ---- | C] () -- C:\Users\Matheus\Documents\Untitled.png
[2011/09/15 01:22:05 | 000,055,930 | ---- | C] () -- C:\Users\Matheus\Documents\asdf.jpg
[2011/09/15 01:20:36 | 000,049,557 | ---- | C] () -- C:\Users\Matheus\Documents\ú.jpg
[2011/09/10 14:25:51 | 000,065,988 | ---- | C] () -- C:\Users\Matheus\Documents\jacekyerka12sx8.jpg
[2011/08/27 12:01:43 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfmonnt.dll
[2011/08/27 12:01:39 | 000,000,164 | ---- | C] () -- C:\Windows\System32\psconv.ini
[2011/02/13 02:00:45 | 000,037,336 | ---- | C] () -- C:\Windows\System32\CleanMFT32.exe
[2010/12/10 22:11:53 | 001,970,176 | ---- | C] () -- C:\Windows\System32\d3dx9.dll
[2010/12/09 22:44:33 | 000,000,286 | ---- | C] () -- C:\Windows\SIERRA.INI
[2010/11/17 11:50:04 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/05/14 00:35:26 | 000,170,061 | ---- | C] () -- C:\Windows\hpoins14.dat
[2010/05/14 00:35:26 | 000,001,498 | ---- | C] () -- C:\Windows\hpomdl14.dat
[2010/05/04 16:12:54 | 000,000,418 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/07/21 18:51:23 | 000,665,306 | ---- | C] () -- C:\Windows\System32\prfh0416.dat
[2009/07/21 18:51:23 | 000,323,154 | ---- | C] () -- C:\Windows\System32\prfi0416.dat
[2009/07/21 18:51:23 | 000,125,694 | ---- | C] () -- C:\Windows\System32\prfc0416.dat
[2009/07/21 18:51:23 | 000,038,536 | ---- | C] () -- C:\Windows\System32\prfd0416.dat
[2009/07/14 01:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 01:33:53 | 003,764,648 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 23:05:48 | 000,618,026 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 23:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 23:05:48 | 000,104,340 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 23:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 23:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 23:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 20:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 20:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 20:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 18:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/30 10:14:26 | 000,000,542 | ---- | C] () -- C:\Windows\openrda.ini

========== LOP Check ==========

[2011/03/08 16:53:22 | 000,000,000 | ---D | M] -- C:\Users\Matheus\AppData\Roaming\.bsnes
[2011/09/27 13:14:12 | 000,000,000 | ---D | M] -- C:\Users\Matheus\AppData\Roaming\BitTorrent
[2011/07/15 11:38:22 | 000,000,000 | ---D | M] -- C:\Users\Matheus\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
[2011/09/27 13:15:12 | 000,000,000 | ---D | M] -- C:\Users\Matheus\AppData\Roaming\DAEMON Tools Lite
[2011/08/27 12:31:51 | 000,000,000 | ---D | M] -- C:\Users\Matheus\AppData\Roaming\Docx2Rtf
[2011/10/02 13:17:50 | 000,000,000 | ---D | M] -- C:\Users\Matheus\AppData\Roaming\GlarySoft
[2011/08/17 23:02:20 | 000,000,000 | ---D | M] -- C:\Users\Matheus\AppData\Roaming\InternetTV
[2011/08/27 12:31:21 | 000,000,000 | ---D | M] -- C:\Users\Matheus\AppData\Roaming\NwDocx
[2011/10/04 16:27:39 | 000,000,314 | ---- | M] () -- C:\Windows\Tasks\GlaryInitialize.job
[2011/08/09 14:35:50 | 000,032,636 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:D1B5B4F1

< End of report >


OTL Extras logfile created on: 10/4/2011 7:18:30 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Users\Matheus\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.67 Mb Total Physical Memory | 141.53 Mb Available Physical Memory | 14.29% Memory free
1.97 Gb Paging File | 0.66 Gb Available in Paging File | 33.72% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 228.44 Gb Total Space | 50.55 Gb Free Space | 22.13% Space Free | Partition Type: NTFS

Computer Name: PC | User Name: Matheus | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 1
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 1
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\DAEMON Tools Lite\DTLite.exe" = C:\Program Files\DAEMON Tools Lite\DTLite.exe:*:Enabled:ipsec -- (DT Soft Ltd)
"C:\ComboFix\NircmdB.exe" = C:\ComboFix\NircmdB.exe:*:Enabled:ipsec
"C:\Windows\system32\conhost.exe" = C:\Windows\system32\conhost.exe:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\Windows\TEMP\winxareic.exe" = C:\Windows\TEMP\winxareic.exe:*:Enabled:ipsec
"C:\Windows\TEMP\winekdj.exe" = C:\Windows\TEMP\winekdj.exe:*:Enabled:ipsec
"C:\Windows\TEMP\winotsfvp.exe" = C:\Windows\TEMP\winotsfvp.exe:*:Enabled:ipsec
"C:\Windows\TEMP\cujweg.exe" = C:\Windows\TEMP\cujweg.exe:*:Enabled:ipsec
"C:\Windows\TEMP\wsng.exe" = C:\Windows\TEMP\wsng.exe:*:Enabled:ipsec
"C:\Windows\TEMP\dcdjm.exe" = C:\Windows\TEMP\dcdjm.exe:*:Enabled:ipsec
"C:\Windows\system32\taskhost.exe" = C:\Windows\system32\taskhost.exe:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\Users\Matheus\AppData\Local\Temp\wingtip.exe" = C:\Users\Matheus\AppData\Local\Temp\wingtip.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\kutg.exe" = C:\Users\Matheus\AppData\Local\Temp\kutg.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winspbvf.exe" = C:\Users\Matheus\AppData\Local\Temp\winspbvf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winbnvr.exe" = C:\Users\Matheus\AppData\Local\Temp\winbnvr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winylgyo.exe" = C:\Users\Matheus\AppData\Local\Temp\winylgyo.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winpxmumc.exe" = C:\Users\Matheus\AppData\Local\Temp\winpxmumc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\dxvsfx.exe" = C:\Users\Matheus\AppData\Local\Temp\dxvsfx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\bmjpex.exe" = C:\Users\Matheus\AppData\Local\Temp\bmjpex.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ximqbh.exe" = C:\Users\Matheus\AppData\Local\Temp\ximqbh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winfbdjwr.exe" = C:\Users\Matheus\AppData\Local\Temp\winfbdjwr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\pokdlb.exe" = C:\Users\Matheus\AppData\Local\Temp\pokdlb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winbutqv.exe" = C:\Users\Matheus\AppData\Local\Temp\winbutqv.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\tyjlge.exe" = C:\Users\Matheus\AppData\Local\Temp\tyjlge.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\fkjae.exe" = C:\Users\Matheus\AppData\Local\Temp\fkjae.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winnvex.exe" = C:\Users\Matheus\AppData\Local\Temp\winnvex.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winbipc.exe" = C:\Users\Matheus\AppData\Local\Temp\winbipc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\aouy.exe" = C:\Users\Matheus\AppData\Local\Temp\aouy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\vkfxya.exe" = C:\Users\Matheus\AppData\Local\Temp\vkfxya.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winmxnba.exe" = C:\Users\Matheus\AppData\Local\Temp\winmxnba.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\mcqe.exe" = C:\Users\Matheus\AppData\Local\Temp\mcqe.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winqwqe.exe" = C:\Users\Matheus\AppData\Local\Temp\winqwqe.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\obbdj.exe" = C:\Users\Matheus\AppData\Local\Temp\obbdj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winksok.exe" = C:\Users\Matheus\AppData\Local\Temp\winksok.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winmwdxvr.exe" = C:\Users\Matheus\AppData\Local\Temp\winmwdxvr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wintpyqnf.exe" = C:\Users\Matheus\AppData\Local\Temp\wintpyqnf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winvwrbh.exe" = C:\Users\Matheus\AppData\Local\Temp\winvwrbh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\dhkjia.exe" = C:\Users\Matheus\AppData\Local\Temp\dhkjia.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winmbmef.exe" = C:\Users\Matheus\AppData\Local\Temp\winmbmef.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winecmwc.exe" = C:\Users\Matheus\AppData\Local\Temp\winecmwc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\bufj.exe" = C:\Users\Matheus\AppData\Local\Temp\bufj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winkmblwp.exe" = C:\Users\Matheus\AppData\Local\Temp\winkmblwp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\grvseb.exe" = C:\Users\Matheus\AppData\Local\Temp\grvseb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winlaah.exe" = C:\Users\Matheus\AppData\Local\Temp\winlaah.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winahmsk.exe" = C:\Users\Matheus\AppData\Local\Temp\winahmsk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\hghucn.exe" = C:\Users\Matheus\AppData\Local\Temp\hghucn.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winnhkwiq.exe" = C:\Users\Matheus\AppData\Local\Temp\winnhkwiq.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winffoeda.exe" = C:\Users\Matheus\AppData\Local\Temp\winffoeda.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\dmgixu.exe" = C:\Users\Matheus\AppData\Local\Temp\dmgixu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winmwfcjs.exe" = C:\Users\Matheus\AppData\Local\Temp\winmwfcjs.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winqvmes.exe" = C:\Users\Matheus\AppData\Local\Temp\winqvmes.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winpbmxg.exe" = C:\Users\Matheus\AppData\Local\Temp\winpbmxg.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winmfay.exe" = C:\Users\Matheus\AppData\Local\Temp\winmfay.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wvkns.exe" = C:\Users\Matheus\AppData\Local\Temp\wvkns.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winamkpbg.exe" = C:\Users\Matheus\AppData\Local\Temp\winamkpbg.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winitvwha.exe" = C:\Users\Matheus\AppData\Local\Temp\winitvwha.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ptqymr.exe" = C:\Users\Matheus\AppData\Local\Temp\ptqymr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\palgf.exe" = C:\Users\Matheus\AppData\Local\Temp\palgf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\mhnk.exe" = C:\Users\Matheus\AppData\Local\Temp\mhnk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\civv.exe" = C:\Users\Matheus\AppData\Local\Temp\civv.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\pgsr.exe" = C:\Users\Matheus\AppData\Local\Temp\pgsr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\hmsqn.exe" = C:\Users\Matheus\AppData\Local\Temp\hmsqn.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winpflsr.exe" = C:\Users\Matheus\AppData\Local\Temp\winpflsr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winfbpm.exe" = C:\Users\Matheus\AppData\Local\Temp\winfbpm.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\bipw.exe" = C:\Users\Matheus\AppData\Local\Temp\bipw.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\bxnwu.exe" = C:\Users\Matheus\AppData\Local\Temp\bxnwu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wingiglr.exe" = C:\Users\Matheus\AppData\Local\Temp\wingiglr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wincfsbd.exe" = C:\Users\Matheus\AppData\Local\Temp\wincfsbd.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxpwpi.exe" = C:\Users\Matheus\AppData\Local\Temp\winxpwpi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\cxkhw.exe" = C:\Users\Matheus\AppData\Local\Temp\cxkhw.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wineuwc.exe" = C:\Users\Matheus\AppData\Local\Temp\wineuwc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winfyrt.exe" = C:\Users\Matheus\AppData\Local\Temp\winfyrt.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winnyaram.exe" = C:\Users\Matheus\AppData\Local\Temp\winnyaram.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winiotbs.exe" = C:\Users\Matheus\AppData\Local\Temp\winiotbs.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\auqk.exe" = C:\Users\Matheus\AppData\Local\Temp\auqk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winepdnj.exe" = C:\Users\Matheus\AppData\Local\Temp\winepdnj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winieggxc.exe" = C:\Users\Matheus\AppData\Local\Temp\winieggxc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wineqwh.exe" = C:\Users\Matheus\AppData\Local\Temp\wineqwh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winrvmfp.exe" = C:\Users\Matheus\AppData\Local\Temp\winrvmfp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winklyt.exe" = C:\Users\Matheus\AppData\Local\Temp\winklyt.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ropd.exe" = C:\Users\Matheus\AppData\Local\Temp\ropd.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ysqft.exe" = C:\Users\Matheus\AppData\Local\Temp\ysqft.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\busffv.exe" = C:\Users\Matheus\AppData\Local\Temp\busffv.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winhuwjae.exe" = C:\Users\Matheus\AppData\Local\Temp\winhuwjae.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winqfgjby.exe" = C:\Users\Matheus\AppData\Local\Temp\winqfgjby.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\dlqedx.exe" = C:\Users\Matheus\AppData\Local\Temp\dlqedx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winotwc.exe" = C:\Users\Matheus\AppData\Local\Temp\winotwc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winsspk.exe" = C:\Users\Matheus\AppData\Local\Temp\winsspk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\mpksj.exe" = C:\Users\Matheus\AppData\Local\Temp\mpksj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\uldjyr.exe" = C:\Users\Matheus\AppData\Local\Temp\uldjyr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winsyvi.exe" = C:\Users\Matheus\AppData\Local\Temp\winsyvi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winmlfi.exe" = C:\Users\Matheus\AppData\Local\Temp\winmlfi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winyxyaxj.exe" = C:\Users\Matheus\AppData\Local\Temp\winyxyaxj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\kapdti.exe" = C:\Users\Matheus\AppData\Local\Temp\kapdti.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\yptl.exe" = C:\Users\Matheus\AppData\Local\Temp\yptl.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winodxs.exe" = C:\Users\Matheus\AppData\Local\Temp\winodxs.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winygtakw.exe" = C:\Users\Matheus\AppData\Local\Temp\winygtakw.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winsyulix.exe" = C:\Users\Matheus\AppData\Local\Temp\winsyulix.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\windepf.exe" = C:\Users\Matheus\AppData\Local\Temp\windepf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\mptl.exe" = C:\Users\Matheus\AppData\Local\Temp\mptl.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\qijix.exe" = C:\Users\Matheus\AppData\Local\Temp\qijix.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\jlxb.exe" = C:\Users\Matheus\AppData\Local\Temp\jlxb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjitn.exe" = C:\Users\Matheus\AppData\Local\Temp\winjitn.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ilxbdp.exe" = C:\Users\Matheus\AppData\Local\Temp\ilxbdp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winvixg.exe" = C:\Users\Matheus\AppData\Local\Temp\winvixg.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winydswoh.exe" = C:\Users\Matheus\AppData\Local\Temp\winydswoh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\jmxlp.exe" = C:\Users\Matheus\AppData\Local\Temp\jmxlp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\tymsi.exe" = C:\Users\Matheus\AppData\Local\Temp\tymsi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winpodshm.exe" = C:\Users\Matheus\AppData\Local\Temp\winpodshm.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winvnqlh.exe" = C:\Users\Matheus\AppData\Local\Temp\winvnqlh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winuvlmh.exe" = C:\Users\Matheus\AppData\Local\Temp\winuvlmh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\dxshbr.exe" = C:\Users\Matheus\AppData\Local\Temp\dxshbr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wingwrjxr.exe" = C:\Users\Matheus\AppData\Local\Temp\wingwrjxr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\qglrcj.exe" = C:\Users\Matheus\AppData\Local\Temp\qglrcj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\fnji.exe" = C:\Users\Matheus\AppData\Local\Temp\fnji.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winmiiaqe.exe" = C:\Users\Matheus\AppData\Local\Temp\winmiiaqe.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\nkrj.exe" = C:\Users\Matheus\AppData\Local\Temp\nkrj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\jtodi.exe" = C:\Users\Matheus\AppData\Local\Temp\jtodi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winarwy.exe" = C:\Users\Matheus\AppData\Local\Temp\winarwy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wincjaml.exe" = C:\Users\Matheus\AppData\Local\Temp\wincjaml.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winapms.exe" = C:\Users\Matheus\AppData\Local\Temp\winapms.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winoqbe.exe" = C:\Users\Matheus\AppData\Local\Temp\winoqbe.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\amffh.exe" = C:\Users\Matheus\AppData\Local\Temp\amffh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\hhsj.exe" = C:\Users\Matheus\AppData\Local\Temp\hhsj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winicyfk.exe" = C:\Users\Matheus\AppData\Local\Temp\winicyfk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\geev.exe" = C:\Users\Matheus\AppData\Local\Temp\geev.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjnhuef.exe" = C:\Users\Matheus\AppData\Local\Temp\winjnhuef.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winolwv.exe" = C:\Users\Matheus\AppData\Local\Temp\winolwv.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\mcuy.exe" = C:\Users\Matheus\AppData\Local\Temp\mcuy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\hiahpy.exe" = C:\Users\Matheus\AppData\Local\Temp\hiahpy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winbxxmvt.exe" = C:\Users\Matheus\AppData\Local\Temp\winbxxmvt.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wintaxynr.exe" = C:\Users\Matheus\AppData\Local\Temp\wintaxynr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\redyvl.exe" = C:\Users\Matheus\AppData\Local\Temp\redyvl.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\lhhfr.exe" = C:\Users\Matheus\AppData\Local\Temp\lhhfr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winawdvc.exe" = C:\Users\Matheus\AppData\Local\Temp\winawdvc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wincjhsqs.exe" = C:\Users\Matheus\AppData\Local\Temp\wincjhsqs.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winwwky.exe" = C:\Users\Matheus\AppData\Local\Temp\winwwky.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winrdomjh.exe" = C:\Users\Matheus\AppData\Local\Temp\winrdomjh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winikhimr.exe" = C:\Users\Matheus\AppData\Local\Temp\winikhimr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winlhnmi.exe" = C:\Users\Matheus\AppData\Local\Temp\winlhnmi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wincvbkjk.exe" = C:\Users\Matheus\AppData\Local\Temp\wincvbkjk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winsybi.exe" = C:\Users\Matheus\AppData\Local\Temp\winsybi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\goqlh.exe" = C:\Users\Matheus\AppData\Local\Temp\goqlh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wsidm.exe" = C:\Users\Matheus\AppData\Local\Temp\wsidm.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\rkad.exe" = C:\Users\Matheus\AppData\Local\Temp\rkad.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winhgkfir.exe" = C:\Users\Matheus\AppData\Local\Temp\winhgkfir.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\mvqu.exe" = C:\Users\Matheus\AppData\Local\Temp\mvqu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winfjamk.exe" = C:\Users\Matheus\AppData\Local\Temp\winfjamk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\yxpvyg.exe" = C:\Users\Matheus\AppData\Local\Temp\yxpvyg.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\yfngf.exe" = C:\Users\Matheus\AppData\Local\Temp\yfngf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winbwtmt.exe" = C:\Users\Matheus\AppData\Local\Temp\winbwtmt.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winafgd.exe" = C:\Users\Matheus\AppData\Local\Temp\winafgd.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\oqtmf.exe" = C:\Users\Matheus\AppData\Local\Temp\oqtmf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\windjau.exe" = C:\Users\Matheus\AppData\Local\Temp\windjau.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\btfe.exe" = C:\Users\Matheus\AppData\Local\Temp\btfe.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\qlac.exe" = C:\Users\Matheus\AppData\Local\Temp\qlac.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\hslbqv.exe" = C:\Users\Matheus\AppData\Local\Temp\hslbqv.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winwmvyi.exe" = C:\Users\Matheus\AppData\Local\Temp\winwmvyi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\bivr.exe" = C:\Users\Matheus\AppData\Local\Temp\bivr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\xqclmy.exe" = C:\Users\Matheus\AppData\Local\Temp\xqclmy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\dyepf.exe" = C:\Users\Matheus\AppData\Local\Temp\dyepf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wmwri.exe" = C:\Users\Matheus\AppData\Local\Temp\wmwri.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winrdsu.exe" = C:\Users\Matheus\AppData\Local\Temp\winrdsu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\aiysn.exe" = C:\Users\Matheus\AppData\Local\Temp\aiysn.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjwnjq.exe" = C:\Users\Matheus\AppData\Local\Temp\winjwnjq.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winlwjn.exe" = C:\Users\Matheus\AppData\Local\Temp\winlwjn.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\windyunim.exe" = C:\Users\Matheus\AppData\Local\Temp\windyunim.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\bqtjmv.exe" = C:\Users\Matheus\AppData\Local\Temp\bqtjmv.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winbauqs.exe" = C:\Users\Matheus\AppData\Local\Temp\winbauqs.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winsvibpr.exe" = C:\Users\Matheus\AppData\Local\Temp\winsvibpr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winfhwp.exe" = C:\Users\Matheus\AppData\Local\Temp\winfhwp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winwgyin.exe" = C:\Users\Matheus\AppData\Local\Temp\winwgyin.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winwohf.exe" = C:\Users\Matheus\AppData\Local\Temp\winwohf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\jyhsu.exe" = C:\Users\Matheus\AppData\Local\Temp\jyhsu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxtdk.exe" = C:\Users\Matheus\AppData\Local\Temp\winxtdk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ihbo.exe" = C:\Users\Matheus\AppData\Local\Temp\ihbo.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\csenn.exe" = C:\Users\Matheus\AppData\Local\Temp\csenn.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winiwwfaj.exe" = C:\Users\Matheus\AppData\Local\Temp\winiwwfaj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxclhga.exe" = C:\Users\Matheus\AppData\Local\Temp\winxclhga.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wingdki.exe" = C:\Users\Matheus\AppData\Local\Temp\wingdki.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wkwd.exe" = C:\Users\Matheus\AppData\Local\Temp\wkwd.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winulssj.exe" = C:\Users\Matheus\AppData\Local\Temp\winulssj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ccvx.exe" = C:\Users\Matheus\AppData\Local\Temp\ccvx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winoptoa.exe" = C:\Users\Matheus\AppData\Local\Temp\winoptoa.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\llhww.exe" = C:\Users\Matheus\AppData\Local\Temp\llhww.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\oibg.exe" = C:\Users\Matheus\AppData\Local\Temp\oibg.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ghxa.exe" = C:\Users\Matheus\AppData\Local\Temp\ghxa.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winsgmujp.exe" = C:\Users\Matheus\AppData\Local\Temp\winsgmujp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\yxmnld.exe" = C:\Users\Matheus\AppData\Local\Temp\yxmnld.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjrni.exe" = C:\Users\Matheus\AppData\Local\Temp\winjrni.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winejqe.exe" = C:\Users\Matheus\AppData\Local\Temp\winejqe.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winogcpy.exe" = C:\Users\Matheus\AppData\Local\Temp\winogcpy.exe:*:Enabled:ipsec
"C:\Program Files\Extra RAM\ExtraRAM.exe" = C:\Program Files\Extra RAM\ExtraRAM.exe:*:Enabled:ipsec -- ()
"C:\Users\Matheus\AppData\Local\Temp\jifex.exe" = C:\Users\Matheus\AppData\Local\Temp\jifex.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\mgjuxk.exe" = C:\Users\Matheus\AppData\Local\Temp\mgjuxk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\txst.exe" = C:\Users\Matheus\AppData\Local\Temp\txst.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winntjdxr.exe" = C:\Users\Matheus\AppData\Local\Temp\winntjdxr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjlxgn.exe" = C:\Users\Matheus\AppData\Local\Temp\winjlxgn.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winvhegw.exe" = C:\Users\Matheus\AppData\Local\Temp\winvhegw.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winkvoku.exe" = C:\Users\Matheus\AppData\Local\Temp\winkvoku.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\lvxvux.exe" = C:\Users\Matheus\AppData\Local\Temp\lvxvux.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winqiks.exe" = C:\Users\Matheus\AppData\Local\Temp\winqiks.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wincpavla.exe" = C:\Users\Matheus\AppData\Local\Temp\wincpavla.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\vrkcu.exe" = C:\Users\Matheus\AppData\Local\Temp\vrkcu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\gbtlxa.exe" = C:\Users\Matheus\AppData\Local\Temp\gbtlxa.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winqfgt.exe" = C:\Users\Matheus\AppData\Local\Temp\winqfgt.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winsfjfb.exe" = C:\Users\Matheus\AppData\Local\Temp\winsfjfb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\jespy.exe" = C:\Users\Matheus\AppData\Local\Temp\jespy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winrxpcld.exe" = C:\Users\Matheus\AppData\Local\Temp\winrxpcld.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winbjpe.exe" = C:\Users\Matheus\AppData\Local\Temp\winbjpe.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winhpjpww.exe" = C:\Users\Matheus\AppData\Local\Temp\winhpjpww.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\vmnprj.exe" = C:\Users\Matheus\AppData\Local\Temp\vmnprj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winojkeb.exe" = C:\Users\Matheus\AppData\Local\Temp\winojkeb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\hdqf.exe" = C:\Users\Matheus\AppData\Local\Temp\hdqf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winufom.exe" = C:\Users\Matheus\AppData\Local\Temp\winufom.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wktw.exe" = C:\Users\Matheus\AppData\Local\Temp\wktw.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\tamx.exe" = C:\Users\Matheus\AppData\Local\Temp\tamx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winahbmv.exe" = C:\Users\Matheus\AppData\Local\Temp\winahbmv.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ttnbqx.exe" = C:\Users\Matheus\AppData\Local\Temp\ttnbqx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjjio.exe" = C:\Users\Matheus\AppData\Local\Temp\winjjio.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winvatss.exe" = C:\Users\Matheus\AppData\Local\Temp\winvatss.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wintahis.exe" = C:\Users\Matheus\AppData\Local\Temp\wintahis.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winrshnh.exe" = C:\Users\Matheus\AppData\Local\Temp\winrshnh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\xifntb.exe" = C:\Users\Matheus\AppData\Local\Temp\xifntb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winddhuq.exe" = C:\Users\Matheus\AppData\Local\Temp\winddhuq.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winywlq.exe" = C:\Users\Matheus\AppData\Local\Temp\winywlq.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\vsipma.exe" = C:\Users\Matheus\AppData\Local\Temp\vsipma.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\lwdu.exe" = C:\Users\Matheus\AppData\Local\Temp\lwdu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wintwrk.exe" = C:\Users\Matheus\AppData\Local\Temp\wintwrk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wincffq.exe" = C:\Users\Matheus\AppData\Local\Temp\wincffq.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winnxaffy.exe" = C:\Users\Matheus\AppData\Local\Temp\winnxaffy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\mtfh.exe" = C:\Users\Matheus\AppData\Local\Temp\mtfh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\hvgs.exe" = C:\Users\Matheus\AppData\Local\Temp\hvgs.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wingmbc.exe" = C:\Users\Matheus\AppData\Local\Temp\wingmbc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ebcais.exe" = C:\Users\Matheus\AppData\Local\Temp\ebcais.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winptqwe.exe" = C:\Users\Matheus\AppData\Local\Temp\winptqwe.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjsgshl.exe" = C:\Users\Matheus\AppData\Local\Temp\winjsgshl.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winviti.exe" = C:\Users\Matheus\AppData\Local\Temp\winviti.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winvmtv.exe" = C:\Users\Matheus\AppData\Local\Temp\winvmtv.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxxvbr.exe" = C:\Users\Matheus\AppData\Local\Temp\winxxvbr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\jhsat.exe" = C:\Users\Matheus\AppData\Local\Temp\jhsat.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\qxyr.exe" = C:\Users\Matheus\AppData\Local\Temp\qxyr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxnbiob.exe" = C:\Users\Matheus\AppData\Local\Temp\winxnbiob.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winlifrof.exe" = C:\Users\Matheus\AppData\Local\Temp\winlifrof.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\bohvjo.exe" = C:\Users\Matheus\AppData\Local\Temp\bohvjo.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wingxvbrj.exe" = C:\Users\Matheus\AppData\Local\Temp\wingxvbrj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\windfrny.exe" = C:\Users\Matheus\AppData\Local\Temp\windfrny.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winhdxb.exe" = C:\Users\Matheus\AppData\Local\Temp\winhdxb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winfynbim.exe" = C:\Users\Matheus\AppData\Local\Temp\winfynbim.exe:*:Enabled:ipsec
"C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe" = C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe:*:Enabled:ipsec -- (Adobe Systems Incorporated)
"C:\Users\Matheus\AppData\Local\Temp\winjepb.exe" = C:\Users\Matheus\AppData\Local\Temp\winjepb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winkgal.exe" = C:\Users\Matheus\AppData\Local\Temp\winkgal.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxtpuff.exe" = C:\Users\Matheus\AppData\Local\Temp\winxtpuff.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\nhlk.exe" = C:\Users\Matheus\AppData\Local\Temp\nhlk.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\nxda.exe" = C:\Users\Matheus\AppData\Local\Temp\nxda.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winouuc.exe" = C:\Users\Matheus\AppData\Local\Temp\winouuc.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winnfhb.exe" = C:\Users\Matheus\AppData\Local\Temp\winnfhb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winesysow.exe" = C:\Users\Matheus\AppData\Local\Temp\winesysow.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxytdti.exe" = C:\Users\Matheus\AppData\Local\Temp\winxytdti.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ayklb.exe" = C:\Users\Matheus\AppData\Local\Temp\ayklb.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\pdjyld.exe" = C:\Users\Matheus\AppData\Local\Temp\pdjyld.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wincsmdx.exe" = C:\Users\Matheus\AppData\Local\Temp\wincsmdx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxvpuq.exe" = C:\Users\Matheus\AppData\Local\Temp\winxvpuq.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ytwy.exe" = C:\Users\Matheus\AppData\Local\Temp\ytwy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\qpivwa.exe" = C:\Users\Matheus\AppData\Local\Temp\qpivwa.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\qpcx.exe" = C:\Users\Matheus\AppData\Local\Temp\qpcx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\fwmh.exe" = C:\Users\Matheus\AppData\Local\Temp\fwmh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winexpd.exe" = C:\Users\Matheus\AppData\Local\Temp\winexpd.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\yyrcl.exe" = C:\Users\Matheus\AppData\Local\Temp\yyrcl.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjqiask.exe" = C:\Users\Matheus\AppData\Local\Temp\winjqiask.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winnldrop.exe" = C:\Users\Matheus\AppData\Local\Temp\winnldrop.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winacps.exe" = C:\Users\Matheus\AppData\Local\Temp\winacps.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\tkkwkq.exe" = C:\Users\Matheus\AppData\Local\Temp\tkkwkq.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winsqgro.exe" = C:\Users\Matheus\AppData\Local\Temp\winsqgro.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\htft.exe" = C:\Users\Matheus\AppData\Local\Temp\htft.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winyrrhey.exe" = C:\Users\Matheus\AppData\Local\Temp\winyrrhey.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ktatf.exe" = C:\Users\Matheus\AppData\Local\Temp\ktatf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winnilt.exe" = C:\Users\Matheus\AppData\Local\Temp\winnilt.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wktplg.exe" = C:\Users\Matheus\AppData\Local\Temp\wktplg.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winekvi.exe" = C:\Users\Matheus\AppData\Local\Temp\winekvi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\rxram.exe" = C:\Users\Matheus\AppData\Local\Temp\rxram.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\jivnm.exe" = C:\Users\Matheus\AppData\Local\Temp\jivnm.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winwpfp.exe" = C:\Users\Matheus\AppData\Local\Temp\winwpfp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\yawsx.exe" = C:\Users\Matheus\AppData\Local\Temp\yawsx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winwsed.exe" = C:\Users\Matheus\AppData\Local\Temp\winwsed.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\ktkqqp.exe" = C:\Users\Matheus\AppData\Local\Temp\ktkqqp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\renqpi.exe" = C:\Users\Matheus\AppData\Local\Temp\renqpi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winxrcnpf.exe" = C:\Users\Matheus\AppData\Local\Temp\winxrcnpf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjrofd.exe" = C:\Users\Matheus\AppData\Local\Temp\winjrofd.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\waxx.exe" = C:\Users\Matheus\AppData\Local\Temp\waxx.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winqiouyr.exe" = C:\Users\Matheus\AppData\Local\Temp\winqiouyr.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\kplaqp.exe" = C:\Users\Matheus\AppData\Local\Temp\kplaqp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wixaj.exe" = C:\Users\Matheus\AppData\Local\Temp\wixaj.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\wintxmub.exe" = C:\Users\Matheus\AppData\Local\Temp\wintxmub.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\gwlo.exe" = C:\Users\Matheus\AppData\Local\Temp\gwlo.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winesnl.exe" = C:\Users\Matheus\AppData\Local\Temp\winesnl.exe:*:Enabled:ipsec
"C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe:*:Enabled:ipsec -- (Malwarebytes Corporation)
"C:\Users\Matheus\AppData\Local\Temp\ytgrj.exe" = C:\Users\Matheus\AppData\Local\Temp\ytgrj.exe:*:Enabled:ipsec -- ()
"C:\Users\Matheus\AppData\Local\Temp\wincwuu.exe" = C:\Users\Matheus\AppData\Local\Temp\wincwuu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\dukks.exe" = C:\Users\Matheus\AppData\Local\Temp\dukks.exe:*:Enabled:ipsec -- ()
"C:\Users\Matheus\AppData\Local\Temp\winhfoms.exe" = C:\Users\Matheus\AppData\Local\Temp\winhfoms.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winfubgy.exe" = C:\Users\Matheus\AppData\Local\Temp\winfubgy.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winelrm.exe" = C:\Users\Matheus\AppData\Local\Temp\winelrm.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\xgwg.exe" = C:\Users\Matheus\AppData\Local\Temp\xgwg.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winehstwp.exe" = C:\Users\Matheus\AppData\Local\Temp\winehstwp.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\kqpult.exe" = C:\Users\Matheus\AppData\Local\Temp\kqpult.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winewgi.exe" = C:\Users\Matheus\AppData\Local\Temp\winewgi.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\kbjyuh.exe" = C:\Users\Matheus\AppData\Local\Temp\kbjyuh.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winqusf.exe" = C:\Users\Matheus\AppData\Local\Temp\winqusf.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winuxajik.exe" = C:\Users\Matheus\AppData\Local\Temp\winuxajik.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\xshojw.exe" = C:\Users\Matheus\AppData\Local\Temp\xshojw.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\nwce.exe" = C:\Users\Matheus\AppData\Local\Temp\nwce.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\winjmsu.exe" = C:\Users\Matheus\AppData\Local\Temp\winjmsu.exe:*:Enabled:ipsec
"C:\Users\Matheus\AppData\Local\Temp\gsicl.exe" = C:\Users\Matheus\AppData\Local\Temp\gsicl.exe:*:Enabled:ipsec -- ()
"C:\Users\Matheus\AppData\Local\Temp\winsyhgav.exe" = C:\Users\Matheus\AppData\Local\Temp\winsyhgav.exe:*:Enabled:ipsec -- ()
"C:\Users\Matheus\AppData\Local\Temp\winqjqf.exe" = C:\Users\Matheus\AppData\Local\Temp\winqjqf.exe:*:Enabled:ipsec -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0EF5BEA9-B9D3-46d7-8958-FB69A0BAEACC}" = Status
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{0FFEA8EE-7BC7-4C9D-8CC6-5B8C891BA3F2}" = Windows Live Essentials
"{15FEDA5F-141C-4127-8D7E-B962D1742728}" = Adobe Photoshop CS5
"{1EC71BFB-01A3-4239-B6AF-B1AE656B15C0}" = TrayApp
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Ferramenta de Carregamento do Windows Live
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{255FC1CF-2620-4B64-BE02-79B9E609BB3D}" = Webzen Game Starter
"{2640314A-2D9A-4F58-B501-DB109CD9DBA2}" = DJ_AIO_ProductContext
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java™ 6 Update 27
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2FF8C687-DB7D-4adc-A5DC-57983EC25046}" = DeviceDiscovery
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{32DACAC3-6538-405D-915E-8F2D026F199C}" = DJ_AIO_Software_min
"{3C92B2E6-380D-4fef-B4DF-4A3B4B669771}" = Copy
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4CFDA3C2-6F0A-49EF-85DF-D4D928142D91}_is1" = Extra RAM 1.7
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{4EC1177C-E3E8-4CEE-8E9F-E6D4E6F7B2E2}_is1" = WinDS PRO DSi 2.2.1
"{51A9E3DD-37B8-47BB-8E67-5B76B3EFBC48}" = Assistente de Conexão do Windows Live
"{590035D9-BFA0-406A-A7F0-479C72C0DDB2}" = Windows Live Call
"{5D90E53A-BD7C-8F32-9B82-7733D0F0BC8E}" = Adobe Download Assistant
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{90120000-0015-0416-0000-0000000FF1CE}" = Microsoft Office Access MUI (Portuguese (Brazil)) 2007
"{90120000-0015-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0416-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Portuguese (Brazil)) 2007
"{90120000-0016-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0416-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007
"{90120000-0018-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0416-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Portuguese (Brazil)) 2007
"{90120000-0019-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0416-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Portuguese (Brazil)) 2007
"{90120000-001A-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0416-0000-0000000FF1CE}" = Microsoft Office Word MUI (Portuguese (Brazil)) 2007
"{90120000-001B-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0416-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Brazil)) 2007
"{90120000-001F-0416-0000-0000000FF1CE}_ENTERPRISE_{75EBE365-7FC5-4720-A7D3-804BF550D1BC}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0416-0000-0000000FF1CE}" = Pacote de Compatibilidade para o sistema Office 2007
"{90120000-002C-0416-0000-0000000FF1CE}" = Microsoft Office Proofing (Portuguese (Brazil)) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0416-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2007
"{90120000-0044-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0416-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Portuguese (Brazil)) 2007
"{90120000-006E-0416-0000-0000000FF1CE}_ENTERPRISE_{9A141B2B-7C5E-47D2-8E9E-9AC6018F3C42}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0416-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007
"{90120000-00A1-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0416-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Portuguese (Brazil)) 2007
"{90120000-00BA-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99E16265-E162-43E7-B3C5-D28640E23AE9}" = PSP ISO Shrink
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ADC3E4F-34DA-48CD-8727-BB26D90257BD}" = Windows Live Messenger
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A6B90148-02C5-4fd3-8D7A-EF2386835CB9}" = F4100_Help
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AD99B476-6FB7-4985-A3C3-E40595A7E6DE}" = DJ_AIO_Software
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{d05a1414-a955-4c5c-9716-b7777ef86e85}" = F4100
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential
"{D86B0E2E-DF9A-441C-AF77-8D1A0FF00FA6}" = AIO_Scan
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{E8E2B4D8-503C-46C7-A6CE-BC78CC3D4F9A}" = Epi Info
"{EB773820-0871-46A8-9B96-F2B04F8B34F0}" = HP Deskjet All-In-One Driver Software 13.0 Rel. 1
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Age of Mythology 1.0" = Age of Mythology
"AviSynth" = AviSynth 2.5
"BitTorrent" = BitTorrent
"CCleaner" = CCleaner
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"Cheat Engine 5.6.1_is1" = Cheat Engine 5.6.1
"Cliente MuSteam 99z" = Cliente MuSteam 99z
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"DivX Codec" = DivX Codec
"DivX Player" = DivX Player
"DivX Subtitle Displayer 4.54" = DivX Subtitle Displayer 4.54
"Doro_is1" = Doro 1.64
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Foxit Reader_is1" = Foxit Reader 5.0
"Free DVD Burner (by minidvdsoft)_is1" = Free DVD Burner version 3.0
"Free PS Convert driver_is1" = Free PS Convert driver 8.15
"Garena 2010" = Garena 2010
"Glary Utilities_is1" = Glary Utilities 2.38.0.1288
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Photosmart Essential" = HP Photosmart Essential 3.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"InstallShield_{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"Internet TV_is1" = Internet TV 8.1
"LastFM_is1" = Last.fm 1.5.4.27091
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware versão 1.51.2.1300
"Messenger Plus! Live" = Messenger Plus! Live
"Mozilla Firefox 5.0.1 (x86 pt-BR)" = Mozilla Firefox 5.0.1 (x86 pt-BR)
"Network Play System (Patching)" = Network Play System (Patching)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA StereoUSB Driver" = NVIDIA 3D Vision Controller Driver
"PDFConverter Printer Driver_is1" = PDFConverter Printer Driver version 2.00
"Picasa 3" = Picasa 3
"Plugin Letras.mus.br" = Plugin Letras.mus.br 1.10
"RealAlt_is1" = Real Alternative 2.0.2
"Registry Mechanic_is1" = Registry Mechanic 10.0
"Shop for HP Supplies" = Shop for HP Supplies
"Sierra Utilities" = Sierra Utilities
"The Sims" = The Sims
"VLC media player" = VLC media player 1.1.11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = Arquivo do WinRAR
"Word to PDF Converter_is1" = Word to PDF Converter 4.00

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Google Chrome SxS" = Google Chrome Canary

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/2/2011 8:31:12 AM | Computer Name = PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/2/2011 2:20:17 PM | Computer Name = PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/2/2011 8:35:41 PM | Computer Name = PC | Source = MsiInstaller | ID = 1013
Description =

Error - 10/2/2011 8:42:27 PM | Computer Name = PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/3/2011 5:58:00 PM | Computer Name = PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/4/2011 8:29:39 AM | Computer Name = PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/4/2011 12:28:52 PM | Computer Name = PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/4/2011 1:21:41 PM | Computer Name = PC | Source = Windows Search Service | ID = 3007
Description =

Error - 10/4/2011 3:27:28 PM | Computer Name = PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 10/4/2011 3:55:52 PM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 5.0.1.4205 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 7fc Start
Time: 01cc82cd8c268130 Termination Time: 292 Application Path: C:\Program Files\Mozilla
Firefox\firefox.exe Report Id: c06a9f11-eec2-11e0-9435-001617ae3ddf

[ OSession Events ]
Error - 6/15/2011 9:45:51 PM | Computer Name = PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.6514.5001. This session
lasted 1582 seconds with 1080 seconds of active time. This session ended with a
crash.

Error - 6/21/2011 2:51:52 PM | Computer Name = PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.6514.5001. This session
lasted 2270 seconds with 1440 seconds of active time. This session ended with a
crash.

Error - 6/26/2011 12:13:00 AM | Computer Name = PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.6514.5001. This session
lasted 11829 seconds with 1020 seconds of active time. This session ended with
a crash.

Error - 8/27/2011 11:03:39 AM | Computer Name = PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.6514.5001. This session lasted 70
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 10/4/2011 12:57:01 PM | Computer Name = PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80080005: Security Update for Windows 7 (KB979688).

Error - 10/4/2011 1:04:34 PM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The SPP Notification Service service terminated with the following
error: %%5

Error - 10/4/2011 2:04:33 PM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The SPP Notification Service service terminated with the following
error: %%5

Error - 10/4/2011 3:04:31 PM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The SPP Notification Service service terminated with the following
error: %%5

Error - 10/4/2011 3:31:08 PM | Computer Name = PC | Source = DCOM | ID = 10001
Description =

Error - 10/4/2011 3:56:37 PM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The SPP Notification Service service terminated with the following
error: %%5

Error - 10/4/2011 4:07:40 PM | Computer Name = PC | Source = Microsoft-Windows-Service Pack Installer | ID = 8
Description = Service Pack installation failed with error code 0x800b0100.

Error - 10/4/2011 4:12:41 PM | Computer Name = PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Windows 7 Service Pack 1 (KB976932).

Error - 10/4/2011 4:56:36 PM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The SPP Notification Service service terminated with the following
error: %%5

Error - 10/4/2011 5:56:36 PM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The SPP Notification Service service terminated with the following
error: %%5


< End of report >


Thank you very much!

Edited by Kelendril, 04 October 2011 - 04:52 PM.


#2
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :yes:

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days;
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

I'm reviewing your log right now, and will post back with instructions shortly.

#3
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Do you recognize the following files?

[2011/09/15 20:35:12 | 000,080,535 | ---- | M] () -- C:\Users\Matheus\Documents\asdasads.png
[2011/09/15 20:25:07 | 000,118,145 | ---- | M] () -- C:\Users\Matheus\Documents\asdasasd.png
[2011/09/15 20:23:16 | 000,110,783 | ---- | M] () -- C:\Users\Matheus\Documents\fotenha.png
[2011/09/15 20:19:06 | 000,066,349 | ---- | M] () -- C:\Users\Matheus\Documents\PQAAALv_m_2cOlwJuZp_m6rqSEE391q9cytn4vbN_6ckykc8WGfGvuJh9JGuESPB2pofiFuk6J4qQOj576Itrs44YREAm1T1UMP_rT_FbYA2Hy9grx7a73PjUpS5.jpg
[2011/09/15 20:12:39 | 000,074,086 | ---- | M] () -- C:\Users\Matheus\Documents\PQAAAOKK-54a3usUIIYqRxKQAMn2dfMIZw5z278jKGDX9NpT5ObgjeEK43qJgi_pObLdq13uEKDff8qGEwACFId6D_wAm1T1UFL7k94_YlGf05E8cyG692Fk8Tuh.jpg
[2011/09/15 01:37:58 | 000,145,997 | ---- | M] () -- C:\Users\Matheus\Documents\Untitled.png
[2011/09/15 01:22:00 | 000,055,930 | ---- | M] () -- C:\Users\Matheus\Documents\asdf.jpg
[2011/09/15 01:20:13 | 000,049,557 | ---- | M] () -- C:\Users\Matheus\Documents\ú.jpg
[2011/09/10 14:25:35 | 000,065,988 | ---- | M] () -- C:\Users\Matheus\Documents\jacekyerka12sx8.jpg



Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



NEXT:



Back-Up Registry
First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:

regedit /e c:\registrybackup.reg

Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.


NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    PRC - [2011/10/04 16:33:01 | 000,031,402 | ---- | M] () -- C:\Users\Matheus\AppData\Local\Temp\dukks.exe
    PRC - [2011/10/04 16:32:51 | 000,012,970 | ---- | M] () -- C:\Users\Matheus\AppData\Local\Temp\ytgrj.exe
    MOD - [2011/10/04 16:33:01 | 000,031,402 | ---- | M] () -- C:\Users\Matheus\AppData\Local\Temp\dukks.exe
    MOD - [2011/10/04 16:32:51 | 000,012,970 | ---- | M] () -- C:\Users\Matheus\AppData\Local\Temp\ytgrj.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No CLSID value found.
    O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    [2011/10/01 10:13:12 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [1 C:\Users\Matheus\Desktop\*.tmp files -> C:\Users\Matheus\Desktop\*.tmp -> ]
    @Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:D1B5B4F1
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Windows\TEMP\winxareic.exe"=-
    "C:\Windows\TEMP\winekdj.exe"=-
    "C:\Windows\TEMP\winotsfvp.exe"=-
    "C:\Windows\TEMP\cujweg.exe"=-
    "C:\Windows\TEMP\wsng.exe"=-
    "C:\Windows\TEMP\dcdjm.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wingtip.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\kutg.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winspbvf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winbnvr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winylgyo.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winpxmumc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\dxvsfx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\bmjpex.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ximqbh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winfbdjwr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\pokdlb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winbutqv.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\tyjlge.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\fkjae.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winnvex.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winbipc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\aouy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\vkfxya.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winmxnba.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\mcqe.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winqwqe.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\obbdj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winksok.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winmwdxvr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wintpyqnf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winvwrbh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\dhkjia.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winmbmef.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winecmwc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\bufj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winkmblwp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\grvseb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winlaah.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winahmsk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\hghucn.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winnhkwiq.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winffoeda.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\dmgixu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winmwfcjs.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winqvmes.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winpbmxg.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winmfay.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wvkns.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winamkpbg.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winitvwha.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ptqymr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\palgf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\mhnk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\civv.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\pgsr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\hmsqn.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winpflsr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winfbpm.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\bipw.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\bxnwu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wingiglr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wincfsbd.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxpwpi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\cxkhw.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wineuwc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winfyrt.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winnyaram.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winiotbs.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\auqk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winepdnj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winieggxc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wineqwh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winrvmfp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winklyt.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ropd.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ysqft.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\busffv.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winhuwjae.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winqfgjby.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\dlqedx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winotwc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsspk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\mpksj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\uldjyr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsyvi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winmlfi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winyxyaxj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\kapdti.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\yptl.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winodxs.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winygtakw.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsyulix.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\windepf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\mptl.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\qijix.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\jlxb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjitn.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ilxbdp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winvixg.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winydswoh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\jmxlp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\tymsi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winpodshm.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winvnqlh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winuvlmh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\dxshbr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wingwrjxr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\qglrcj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\fnji.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winmiiaqe.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\nkrj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\jtodi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winarwy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wincjaml.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winapms.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winoqbe.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\amffh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\hhsj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winicyfk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\geev.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjnhuef.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winolwv.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\mcuy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\hiahpy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winbxxmvt.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wintaxynr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\redyvl.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\lhhfr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winawdvc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wincjhsqs.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winwwky.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winrdomjh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winikhimr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winlhnmi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wincvbkjk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsybi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\goqlh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wsidm.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\rkad.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winhgkfir.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\mvqu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winfjamk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\yxpvyg.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\yfngf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winbwtmt.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winafgd.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\oqtmf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\windjau.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\btfe.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\qlac.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\hslbqv.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winwmvyi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\bivr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\xqclmy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\dyepf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wmwri.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winrdsu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\aiysn.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjwnjq.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winlwjn.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\windyunim.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\bqtjmv.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winbauqs.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsvibpr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winfhwp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winwgyin.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winwohf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\jyhsu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxtdk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ihbo.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\csenn.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winiwwfaj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxclhga.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wingdki.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wkwd.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winulssj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ccvx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winoptoa.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\llhww.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\oibg.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ghxa.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsgmujp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\yxmnld.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjrni.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winejqe.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winogcpy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\jifex.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\mgjuxk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\txst.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winntjdxr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjlxgn.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winvhegw.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winkvoku.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\lvxvux.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winqiks.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wincpavla.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\vrkcu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\gbtlxa.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winqfgt.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsfjfb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\jespy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winrxpcld.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winbjpe.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winhpjpww.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\vmnprj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winojkeb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\hdqf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winufom.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wktw.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\tamx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winahbmv.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ttnbqx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjjio.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winvatss.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wintahis.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winrshnh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\xifntb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winddhuq.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winywlq.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\vsipma.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\lwdu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wintwrk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wincffq.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winnxaffy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\mtfh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\hvgs.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wingmbc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ebcais.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winptqwe.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjsgshl.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winviti.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winvmtv.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxxvbr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\jhsat.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\qxyr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxnbiob.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winlifrof.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\bohvjo.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wingxvbrj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\windfrny.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winhdxb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winfynbim.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjepb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winkgal.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxtpuff.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\nhlk.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\nxda.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winouuc.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winnfhb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winesysow.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxytdti.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ayklb.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\pdjyld.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wincsmdx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxvpuq.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ytwy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\qpivwa.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\qpcx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\fwmh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winexpd.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\yyrcl.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjqiask.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winnldrop.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winacps.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\tkkwkq.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsqgro.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\htft.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winyrrhey.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ktatf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winnilt.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wktplg.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winekvi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\rxram.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\jivnm.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winwpfp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\yawsx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winwsed.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ktkqqp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\renqpi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winxrcnpf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjrofd.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\waxx.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winqiouyr.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\kplaqp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wixaj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wintxmub.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\gwlo.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winesnl.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\ytgrj.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\wincwuu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\dukks.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winhfoms.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winfubgy.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winelrm.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\xgwg.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winehstwp.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\kqpult.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winewgi.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\kbjyuh.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winqusf.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winuxajik.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\xshojw.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\nwce.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winjmsu.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\gsicl.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winsyhgav.exe"=-
    "C:\Users\Matheus\AppData\Local\Temp\winqjqf.exe"=-
    
    :Files
    type "C:\ComboFix.txt" /c
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
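As an added example (not code from this thread, from OTL or from regedit), the Python script below reads the kind of .reg export the registry backup step produces and lists every Windows Firewall authorized application whose path sits under a Temp folder, which is the pattern the :Reg section of the OTL fix above clears out. The sample export and its file names are constructed for the example from paths that appear on this page; the key layout assumed is the standard Windows one.

```python
"""Flag firewall-authorized applications that live under a Temp directory.

Added example, not code from the thread or from OTL/regedit. It reads the
text format that `regedit /e` writes ("Windows Registry Editor Version 5.00",
[key] headers, "name"=data lines with doubled backslashes) and reports every
entry of FirewallPolicy\\<profile>\\AuthorizedApplications\\List whose path
contains a Temp component, so a reviewer can see the list before deciding
what to remove.
"""
import re

# Standard Windows key layout assumed; <profile> is StandardProfile,
# DomainProfile or PublicProfile.
AUTHORIZED_APPS_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess"
    r"\\Parameters\\FirewallPolicy\\(?P<profile>\w+)\\AuthorizedApplications\\List$",
    re.IGNORECASE,
)
# "name"=data ; the name may contain escaped quotes and doubled backslashes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample export: file names and paths are taken from this page;
# the data strings follow the "path:*:Enabled:label" layout of that key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Garena\\Garena.exe"="C:\\Program Files\\Garena\\Garena.exe:*:Enabled:Garena"
"C:\\Users\\Matheus\\AppData\\Local\\Temp\\dukks.exe"="C:\\Users\\Matheus\\AppData\\Local\\Temp\\dukks.exe:*:Enabled:dukks"
"C:\\Windows\\TEMP\\wsng.exe"="C:\\Windows\\TEMP\\wsng.exe:*:Enabled:wsng"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Users\\Matheus\\AppData\\Local\\Temp\\ytgrj.exe"="C:\\Users\\Matheus\\AppData\\Local\\Temp\\ytgrj.exe:*:Enabled:ytgrj"
"""


def unescape(s):
    """Undo .reg escaping (doubled backslashes, escaped double quotes)."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a regedit export.
    Skips the header, comments, blank lines and a leading BOM."""
    keys = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group("name"))] = m.group("data")
    return keys


def find_temp_authorized_apps(text):
    """Return sorted (profile, path) pairs for firewall-authorized
    applications whose path contains a Temp directory component."""
    hits = []
    for key, values in parse_reg_export(text).items():
        m = AUTHORIZED_APPS_RE.match(key)
        if not m:
            continue
        for path in values:
            if TEMP_RE.search(path):
                hits.append((m.group("profile"), path))
    return sorted(hits)


if __name__ == "__main__":
    for profile, path in find_temp_authorized_apps(SAMPLE_EXPORT):
        print("%-16s %s" % (profile, path))
```

A real export written by `regedit /e` is UTF-16, so open it with `encoding="utf-16"` before handing its text to `find_temp_authorized_apps`.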


NEXT:



VirusTotal File Scan
Please go to: VirusTotal
  • Click the Choose File button and search for the following file: C:\ddtep.pif
  • Click Open
  • Then click Send File
If it says already scanned -- click "reanalyze now"

  • Please be patient while the file is scanned.
  • Once the scan results appear, please click on the Compact button.
  • A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
  • Copy and Paste the contents of the text in the BBCode into your next reply for me to review.


Please post the results in your next reply

#4
Kelendril

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi SweetTech, it is very nice to meet you too!

Yeah, I recognize those files, mainly photographs from me or my bro, or something from the internet. So, I was doing as you said. I did the whole "Scanning with GMER" step normally. So I then created the backup registry as you told me to do and started the OTL fix. I copied the text and pasted it properly into the program, and it started running. All of a sudden, the program showed an error message (I didn't get it, but it was something like "unable to stop a certain process", or to delete it...). The program then just stopped working. I waited kinda 30 minutes and it wouldn't work anymore. I closed it and will attach an image showing how the program was when it stopped working, as it may be useful.

Well, as you said in your first post, I chose to stop and ask, because something unexpected happened.

I will also paste here the GMER log, it might be useful.

Thanks a lot for the attention and help, I hope we can make it till this pc here is clean =)


GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-05 21:42:10
Windows 6.1.7600 Harddisk0\DR0 -> \Device\00000059 WDC_WD25 rev.10.0
Running: gmer.exe; Driver: C:\Users\Matheus\AppData\Local\Temp\ugldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A43539 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A68092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spws.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8E189CA0 5 Bytes JMP 858964E0
.text ae6g5byy.SYS 9233D000 12 Bytes [44, 58, E1, 82, EE, 56, E1, ...]
.text ae6g5byy.SYS 9233D00D 9 Bytes [37, E1, 82, 48, 5B, E1, 82, ...] {AAA ; LOOPZ 0xffffffffffffff85; DEC EAX; POP EBX; LOOPZ 0xffffffffffffff89; ADD [EAX], AL}
.text ae6g5byy.SYS 9233D017 41 Bytes [00, DE, E7, EF, 86, E6, E5, ...]
.text ae6g5byy.SYS 9233D041 128 Bytes [86, A6, 82, 60, 85, A6, 82, ...]
.text ae6g5byy.SYS 9233D0C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 843371F8
Device \FileSystem\fastfat \FatCdrom 867711F8
Device \Driver\ACPI_HAL \Device\00000041 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 843321F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{EF129B70-3092-4EE2-908D-5C1567260413} 853D84A0
Device \Driver\usbohci \Device\USBPDO-0 8573E500
Device \Driver\usbehci \Device\USBPDO-1 8588F1F8
Device \Driver\USBSTOR \Device\00000061 856861F8
Device \Driver\USBSTOR \Device\00000062 856861F8
Device \Driver\USBSTOR \Device\00000063 856861F8
Device \Driver\volmgr \Device\HarddiskVolume1 843321F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\USBSTOR \Device\00000064 856861F8
Device \Driver\nvstor \Device\00000059 843351F8
Device \Driver\USBSTOR \Device\00000065 856861F8
Device \Driver\cdrom \Device\CdRom0 8562F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 843321F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 843341F8
Device \Driver\atapi \Device\Ide\IdePort0 843341F8
Device \Driver\atapi \Device\Ide\IdePort1 843341F8
Device \Driver\volmgr \Device\HarddiskVolume3 843321F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 8562F1F8
Device \Driver\volmgr \Device\HarddiskVolume4 843321F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume5 843321F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume6 843321F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 853D84A0
Device \Driver\PCI_PNP6448 \Device\0000004a spws.sys
Device \Driver\nvstor \Device\RaidPort0 843351F8
Device \Driver\nvstor \Device\RaidPort1 843351F8
Device \Driver\usbohci \Device\USBFDO-0 8573E500
Device \Driver\usbehci \Device\USBFDO-1 8588F1F8
Device \Driver\sptd \Device\1271660448 spws.sys
Device \Driver\ae6g5byy \Device\Scsi\ae6g5byy1Port4Path0Target0Lun0 858FD3C0
Device \Driver\ae6g5byy \Device\Scsi\ae6g5byy1 858FD3C0
Device \FileSystem\fastfat \Fat 867711F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0xCC 0xC3 0xBD 0xAA ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0xB4 0x14 0x65 0x5F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0xA4 0x17 0xEF 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0xCC 0xC3 0xBD 0xAA ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0xB4 0x14 0x65 0x5F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0xA4 0x17 0xEF 0x88 ...

---- EOF - GMER 1.0.15 ----



#5
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Thanks for the clarification on those files.

Please run this tool:

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.


#6
Kelendril

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello again!

I already had ComboFix. I tried to uninstall it, but some kind of error occurred. I just deleted it then and downloaded again from your link 1. The program was installed then. I turned off the anti-virus (MBAM) and restarted the computer before running the ComboFix. It ran normally but, at the end of the scan, I forgot that MBAM was not turned off after the PC had restarted xD.

So I did another ComboFix scan. I will post both of them here for you to analyze. Thank you very much and sorry for any trouble I might have caused =/


First log (without turning MBAM off)

ComboFix 11-10-06.03 - Matheus 10/06/2011 15:00:37.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.991.457 [GMT -3:00]
Running from: c:\users\Matheus\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Autorun.inf
C:\ddtep.pif
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-10-06 18:14 . 2011-10-06 18:14 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-10-06 18:14 . 2011-10-06 18:14 -------- d-----w- c:\users\Matheuss\AppData\Local\temp
2011-10-06 18:14 . 2011-10-06 18:14 -------- d-----w- c:\users\Matheus\AppData\Local\temp
2011-10-06 18:14 . 2011-10-06 18:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-06 18:04 . 2011-10-06 18:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3F7C90B-2B2E-480E-B4FF-B840A014014C}\offreg.dll
2011-10-06 00:44 . 2011-10-06 00:44 -------- d-----w- C:\_OTL
2011-10-06 00:42 . 2011-10-06 00:43 172454188 ----a-w- C:\registrybackup.reg
2011-10-04 20:07 . 2011-10-04 20:07 -------- d-----w- c:\windows\system32\EventProviders
2011-10-04 17:43 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-10-04 17:35 . 2009-11-25 15:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-10-04 17:35 . 2009-11-25 15:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-10-04 17:35 . 2009-11-25 15:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-10-04 17:35 . 2009-11-25 15:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-10-04 17:35 . 2009-11-25 15:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-10-04 17:32 . 2011-09-21 12:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3F7C90B-2B2E-480E-B4FF-B840A014014C}\mpengine.dll
2011-10-04 16:55 . 2011-10-04 16:55 -------- d-----w- c:\program files\MSXML 4.0
2011-10-04 16:52 . 2011-05-03 04:50 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-04 16:52 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-10-04 16:50 . 2011-06-15 09:04 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-10-04 16:49 . 2010-10-16 04:36 314368 ----a-w- c:\windows\system32\webio.dll
2011-10-04 16:49 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2011-10-04 16:49 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-10-04 16:49 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-10-04 16:49 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-10-04 16:49 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2011-10-04 16:49 . 2011-05-24 10:35 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-10-04 16:48 . 2011-04-29 05:08 759296 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-10-04 16:44 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2011-10-04 16:44 . 2010-10-16 04:41 101760 ----a-w- c:\windows\system32\consent.exe
2011-10-04 16:42 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-10-04 16:42 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-10-04 16:40 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-10-04 16:40 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2011-10-04 16:31 . 2011-10-04 19:37 -------- d-----w- c:\windows\system32\catroot2
2011-10-03 23:05 . 2011-10-03 23:05 -------- d-----w- c:\users\Matheus\AppData\Local\AskToolbar
2011-10-03 02:15 . 2011-10-03 02:15 -------- d-----w- c:\program files\Foxit Software
2011-10-02 16:17 . 2011-10-02 16:17 -------- d-----w- c:\users\Matheus\AppData\Roaming\GlarySoft
2011-10-02 15:44 . 2011-10-05 11:29 -------- d-----w- c:\program files\Extra RAM
2011-10-02 15:43 . 2011-10-06 17:07 -------- d-----w- c:\program files\Ask.com
2011-10-02 15:43 . 2011-10-05 11:29 -------- d-----w- c:\program files\Glary Utilities
2011-10-01 18:01 . 2011-10-01 18:01 -------- d-----w- c:\windows\Sun
2011-09-28 23:20 . 2011-09-28 23:20 -------- d-----w- c:\users\Matheuss\AppData\Roaming\Malwarebytes
2011-09-28 19:41 . 2011-09-28 19:41 -------- d-----w- c:\users\Matheus\AppData\Roaming\Malwarebytes
2011-09-28 19:39 . 2011-09-28 19:39 -------- d-----w- c:\programdata\Malwarebytes
2011-09-28 19:39 . 2011-10-05 11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-28 19:39 . 2011-08-31 20:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-27 16:09 . 2011-10-05 11:30 -------- d-----w- c:\program files\CCleaner
2011-09-26 04:55 . 2011-09-26 04:55 -------- d-----w- c:\users\Matheuss\AppData\Local\Microsoft Help
2011-09-25 17:57 . 2011-06-21 21:56 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-09-25 17:57 . 2011-06-21 21:56 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-09-25 17:55 . 2011-09-25 21:17 -------- d-----w- c:\users\Matheuss\AppData\Local\OpenCandy
2011-09-25 17:55 . 2011-09-25 17:55 -------- d-----w- c:\users\Matheuss\AppData\Roaming\OpenCandy
2011-09-25 17:55 . 2011-09-25 17:55 -------- d-----w- c:\users\Matheuss\AppData\Local\QuickStores
2011-09-25 17:54 . 2011-09-25 21:18 -------- d-----w- c:\program files\DsNET Corp
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\DCube
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\FathZip
2011-09-25 02:47 . 2011-10-05 11:35 -------- d-----w- C:\Epi_Info
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\Common Files\ESRI
2011-09-25 02:46 . 2001-05-24 15:59 162304 ----a-w- c:\program files\UNWISE.EXE
2011-09-25 02:46 . 2003-06-02 13:14 80480 ----a-w- c:\windows\system32\Msrpfs40.dll
2011-09-25 02:46 . 2003-06-02 13:14 80480 ----a-w- c:\windows\system32\Msrclr40.dll
2011-09-25 02:46 . 2003-06-02 13:14 52048 ----a-w- c:\windows\system32\Mstran40.exe
2011-09-25 02:46 . 2003-06-02 13:14 43856 ----a-w- c:\windows\system32\Mstrai40.exe
2011-09-25 02:46 . 2003-06-02 13:14 35424 ----a-w- c:\windows\system32\Msrecr40.dll
2011-09-25 02:46 . 1998-06-18 02:00 89360 ----a-w- c:\windows\system32\vb5db.dll
2011-09-25 02:44 . 2011-09-25 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-09-13 00:31 . 2011-09-13 00:31 -------- d-----w- c:\program files\Common Files\Java
2011-09-13 00:30 . 2011-09-13 00:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-13 00:29 . 2011-09-13 00:29 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 01:03 . 2011-07-17 04:32 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-05-05 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 00:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Extraram"="c:\program files\Extra RAM\ExtraRAM.exe" [2010-05-01 554496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 17:29 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 06:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 07:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DoroServer]
2011-05-12 00:45 167936 ----a-w- c:\program files\DoroPDFWriter\DoroServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-30 01:56 136176 ----atw- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 14:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-07-23 01:33 150528 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 01:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSDMonitor]
2010-08-05 11:46 104408 ----a-w- c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 16:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 16:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 136176]
R4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-01-16 4077936]
R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
R4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-08-05 583640]
R4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1343400]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-14 691696]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-06 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-10-02 12:07]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 21:08]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 21:08]
.
2011-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1001Core.job
- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 01:56]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1001UA.job
- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 01:56]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1003Core.job
- c:\users\Matheuss\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 02:55]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1003UA.job
- c:\users\Matheuss\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 02:55]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 201.17.128.109 201.17.128.103
FF - ProfilePath - c:\users\Matheus\AppData\Roaming\Mozilla\Firefox\Profiles\9z5063qn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-06 15:19:52
ComboFix-quarantined-files.txt 2011-10-06 18:19
.
Pre-Run: 45,752,139,776 bytes free
Post-Run: 45,755,617,280 bytes free
.
- - End Of File - - AF395083DDCF6CAB9E0E427B8FC753EB



Second log (with MBAM turned off)

ComboFix 11-10-06.03 - Matheus 10/06/2011 15:29:11.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.991.208 [GMT -3:00]
Running from: c:\users\Matheus\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-10-06 18:40 . 2011-10-06 18:40 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-10-06 18:40 . 2011-10-06 18:40 -------- d-----w- c:\users\Matheuss\AppData\Local\temp
2011-10-06 18:40 . 2011-10-06 18:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-06 18:19 . 2011-10-06 18:40 -------- d-----w- c:\users\Matheus\AppData\Local\temp
2011-10-06 18:04 . 2011-10-06 18:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3F7C90B-2B2E-480E-B4FF-B840A014014C}\offreg.dll
2011-10-06 00:44 . 2011-10-06 00:44 -------- d-----w- C:\_OTL
2011-10-06 00:42 . 2011-10-06 00:43 172454188 ----a-w- C:\registrybackup.reg
2011-10-04 20:07 . 2011-10-04 20:07 -------- d-----w- c:\windows\system32\EventProviders
2011-10-04 17:43 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-10-04 17:35 . 2009-11-25 15:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-10-04 17:35 . 2009-11-25 15:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-10-04 17:35 . 2009-11-25 15:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-10-04 17:35 . 2009-11-25 15:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-10-04 17:35 . 2009-11-25 15:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-10-04 17:32 . 2011-09-21 12:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3F7C90B-2B2E-480E-B4FF-B840A014014C}\mpengine.dll
2011-10-04 16:55 . 2011-10-04 16:55 -------- d-----w- c:\program files\MSXML 4.0
2011-10-04 16:52 . 2011-05-03 04:50 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-04 16:52 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-10-04 16:50 . 2011-06-15 09:04 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-10-04 16:49 . 2010-10-16 04:36 314368 ----a-w- c:\windows\system32\webio.dll
2011-10-04 16:49 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2011-10-04 16:49 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-10-04 16:49 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-10-04 16:49 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-10-04 16:49 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2011-10-04 16:49 . 2011-05-24 10:35 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-10-04 16:48 . 2011-04-29 05:08 759296 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-10-04 16:44 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2011-10-04 16:44 . 2010-10-16 04:41 101760 ----a-w- c:\windows\system32\consent.exe
2011-10-04 16:42 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-10-04 16:42 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-10-04 16:40 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-10-04 16:40 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2011-10-04 16:31 . 2011-10-04 19:37 -------- d-----w- c:\windows\system32\catroot2
2011-10-03 23:05 . 2011-10-03 23:05 -------- d-----w- c:\users\Matheus\AppData\Local\AskToolbar
2011-10-03 02:15 . 2011-10-03 02:15 -------- d-----w- c:\program files\Foxit Software
2011-10-02 16:17 . 2011-10-02 16:17 -------- d-----w- c:\users\Matheus\AppData\Roaming\GlarySoft
2011-10-02 15:44 . 2011-10-05 11:29 -------- d-----w- c:\program files\Extra RAM
2011-10-02 15:43 . 2011-10-06 17:07 -------- d-----w- c:\program files\Ask.com
2011-10-02 15:43 . 2011-10-05 11:29 -------- d-----w- c:\program files\Glary Utilities
2011-10-01 18:01 . 2011-10-01 18:01 -------- d-----w- c:\windows\Sun
2011-09-28 23:20 . 2011-09-28 23:20 -------- d-----w- c:\users\Matheuss\AppData\Roaming\Malwarebytes
2011-09-28 19:41 . 2011-09-28 19:41 -------- d-----w- c:\users\Matheus\AppData\Roaming\Malwarebytes
2011-09-28 19:39 . 2011-09-28 19:39 -------- d-----w- c:\programdata\Malwarebytes
2011-09-28 19:39 . 2011-10-05 11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-28 19:39 . 2011-08-31 20:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-27 16:09 . 2011-10-05 11:30 -------- d-----w- c:\program files\CCleaner
2011-09-26 04:55 . 2011-09-26 04:55 -------- d-----w- c:\users\Matheuss\AppData\Local\Microsoft Help
2011-09-25 17:57 . 2011-06-21 21:56 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-09-25 17:57 . 2011-06-21 21:56 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-09-25 17:55 . 2011-09-25 21:17 -------- d-----w- c:\users\Matheuss\AppData\Local\OpenCandy
2011-09-25 17:55 . 2011-09-25 17:55 -------- d-----w- c:\users\Matheuss\AppData\Roaming\OpenCandy
2011-09-25 17:55 . 2011-09-25 17:55 -------- d-----w- c:\users\Matheuss\AppData\Local\QuickStores
2011-09-25 17:54 . 2011-09-25 21:18 -------- d-----w- c:\program files\DsNET Corp
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\DCube
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\FathZip
2011-09-25 02:47 . 2011-10-05 11:35 -------- d-----w- C:\Epi_Info
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\Common Files\ESRI
2011-09-25 02:46 . 2001-05-24 15:59 162304 ----a-w- c:\program files\UNWISE.EXE
2011-09-25 02:46 . 2003-06-02 13:14 80480 ----a-w- c:\windows\system32\Msrpfs40.dll
2011-09-25 02:46 . 2003-06-02 13:14 80480 ----a-w- c:\windows\system32\Msrclr40.dll
2011-09-25 02:46 . 2003-06-02 13:14 52048 ----a-w- c:\windows\system32\Mstran40.exe
2011-09-25 02:46 . 2003-06-02 13:14 43856 ----a-w- c:\windows\system32\Mstrai40.exe
2011-09-25 02:46 . 2003-06-02 13:14 35424 ----a-w- c:\windows\system32\Msrecr40.dll
2011-09-25 02:46 . 1998-06-18 02:00 89360 ----a-w- c:\windows\system32\vb5db.dll
2011-09-25 02:44 . 2011-09-25 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-09-13 00:31 . 2011-09-13 00:31 -------- d-----w- c:\program files\Common Files\Java
2011-09-13 00:30 . 2011-09-13 00:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-13 00:29 . 2011-09-13 00:29 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 01:03 . 2011-07-17 04:32 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-05-05 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 00:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Extraram"="c:\program files\Extra RAM\ExtraRAM.exe" [2010-05-01 554496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 17:29 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 06:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 07:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DoroServer]
2011-05-12 00:45 167936 ----a-w- c:\program files\DoroPDFWriter\DoroServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-30 01:56 136176 ----atw- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 14:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-07-23 01:33 150528 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 01:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSDMonitor]
2010-08-05 11:46 104408 ----a-w- c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 16:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 16:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 136176]
R4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-01-16 4077936]
R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
R4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-08-05 583640]
R4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1343400]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-14 691696]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-06 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-10-02 12:07]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 21:08]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 21:08]
.
2011-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1001Core.job
- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 01:56]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1001UA.job
- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 01:56]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1003Core.job
- c:\users\Matheuss\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 02:55]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1003UA.job
- c:\users\Matheuss\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 02:55]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 201.17.128.109 201.17.128.103
FF - ProfilePath - c:\users\Matheus\AppData\Roaming\Mozilla\Firefox\Profiles\9z5063qn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-06 15:45:00
ComboFix-quarantined-files.txt 2011-10-06 18:44
ComboFix2.txt 2011-10-06 18:19
.
Pre-Run: 45,803,524,096 bytes free
Post-Run: 45,753,159,680 bytes free
.
- - End Of File - - 59C7B5E53B78539EA17A65814C6D4C59


Once again, thank you very much!
  • 0

#7
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

No worries, you didn't mess anything up.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
FCopy::
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll | c:\windows\System32\user32.dll

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



What issues are you currently experiencing with your computer?
  • 0

#8
Kelendril

Kelendril

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello!

Here are the logs:

ComboFix:

ComboFix 11-10-07.04 - Matheus 10/07/2011 22:14:26.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.991.369 [GMT -3:00]
Running from: c:\users\Matheus\Desktop\ComboFix.exe
Command switches used :: c:\users\Matheus\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll --> c:\windows\System32\user32.dll
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-08 01:27 . 2011-10-08 01:27 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-10-08 01:27 . 2011-10-08 01:27 -------- d-----w- c:\users\Matheuss\AppData\Local\temp
2011-10-08 01:27 . 2011-10-08 01:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-08 01:11 . 2011-10-08 01:11 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3F7C90B-2B2E-480E-B4FF-B840A014014C}\offreg.dll
2011-10-06 18:19 . 2011-10-08 01:29 -------- d-----w- c:\users\Matheus\AppData\Local\temp
2011-10-06 00:44 . 2011-10-06 00:44 -------- d-----w- C:\_OTL
2011-10-06 00:42 . 2011-10-06 00:43 172454188 ----a-w- C:\registrybackup.reg
2011-10-04 20:07 . 2011-10-04 20:07 -------- d-----w- c:\windows\system32\EventProviders
2011-10-04 17:43 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-10-04 17:35 . 2009-11-25 15:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-10-04 17:35 . 2009-11-25 15:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-10-04 17:35 . 2009-11-25 15:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-10-04 17:35 . 2009-11-25 15:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-10-04 17:35 . 2009-11-25 15:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-10-04 17:32 . 2011-09-21 12:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3F7C90B-2B2E-480E-B4FF-B840A014014C}\mpengine.dll
2011-10-04 16:55 . 2011-10-04 16:55 -------- d-----w- c:\program files\MSXML 4.0
2011-10-04 16:52 . 2011-05-03 04:50 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-04 16:52 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-10-04 16:50 . 2011-06-15 09:04 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-10-04 16:49 . 2010-10-16 04:36 314368 ----a-w- c:\windows\system32\webio.dll
2011-10-04 16:49 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2011-10-04 16:49 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-10-04 16:49 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-10-04 16:49 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-10-04 16:49 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2011-10-04 16:49 . 2011-05-24 10:35 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-10-04 16:48 . 2011-04-29 05:08 759296 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-10-04 16:44 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2011-10-04 16:44 . 2010-10-16 04:41 101760 ----a-w- c:\windows\system32\consent.exe
2011-10-04 16:42 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-10-04 16:42 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-10-04 16:40 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-10-04 16:40 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2011-10-04 16:31 . 2011-10-04 19:37 -------- d-----w- c:\windows\system32\catroot2
2011-10-03 02:15 . 2011-10-03 02:15 -------- d-----w- c:\program files\Foxit Software
2011-10-02 16:17 . 2011-10-02 16:17 -------- d-----w- c:\users\Matheus\AppData\Roaming\GlarySoft
2011-10-02 15:44 . 2011-10-05 11:29 -------- d-----w- c:\program files\Extra RAM
2011-10-02 15:43 . 2011-10-05 11:29 -------- d-----w- c:\program files\Glary Utilities
2011-10-01 18:01 . 2011-10-01 18:01 -------- d-----w- c:\windows\Sun
2011-09-28 23:20 . 2011-09-28 23:20 -------- d-----w- c:\users\Matheuss\AppData\Roaming\Malwarebytes
2011-09-28 19:41 . 2011-09-28 19:41 -------- d-----w- c:\users\Matheus\AppData\Roaming\Malwarebytes
2011-09-28 19:39 . 2011-09-28 19:39 -------- d-----w- c:\programdata\Malwarebytes
2011-09-28 19:39 . 2011-10-05 11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-28 19:39 . 2011-08-31 20:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-27 16:09 . 2011-10-05 11:30 -------- d-----w- c:\program files\CCleaner
2011-09-26 04:55 . 2011-09-26 04:55 -------- d-----w- c:\users\Matheuss\AppData\Local\Microsoft Help
2011-09-25 17:57 . 2011-06-21 21:56 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-09-25 17:57 . 2011-06-21 21:56 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-09-25 17:55 . 2011-09-25 21:17 -------- d-----w- c:\users\Matheuss\AppData\Local\OpenCandy
2011-09-25 17:55 . 2011-09-25 17:55 -------- d-----w- c:\users\Matheuss\AppData\Roaming\OpenCandy
2011-09-25 17:55 . 2011-09-25 17:55 -------- d-----w- c:\users\Matheuss\AppData\Local\QuickStores
2011-09-25 17:54 . 2011-09-25 21:18 -------- d-----w- c:\program files\DsNET Corp
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\DCube
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\FathZip
2011-09-25 02:47 . 2011-10-05 11:35 -------- d-----w- C:\Epi_Info
2011-09-25 02:47 . 2011-09-25 02:47 -------- d-----w- c:\program files\Common Files\ESRI
2011-09-25 02:46 . 2001-05-24 15:59 162304 ----a-w- c:\program files\UNWISE.EXE
2011-09-25 02:46 . 2003-06-02 13:14 80480 ----a-w- c:\windows\system32\Msrpfs40.dll
2011-09-25 02:46 . 2003-06-02 13:14 80480 ----a-w- c:\windows\system32\Msrclr40.dll
2011-09-25 02:46 . 2003-06-02 13:14 52048 ----a-w- c:\windows\system32\Mstran40.exe
2011-09-25 02:46 . 2003-06-02 13:14 43856 ----a-w- c:\windows\system32\Mstrai40.exe
2011-09-25 02:46 . 2003-06-02 13:14 35424 ----a-w- c:\windows\system32\Msrecr40.dll
2011-09-25 02:46 . 1998-06-18 02:00 89360 ----a-w- c:\windows\system32\vb5db.dll
2011-09-25 02:44 . 2011-09-25 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-09-13 00:31 . 2011-09-13 00:31 -------- d-----w- c:\program files\Common Files\Java
2011-09-13 00:30 . 2011-09-13 00:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-13 00:29 . 2011-09-13 00:29 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 01:03 . 2011-07-17 04:32 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Extraram"="c:\program files\Extra RAM\ExtraRAM.exe" [2010-05-01 554496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 17:29 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 06:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 07:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DoroServer]
2011-05-12 00:45 167936 ----a-w- c:\program files\DoroPDFWriter\DoroServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-30 01:56 136176 ----atw- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 14:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-07-23 01:33 150528 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 01:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSDMonitor]
2010-08-05 11:46 104408 ----a-w- c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 16:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 16:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 136176]
R4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-01-16 4077936]
R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
R4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-08-05 583640]
R4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1343400]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-14 691696]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-10-02 12:07]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 21:08]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 21:08]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1001Core.job
- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 01:56]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1001UA.job
- c:\users\Matheus\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 01:56]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1003Core.job
- c:\users\Matheuss\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 02:55]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495871300-68735504-1991991994-1003UA.job
- c:\users\Matheuss\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-30 02:55]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 201.17.128.109 201.17.128.103
FF - ProfilePath - c:\users\Matheus\AppData\Roaming\Mozilla\Firefox\Profiles\9z5063qn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-10-07 22:35:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-08 01:35
ComboFix2.txt 2011-10-06 18:45
ComboFix3.txt 2011-10-06 18:19
.
Pre-Run: 42,821,599,232 bytes free
Post-Run: 42,755,235,840 bytes free
.
- - End Of File - - 9FE3E9A2AB2637F1BEE3ACB7DD628E61


MBAM:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7901

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/8/2011 12:30:57 PM
mbam-log-2011-10-08 (12-30-57).txt

Scan type: Quick scan
Objects scanned: 201031
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

___________________________________________________________________________

Well, it looks like there are no more viruses in the computer, but those problems I listed in my first post are still occurring, with the exception of the Chrome problem, which seems to be solved; and one more problem started with Firefox: the screen gets stripped every time and nothing in the page can be seen. I don't know, therefore, if there is really a virus causing these problems. Maybe it's a major bug in the computer. But I don't really have the knowledge to say this. What do you think?

Thanks!
  • 0
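The ComboFix log above records, under "Reg Loading Points", the UAC policy and Security Center values on this machine. The following is an added example, not code from the thread, from ComboFix or from Malwarebytes: it parses those two sections of a ComboFix log and flags every value that switches off UAC, the Security Center checks or their notifications. The sample lines are copied from the log above; the table of expected values is the example's own assumption (Windows 7 defaults), and ComboFix's two DWORD notations (`"EnableLUA"= 0 (0x0)` and `"AntiVirusOverride"=dword:00000001`) are both handled.

```python
"""Triage of the policy and Security Center keys in a ComboFix log.
Added example; not part of the original thread, ComboFix or Malwarebytes."""
import re

# Sample lines copied from the ComboFix log posted above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
"""

# Assumption for the example: the values a default Windows 7 install carries.
# Any departure disables a protection or silences its warning.
EXPECTED = {
    "EnableLUA": 1,                 # UAC on
    "AntiVirusOverride": 0,         # Security Center still checks the AV
    "FirewallOverride": 0,          # ... and the firewall
    "AntiVirusDisableNotify": 0,    # warnings not suppressed
    "FirewallDisableNotify": 0,
    "UpdatesDisableNotify": 0,
    "UacDisableNotify": 0,
}

KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches both '"Name"= 5 (0x5)' and '"Name"=dword:00000001'.
VALUE_RE = re.compile(
    r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))')

def parse_reg_values(text):
    """Yield (key_path, value_name, int_value) for each DWORD line that
    follows a [key] header in the ComboFix registry listing."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            val = int(m.group(2), 16) if m.group(2) is not None else int(m.group(3))
            yield key, m.group(1), val

def weakened_settings(text):
    """Return [(key_path, name, actual, expected)] for every monitored value
    that differs from EXPECTED. Values ComboFix does not list are not reported,
    so an empty result only means 'nothing in the log is weakened'."""
    return [(k, n, v, EXPECTED[n]) for k, n, v in parse_reg_values(text)
            if n in EXPECTED and v != EXPECTED[n]]

if __name__ == "__main__":
    for key, name, actual, expected in weakened_settings(SAMPLE_LOG):
        print(f"{key}\n    {name} = {actual} (expected {expected})")
```

Run against the lines above it reports ten weakened values: UAC is off for the machine and for the current user, both Security Center overrides are set, and all four notification classes are silenced. None of these are settings a user normally changes by hand, which is why a helper reading such a log treats the block as one finding rather than seven.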

#9
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Thanks for that information. You were definitely infected with malware. Your logs are looking better; let's see what the following scans find:


ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:


Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0

#10
Kelendril

Kelendril

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi!

I've been busy these days...

Tomorrow I'll post the results!

Thank you very much!
  • 0

#11
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Okay. Thanks for the update.
  • 0

#12
Kelendril

Kelendril

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello!

Phew... sorry for being absent for so long. Like I said, there were many things going on in my life these days. I am back now =)

Here are the logs:


Results of screen317's Security Check version 0.99.24
Windows 7 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 27
Adobe Flash Player ( 10.1.53.64) Flash Player Out of Date!
Adobe Reader X (10.0.1) Adobe Reader Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````

_____________________


C:\NVIDIA\DisplayDriver\191.07\WinXP\English\PhysX_9.09.0814_SystemSoftware.exe.7CAE15A807487F80 Win32/Sality.NBA virus
C:\Program Files\DivX\DivX Codec\config.exe.70137E9A62E22B7C Win32/Sality.NBA virus
C:\Program Files\Free DVD Burner\databurner.exe probably a variant of Win32/IRCBot.JGLVNTV trojan
C:\Program Files\HP\Digital Imaging\bin\hpqtax11.exe.F5B62256E9529A14 Win32/Sality.NBA virus
C:\Program Files\HP\Digital Imaging\help\player\FlashPla.exe.DDECBD2DB09C52D8 Win32/Sality.NBA virus
C:\Program Files\HP\Digital Imaging\help\player\fscommand\F4100_load_env.exe.BB677FF45B18DEB2 Win32/Sality.NBA virus
C:\Program Files\HP\Digital Imaging\help\player\fscommand\F4100_load_letter.exe.1AD535F08C5E7C40 Win32/Sality.NBA virus
C:\Program Files\HP\Digital Imaging\help\player\fscommand\F4100_load_original.exe.4FA947EF799D4A53 Win32/Sality.NBA virus
C:\Program Files\HP\Digital Imaging\help\player\fscommand\F4100_load_small.exe.EB12C32D7570CEEE Win32/Sality.NBA virus
C:\Program Files\HP\Digital Imaging\help\player\fscommand\F4100_paperjam.exe.EDC1137E54E4489E Win32/Sality.NBA virus
C:\Program Files\HP\Digital Imaging\help\player\fscommand\F4100_printcart.exe.B036EC1AF130717C Win32/Sality.NBA virus
C:\Program Files\HP\Digital Imaging\help\player\fscommand\F4100_transfer_scan.exe.50826E294F61E078 Win32/Sality.NBA virus
C:\Program Files\Microsoft Office\Office12\DRAT.EXE Win32/Sality.NBA virus
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE Win32/Sality.NBA virus
C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe Win32/Sality.NBA virus
C:\Program Files\Microsoft Office\Office12\GrooveClean.exe Win32/Sality.NBA virus
C:\Program Files\Microsoft Office\Office12\GrooveMigrator.exe Win32/Sality.NBA virus
C:\Program Files\Microsoft Office\Office12\GrooveStdURLLauncher.exe Win32/Sality.NBA virus
C:\Program Files\PSP\PSP ISO Shrink\Compressor\ciso.exe.6A8F1AF3203FCB5B Win32/Sality.NBA virus
C:\Program Files\PSP\PSP ISO Shrink\Compressor\daxcr.exe.8430D9522284A3FF Win32/Sality.NBA virus
C:\Program Files\Skype\Phone\Skype.exe.3E6AF08B8ABEE8AF Win32/Sality.NBA virus
C:\Program Files\Warcraft III\BNUpdate.bak.exe.7442B54D98C1731B Win32/Sality.NBA virus
C:\Program Files\Warcraft III\Frozen Throne.exe.75EE74B3D48B281C Win32/Sality.NBA virus
C:\Program Files\Warcraft III\w3battle_122a.exe.834D09A947E13BDB Win32/Sality.NBA virus
C:\Program Files\Warcraft III\War3Patches_TFT_121b_122a_enUS.exe.7756CCFE28CA3520 Win32/Sality.NBA virus
C:\Program Files\Warcraft III\War3TFT_121b_122a_English.exe.D417C15E312A7100 Win32/Sality.NBA virus
C:\Program Files\Warcraft III\Warcraft III.exe.7892F6AD0E27C508 Win32/Sality.NBA virus
C:\Program Files\Warcraft III\World Editor.exe.9D9621A9527E757A Win32/Sality.NBA virus
C:\Program Files\Warcraft III\Patches\w3battle_122a.exe.AEEAD550757751E0 Win32/Sality.NBA virus
C:\Program Files\Warcraft III\Patches\War3TFT_121b_122a_English.exe.7694184A1BD8957D Win32/Sality.NBA virus
C:\Qoobox\Quarantine\C\Autorun.inf.vir INF/Autorun.gen trojan
C:\Qoobox\Quarantine\C\ddtep.pif.vir Win32/Sality.NBA virus
C:\Qoobox\Quarantine\C\_autorun_.inf.zip INF/Autorun.gen trojan
C:\Users\Matheus\Desktop\OTL.exe Win32/Sality.NBA virus
C:\Users\Matheus\Documents\Empire Earth\Empire Earth.exe.DFE0057E9800D9AB Win32/Sality.NBA virus
C:\Users\Matheus\Downloads\extraramsetup.exe Win32/Sality.NBA virus
C:\Users\Matheus\Downloads\gusetup.exe Win32/Sality.NBA virus
C:\Users\Matheus\Downloads\MsgPlusLive-484.exe a variant of Win32/MessengerPlus application
C:\Users\Matheus\Downloads\NameGen_eng.rar Win32/Packed.Autoit.A.Gen application
C:\Users\Matheuss\Downloads\freedvdburner.exe probably a variant of Win32/IRCBot.JGLVNTV trojan
C:\Users\Matheuss\Downloads\MsgPlusLive-485.exe a variant of Win32/MessengerPlus application
C:\Users\Matheuss\Downloads\SoftonicDownloader42923.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Matheuss\Downloads\SoftonicDownloader_for_divx-subtitle-displayer.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Matheuss\Downloads\VideoConverterSetup.exe a variant of Win32/SweetIM.A application
C:\Users\Public\Documents\Drivers\DRIVERS\q1mdm02us13.exe Win32/Sality.NBA virus
C:\Users\Public\Documents\Drivers\DRIVERS 1\LAN\Broadcom\B44L735\Drivers\DrvInst\x64\setup.exe Win32/Sality.NBA virus
C:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DRAT.EXE.D26A1A8E5CC4AAD6 Win32/Sality.NBA virus
C:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVE.EXE.123238653467699F Win32/Sality.NBA virus
C:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVEAUDITSERVICE.EXE.B377C124830FFEAA Win32/Sality.NBA virus
C:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVECLEAN.EXE.831D497DBA3167F3 Win32/Sality.NBA virus
C:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVEMIGRATOR.EXE.697ED3DF7BEB4435 Win32/Sality.NBA virus
C:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVEMONITOR.EXE.8611DA00C454DA9D Win32/Sality.NBA virus
C:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVESTDURLLAUNCHER.EXE.8B2FE15351D7C1B4 Win32/Sality.NBA virus



Thank you very much once again!
  • 0

#13
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

No worries.

Uh Oh. I'm afraid I have some bad news for you.

The ESET Online Scanner seems to indicate that you have some files infected with an infection known as Sality.


Please see ThreatExpert's awareness of Win32.Sality.

The Sality family is a family of polymorphic file infectors which infect .exe and .scr files, download more malicious files to your computer, steal sensitive system information/passwords and send it back to the attacker.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

As with many other malware, Sality disables anti-virus software and prevents access to certain anti-virus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach.

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat, as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
  • 0
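Two points in the post above lend themselves to a worked check: reading the ESET result list to see how far a file infector has spread (live hits in Program Files and Windows versus hits already sitting in ComboFix's Qoobox quarantine), and the autorun.inf mechanism by which Sality is said to launch a .pif/.cmd/.exe dropped at a drive root. The block below is an added example written for this thread; it is not code from ESET, ComboFix or the poster. The detection lines are copied from the ESET list posted in the thread (a subset); the autorun.inf text is constructed for the example, using the dropped file name ddtep.pif that appears in the quarantine listing, and is not the file from this machine. Treating Win32/Sality as a file infector is taken from the post and is the example's only classification assumption.

```python
"""Triage of an ESET Online Scanner result list, plus a check of the
autorun.inf launch trick described in the post above.
Added example; not code from the thread, ESET or ComboFix."""
import re
from collections import Counter, defaultdict

# Detection lines copied verbatim from the ESET list posted above (a subset).
ESET_SAMPLE = """\
C:\\Program Files\\Skype\\Phone\\Skype.exe.3E6AF08B8ABEE8AF Win32/Sality.NBA virus
C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE Win32/Sality.NBA virus
C:\\Program Files\\Free DVD Burner\\databurner.exe probably a variant of Win32/IRCBot.JGLVNTV trojan
C:\\Qoobox\\Quarantine\\C\\Autorun.inf.vir INF/Autorun.gen trojan
C:\\Qoobox\\Quarantine\\C\\ddtep.pif.vir Win32/Sality.NBA virus
C:\\Users\\Matheus\\Desktop\\OTL.exe Win32/Sality.NBA virus
C:\\Users\\Matheuss\\Downloads\\SoftonicDownloader42923.exe a variant of Win32/SoftonicDownloader.A application
C:\\Windows\\Installer\\$PatchCache$\\Managed\\00002109030000000000000000F01FEC\\12.0.4518\\DRAT.EXE.D26A1A8E5CC4AAD6 Win32/Sality.NBA virus
"""

# Constructed autorun.inf shaped like the dropper behaviour the post describes
# (run a .pif dropped at the drive root when the drive is opened). Not the
# real file from this machine, which is in ComboFix's quarantine.
AUTORUN_SAMPLE = """\
[autorun]
open=ddtep.pif
shell\\open\\command=ddtep.pif
shell\\explore\\command=ddtep.pif
shellexecute=ddtep.pif
"""

# Assumption for the example: families the thread describes as file infectors.
FILE_INFECTORS = {"Win32/Sality"}
QUARANTINE_MARK = "\\qoobox\\quarantine\\"

# ESET line shape: <path> [probably ][a variant of ]<Family.Variant> <kind>.
# Paths never contain '/', so the detection name anchors the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?:probably )?a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/\S+) (?P<kind>virus|trojan|application)$")

def parse_eset(text):
    """Return one dict per detection: path, family (name without the variant
    suffix), kind, and whether the file already sits in ComboFix quarantine."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "path": m.group("path"),
            "family": m.group("name").split(".")[0],
            "kind": m.group("kind"),
            "quarantined": QUARANTINE_MARK in m.group("path").lower(),
        })
    return hits

def top_dir(path):
    """'C:\\Program Files\\Skype\\...' -> 'C:\\Program Files'."""
    return "\\".join(path.split("\\")[:2])

def triage(text):
    """Summarise live (non-quarantined) hits by family and, for file infectors,
    by top-level folder. A live infector hit outside C:\\Users means installed
    software or Windows itself carries the infection, which is the condition
    under which the post recommends a wipe and reinstall rather than cleaning."""
    hits = parse_eset(text)
    live = [h for h in hits if not h["quarantined"]]
    infector_dirs = defaultdict(int)
    for h in live:
        if h["family"] in FILE_INFECTORS:
            infector_dirs[top_dir(h["path"])] += 1
    return {
        "total": len(hits),
        "quarantined": len(hits) - len(live),
        "by_family": dict(Counter(h["family"] for h in live)),
        "infector_dirs": dict(infector_dirs),
        "reinstall_recommended": any(
            not d.lower().startswith("c:\\users") for d in infector_dirs),
    }

# Directives that make Explorer run something when the drive is opened.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)
LAUNCH_EXT = (".pif", ".cmd", ".exe", ".bat", ".com", ".scr")

def autorun_launch_targets(text):
    """Return [(directive, target)] for every autorun.inf directive that would
    launch an executable; an empty list means the file only sets icon/label."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, target = (s.strip() for s in line.split("=", 1))
            if LAUNCH_KEYS.match(key) and target.lower().endswith(LAUNCH_EXT):
                found.append((key, target))
    return found

if __name__ == "__main__":
    print(triage(ESET_SAMPLE))
    print(autorun_launch_targets(AUTORUN_SAMPLE))
```

On the eight sample lines the summary shows two hits already quarantined (the autorun.inf and the .pif it launched) and four live Sality hits spread over C:\Program Files, C:\Users and C:\Windows, so the reinstall flag is set; the autorun check lists four directives, any one of which is enough to run the dropped file when the drive is double-clicked. A benign autorun.inf that only sets icon and label returns nothing.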

#14
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
