TechSpot

Bamital, Patched-Rp, Smitnyl Trojan infection

By AlbionPT
Apr 6, 2011
  1. Greetings all.

    I'm trying to fix a friend's laptop from a serious virus/malware/trojan infection.

    I have run a few anti-virus/spyware programs to try to solve the situation (Avast, MalwareBytes, ESET Online Check, Hitman Pro 3.5) and see if I could clean the computer, but after removing an absurd amount of "infected junk" (close to 900 files/entries!) I slammed against a wall.


    Step 1: Avast detected:

    explorer.exe, userinit.exe, winlogon.exe and the
    Master Boot Record infected with Bamital/Patched-RP and Smitnyl. Delete/Quarantine/Heal didn't work.

    Step 2: Ok

    Step 3:

    I was having a few issues here. I had to use an outdated database first because whenever I tried to update I got a BSOD. After removing a few viruses I managed to update without a BSOD.

    Step 4 to 7: OK

    Extra: even though it was not asked for, I ran HijackThis and found a few "suspicious" entries in the Hosts file, so I'm also adding an HJT log to the thread.

    Also, the computer is giving me an '"explorer.exe" can't start because a DLL is missing' error, but I see an explorer.exe instance in Task Manager.

    Since this is not my laptop I would really like to fix the issues without having to format...
    (Logs follow)

    Thanks in advance.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================================

    Please post all required logs.
     
  3. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    OK, first off, thanks for killing the other thread. I only noticed that posts had to be confirmed by a mod after my second entry.

    Now the logs:

    Malwarebytes log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6288

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    07-04-2011 20:44:52
    mbam-log-2011-04-07 (20-44-52).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 208150
    Time elapsed: 22 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C597AEFF-0239-426B-939C-509D9A61B015} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\YXE7DXCQ37 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6B457D83-0365-D3B2-64C4-A6E680046383} (Trojan.ZbotR.Gen) -> Value: {6B457D83-0365-D3B2-64C4-A6E680046383} -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=302&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\utilizador\definições locais\Temp\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
  4. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    GMER Log

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-04-07 22:19:03
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541080G9SA00 rev.MB4OC60D
    Running: d76w6zpe.exe; Driver: C:\DOCUME~1\UTILIZ~1\DEFINI~1\Temp\fwpdrfoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA9C74026]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA9C73E91]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA9CBD8DE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  5. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    DDS Log (part 1)

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Utilizador at 22:19:41,81 on 07-04-2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.1022.448 [GMT 4,5:30]
    .
    AV: My Security Shield *Enabled/Updated* {BCAB80E9-F911-4572-AE67-7F1626E5BDB1}
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: My Security Shield *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Programas\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programas\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\explorer.exe
    C:\Programas\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Programas\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Programas\Intel\WiFi\bin\EvtEng.exe
    C:\Programas\Java\jre6\bin\jqs.exe
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
    C:\Programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Programas\Internet Explorer\iexplore.exe
    C:\Programas\Internet Explorer\iexplore.exe
    C:\Programas\Windows Live\Toolbar\wltuser.exe
    C:\Programas\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programas\ficheiros comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programas\avg\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\programas\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\programas\microsoft office\office12\GrooveShellExtensions.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\programas\avast software\avast\aswWebRepIE.dll
    BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programas\ficheiros comuns\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programas\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\programas\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: CescrtHlpr Object: {f9b72325-a029-4a39-943a-02433c978829} - c:\programas\esnips.com\esnipstoolbar\1.3.0.3\escort.dll
    TB: esnips Toolbar: {3132f1df-2c69-49f5-aca5-69965fc18e59} - c:\programas\esnips.com\esnipstoolbar\1.3.0.3\escorTlbr.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\programas\windows live\toolbar\wltcore.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\programas\avast software\avast\aswWebRepIE.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\programas\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [HitmanPro35] "c:\programas\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    mRun: [avast] "c:\programas\avast software\avast\avastUI.exe" /nogui
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\utiliz~1\menuin~1\progra~1\arranque\inicia~1.lnk - c:\programas\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\documents and settings\utilizador\menu iniciar\programas\arranque\Índice do OneNote.onetoc2
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programas\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\programas\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242890722484
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242890714281
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\programas\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programas\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\programas\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
    IFEO: image file execution options - svchost.exe
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 getantivirusplusnow.com
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-7 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-7 301528]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-16 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-16 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-16 243024]
    R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [2009-5-21 5888]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-7 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\programas\avast software\avast\AvastSvc.exe [2011-4-7 42184]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-7-30 54760]
    S2 avg9emc;AVG Free E-mail Scanner;c:\programas\avg\avg9\avgemc.exe --> c:\programas\avg\avg9\avgemc.exe [?]
    S2 avg9wd;AVG Free WatchDog;c:\programas\avg\avg9\avgwdsvc.exe --> c:\programas\avg\avg9\avgwdsvc.exe [?]
    S2 Tmesrv;Tmesrv3;c:\programas\toshiba\tme3\TMESRV31.EXE [2009-5-21 118784]
    S2 wlknvoym;Boot Server;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-21 1684736]
    S3 fsssvc;Serviço Windows Live Proteção para a Família;c:\programas\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-9-11 50704]
    .
    =============== Created Last 30 ================
    .
    2011-04-07 14:13:17 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-04-07 14:13:02 40648 ----a-w- c:\windows\avastSS.scr
    2011-04-07 14:12:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
    2011-04-07 13:55:02 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-04-07 13:55:00 -------- d-----w- c:\programas\Hitman Pro 3.5
    2011-04-07 13:54:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2011-04-07 12:57:39 -------- d-----w- c:\programas\ESET
    2011-04-07 12:25:54 -------- d-----w- c:\programas\AVAST Software
    2011-04-07 09:41:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-07 09:41:32 -------- d-----w- c:\programas\Malwarebytes' Anti-Malware
    2011-04-07 09:38:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-07 09:20:46 -------- d-----w- c:\docume~1\utiliz~1\applic~1\Malwarebytes
    2011-04-07 08:37:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-04-07 07:43:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2011-04-06 18:04:50 -------- d-----w- c:\windows\pss
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 22:20:38,21 ===============
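One way to triage the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of a DDS log like the one above (the attach log that follows lists many more Hosts: entries of the same kind), as an added example that is not part of the original thread and is not DDS or any of the tools used in it. It reads the Hosts:, IFEO:, mWinlogon: Userinit= and service lines; groups every non-loopback hosts entry by destination address and flags addresses that collect search-engine, security-vendor or Microsoft update/blocklist names; flags an Image File Execution Options entry on a core system binary; checks that the Userinit chain contains only userinit.exe; and flags a service hosted in "svchost.exe -k netsvcs" whose name is not in a baseline list of that group's members. The sample report lines are constructed from the kind of entries quoted above, the netsvcs baseline is an approximation of XP SP3's and should be verified against a known-clean machine of the same build, and the watched-domain list is an assumption.

```python
"""Triage of a DDS-style pseudo-HJT report for hijack indicators.

Added example; it is not part of the forum thread or of DDS itself.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the DDS "Pseudo HJT Report" / "SERVICES / DRIVERS"
# line format (format assumed from the log quoted in the thread).
SAMPLE_REPORT = r"""
mWinlogon: Userinit=userinit.exe,
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 localhost
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.55.176.156 www.google.com
Hosts: 74.55.176.156 www.bing.com
Hosts: 74.55.176.156 search.yahoo.com
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-7 19544]
S2 wlknvoym;Boot Server;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-9-11 50704]
"""

# Assumed baseline of the XP SP3 "netsvcs" svchost group
# (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs).
# Approximate: confirm it against a known-clean machine of the same build.
NETSVCS_BASELINE = {n.lower() for n in """
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService
Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov
BITS wuauserv ShellHWDetection helpsvc uploadmgr napagent hkmsvc
""".split()}

# Assumed watch list: search engines, security vendors and Microsoft
# update/blocklist hosts, which rogue AV routinely redirects or blackholes.
WATCHED = ("google.", "bing.com", "yahoo.com", "microsoft.com", "avast.com",
           "avg.com", "malwarebytes.org", "eset.com")
CORE_IMAGES = {"svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe",
               "lsass.exe", "services.exe", "csrss.exe"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
IFEO_RE = re.compile(r"^IFEO:\s+image file execution options\s+-\s+(\S+)", re.I)
USERINIT_RE = re.compile(r"^mWinlogon:\s+Userinit=(.*)$", re.I)
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$")


def _is_loopback(ip_text):
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def triage(report_text):
    """Return non-loopback hosts entries grouped by target IP plus a list of
    (severity, message) findings for the hijack patterns described above."""
    by_ip = defaultdict(list)
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if not _is_loopback(ip):          # "127.0.0.1 localhost" is normal
                by_ip[ip].append(host)
        elif m := IFEO_RE.match(line):
            # A Debugger value under IFEO runs *that* program instead of the
            # named image; on svchost.exe it fires for every service host.
            image = m.group(1).lower()
            findings.append(("high" if image in CORE_IMAGES else "medium",
                             f"IFEO debugger entry for {image}"))
        elif m := USERINIT_RE.match(line):
            # Clean value is userinit.exe (optionally with full path) plus a
            # trailing comma; any extra entry in the list runs at every logon.
            parts = [p for p in m.group(1).split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].strip().lower().endswith("userinit.exe"):
                findings.append(("high", f"Userinit chain altered: {m.group(1)}"))
        elif m := SERVICE_RE.match(line):
            name, display, image = (g.strip() for g in m.groups())
            if ("svchost.exe -k netsvcs" in image.lower()
                    and name.lower() not in NETSVCS_BASELINE):
                findings.append(("high",
                                 f"unknown netsvcs-hosted service {name} ({display})"))
    for ip, hosts in by_ip.items():
        watched = [h for h in hosts if any(w in h.lower() for w in WATCHED)]
        if watched:
            findings.append(("high", f"hosts file redirects {len(watched)} watched "
                                     f"domain(s) to {ip}: {', '.join(watched)}"))
        elif len(hosts) >= 3:
            findings.append(("medium", f"hosts file sends {len(hosts)} names to {ip}"))
    return {"hosts_by_ip": dict(by_ip), "findings": findings}


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT)["findings"]:
        print(f"[{severity}] {message}")
```

On the live machine the authoritative checks behind two of these findings are registry values the log only summarises: for a netsvcs-hosted service, the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters (a rogue member gets its DLL loaded inside the trusted svchost.exe process), and for IFEO, the Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe. The grouping by target address matters more than any single hostname: many unrelated security, payment and search names pointing at the same two addresses is the signature of a deliberate hosts-file rewrite rather than of a stray entry.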
     
  6. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 21-05-2009 13:31:48
    System Uptime: 07-04-2011 22:06:23 (0 hours ago)
    .
    Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
    Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | U1 | 1828/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 64 GiB total, 47,52 GiB free.
    D: is FIXED (NTFS) - 5 GiB total, 1,578 GiB free.
    E: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\D134F24380DA0
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\D134F24380DA0
    Service: NIC1394
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\TOS620A\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\TOS620A\2&DABA3FF&0
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\TOS6205\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\TOS6205\2&DABA3FF&0
    Service:
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 getantivirusplusnow.com
    Hosts: 74.125.45.100 secure-plus-payments.com
    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 www.getavplusnow.com
    Hosts: 74.125.45.100 safebrowsing-cache.google.com
    Hosts: 74.125.45.100 urs.microsoft.com
    Hosts: 74.125.45.100 www.securesoftwarebill.com
    Hosts: 74.125.45.100 secure.paysecuresystem.com
    Hosts: 74.125.45.100 paysoftbillsolution.com
    Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    Hosts: 74.55.176.156 www.google.com
    Hosts: 74.55.176.156 google.com
    Hosts: 74.55.176.156 google.com.au
    Hosts: 74.55.176.156 www.google.com.au
    Hosts: 74.55.176.156 google.be
    Hosts: 74.55.176.156 www.google.be
    Hosts: 74.55.176.156 google.com.br
    Hosts: 74.55.176.156 www.google.com.br
    Hosts: 74.55.176.156 google.ca
    Hosts: 74.55.176.156 www.google.ca
    Hosts: 74.55.176.156 google.ch
    Hosts: 74.55.176.156 www.google.ch
    Hosts: 74.55.176.156 google.de
    Hosts: 74.55.176.156 www.google.de
    Hosts: 74.55.176.156 google.dk
    Hosts: 74.55.176.156 www.google.dk
    Hosts: 74.55.176.156 google.fr
    Hosts: 74.55.176.156 www.google.fr
    Hosts: 74.55.176.156 google.ie
    Hosts: 74.55.176.156 www.google.ie
    Hosts: 74.55.176.156 google.it
    Hosts: 74.55.176.156 www.google.it
    Hosts: 74.55.176.156 google.co.jp
    Hosts: 74.55.176.156 www.google.co.jp
    Hosts: 74.55.176.156 google.nl
    Hosts: 74.55.176.156 www.google.nl
    Hosts: 74.55.176.156 google.no
    Hosts: 74.55.176.156 www.google.no
    Hosts: 74.55.176.156 google.co.nz
    Hosts: 74.55.176.156 www.google.co.nz
    Hosts: 74.55.176.156 google.pl
    Hosts: 74.55.176.156 www.google.pl
    Hosts: 74.55.176.156 google.se
    Hosts: 74.55.176.156 www.google.se
    Hosts: 74.55.176.156 google.co.uk
    Hosts: 74.55.176.156 www.google.co.uk
    Hosts: 74.55.176.156 google.co.za
    Hosts: 74.55.176.156 www.google.co.za
    Hosts: 74.55.176.156 www.google-analytics.com
    Hosts: 74.55.176.156 www.bing.com
    Hosts: 74.55.176.156 search.yahoo.com
    Hosts: 74.55.176.156 www.search.yahoo.com
    Hosts: 74.55.176.156 uk.search.yahoo.com
    Hosts: 74.55.176.156 ca.search.yahoo.com
    Hosts: 74.55.176.156 de.search.yahoo.com
    Hosts: 74.55.176.156 fr.search.yahoo.com
    Hosts: 74.55.176.156 au.search.yahoo.com
    .
    ==== Installed Programs ======================
    .
    Actualização Crítica para o Windows Media Player 11 (KB959772)
    Actualização de Segurança para o Windows Media Player (KB954155)
    Actualização de Segurança para o Windows Media Player (KB968816)
    Actualização de Segurança para o Windows Media Player (KB973540)
    Actualização de Segurança para o Windows Media Player (KB978695)
    Actualização de Segurança para o Windows Media Player 11 (KB954154)
    Actualização de segurança para Windows Internet Explorer 7 (KB938127-v2)
    Actualização de segurança para Windows Internet Explorer 7 (KB961260)
    Actualização de segurança para Windows Internet Explorer 7 (KB963027)
    Actualização de segurança para Windows Internet Explorer 8 (KB2183461)
    Actualização de segurança para Windows Internet Explorer 8 (KB969897)
    Actualização de segurança para Windows Internet Explorer 8 (KB971961)
    Actualização de segurança para Windows Internet Explorer 8 (KB972260)
    Actualização de segurança para Windows Internet Explorer 8 (KB974455)
    Actualização de segurança para Windows Internet Explorer 8 (KB976325)
    Actualização de segurança para Windows Internet Explorer 8 (KB978207)
    Actualização de segurança para Windows Internet Explorer 8 (KB981332)
    Actualização de segurança para Windows Internet Explorer 8 (KB982381)
    Actualização de segurança para Windows XP (KB2079403)
    Actualização de segurança para Windows XP (KB2115168)
    Actualização de segurança para Windows XP (KB2160329)
    Actualização de segurança para Windows XP (KB2229593)
    Actualização de segurança para Windows XP (KB2286198)
    Actualização de segurança para Windows XP (KB923561)
    Actualização de segurança para Windows XP (KB923789)
    Actualização de Segurança para Windows XP (KB941569)
    Actualização de segurança para Windows XP (KB950760)
    Actualização de segurança para Windows XP (KB952004)
    Actualização de segurança para Windows XP (KB956572)
    Actualização de segurança para Windows XP (KB956744)
    Actualização de segurança para Windows XP (KB956844)
    Actualização de segurança para Windows XP (KB958690)
    Actualização de segurança para Windows XP (KB958869)
    Actualização de segurança para Windows XP (KB959426)
    Actualização de segurança para Windows XP (KB960225)
    Actualização de segurança para Windows XP (KB960715)
    Actualização de segurança para Windows XP (KB960803)
    Actualização de segurança para Windows XP (KB960859)
    Actualização de segurança para Windows XP (KB961371)
    Actualização de segurança para Windows XP (KB961373)
    Actualização de segurança para Windows XP (KB961501)
    Actualização de segurança para Windows XP (KB968537)
    Actualização de segurança para Windows XP (KB969059)
    Actualização de segurança para Windows XP (KB969898)
    Actualização de segurança para Windows XP (KB969947)
    Actualização de segurança para Windows XP (KB970238)
    Actualização de segurança para Windows XP (KB970430)
    Actualização de segurança para Windows XP (KB971468)
    Actualização de segurança para Windows XP (KB971486)
    Actualização de segurança para Windows XP (KB971557)
    Actualização de segurança para Windows XP (KB971633)
    Actualização de segurança para Windows XP (KB971657)
    Actualização de segurança para Windows XP (KB972270)
    Actualização de segurança para Windows XP (KB973346)
    Actualização de segurança para Windows XP (KB973354)
    Actualização de segurança para Windows XP (KB973507)
    Actualização de segurança para Windows XP (KB973525)
    Actualização de segurança para Windows XP (KB973869)
    Actualização de segurança para Windows XP (KB973904)
    Actualização de segurança para Windows XP (KB974112)
    Actualização de segurança para Windows XP (KB974318)
    Actualização de segurança para Windows XP (KB974392)
    Actualização de segurança para Windows XP (KB974571)
    Actualização de segurança para Windows XP (KB975025)
    Actualização de segurança para Windows XP (KB975467)
    Actualização de segurança para Windows XP (KB975560)
    Actualização de segurança para Windows XP (KB975561)
    Actualização de segurança para Windows XP (KB975562)
    Actualização de segurança para Windows XP (KB975713)
    Actualização de segurança para Windows XP (KB977165)
    Actualização de segurança para Windows XP (KB977816)
    Actualização de segurança para Windows XP (KB977914)
    Actualização de segurança para Windows XP (KB978037)
    Actualização de segurança para Windows XP (KB978251)
    Actualização de segurança para Windows XP (KB978262)
    Actualização de segurança para Windows XP (KB978338)
    Actualização de segurança para Windows XP (KB978542)
    Actualização de segurança para Windows XP (KB978601)
    Actualização de segurança para Windows XP (KB978706)
    Actualização de segurança para Windows XP (KB979309)
    Actualização de segurança para Windows XP (KB979482)
    Actualização de segurança para Windows XP (KB979559)
    Actualização de segurança para Windows XP (KB979683)
    Actualização de segurança para Windows XP (KB980195)
    Actualização de segurança para Windows XP (KB980218)
    Actualização de segurança para Windows XP (KB980232)
    Actualização de segurança para Windows XP (KB980436)
    Actualização de segurança para Windows XP (KB981852)
    Actualização de segurança para Windows XP (KB981997)
    Actualização de segurança para Windows XP (KB982214)
    Actualização de segurança para Windows XP (KB982665)
    Actualização para o Windows XP (KB943729)
    Actualização para Windows Internet Explorer 8 (KB969497)
    Actualização para Windows Internet Explorer 8 (KB976662)
    Actualização para Windows Internet Explorer 8 (KB976749)
    Actualização para Windows Internet Explorer 8 (KB980182)
    Actualização para Windows XP (KB898461)
    Actualização para Windows XP (KB955759)
    Actualização para Windows XP (KB961503)
    Actualização para Windows XP (KB968389)
    Actualização para Windows XP (KB971737)
    Actualização para Windows XP (KB973687)
    Actualização para Windows XP (KB973815)
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1.1 - Português
    Adobe Shockwave Player 11.5
    Alky for Applications (Windows XP)
    Any Video Converter 3.0.3
    Apple Mobile Device Support
    Apple Software Update
    Assist TOSHIBA
    Assistente de Conexão do Windows Live
    ATI - Utilitário de desinstalação de software
    ATI Catalyst Control Center
    ATI Display Driver
    avast! Free Antivirus
    Barra Lateral do Windows
    Bonjour
    Bullzip PDF Printer 6.0.0.865
    CD/DVD Drive Acoustic Silencer
    Compatibility Pack for Office system de 2007
    Compressor WinRAR
    Controlador de DVD-RAM
    Controlos TOSHIBA
    CyberLink PowerDVD 9
    ESET Online Scanner v3
    eSnips
    Extensão Móvel TOSHIBA 3 para Windows XP V3.79.00.XP.C
    Ferramenta de Carregamento do Windows Live
    Formatar Placa de Memória SD TOSHIBA
    Free Mp3 Wma Converter V 1.81
    Gadget Documentos Recentes do Microsoft Office 2007
    GPL Ghostscript Lite 8.64
    Hitman Pro 3.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix para Windows XP (KB970653-v3)
    Hotfix para Windows XP (KB976098-v2)
    Hotfix para Windows XP (KB979306)
    Hotfix para Windows XP (KB981793)
    Intel PROSet Wireless
    Intel(R) PRO Network Connections Drivers
    iTunes
    Java(TM) 6 Update 13
    Junk Mail filter update
    K-Lite Mega Codec Pack 4.8.0
    Módulo seguro SD
    Malwarebytes' Anti-Malware
    Math-A-Maze
    Media Player Product Tool 5.25
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Portuguese Language Pack
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PTG
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PTG
    Microsoft .NET Framework 3.5 Language Pack SP1 - ptg
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (Portuguese (Portugal)) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
    Microsoft Office Groove MUI (Portuguese (Portugal)) 2007
    Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007
    Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Portuguese (Portugal)) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (Portuguese (Portugal)) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007
    Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
    Microsoft Office Word MUI (Portuguese (Portugal)) 2007
    Microsoft Picture It! Express 7.0
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (Portuguese (Portugal)) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft WinUsb 1.0
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    neroxml
    Pacote do Fornecedor de Serviço Criptográfico para Cartão Inteligente Base da Microsoft
    Paint Shop Pro 6.02 ESD
    PC Diagnostic Tool da TOSHIBA
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    Search Settings 1.2.2
    Security Update for 2007 Microsoft Office System (KB2277947)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB980376)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2251419)
    Segoe UI
    SMSC IrCC V5.1.3600.7
    Software Intel(R) PROSet/Wireless WiFi
    Spelling Dictionaries Support For Adobe Reader 9
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    TOSHIBA ConfigFree
    TOSHIBA Hotkey Utility
    TOSHIBA Management Console Version 3.5 (3.5.4)
    TOSHIBA Power Saver
    TOSHIBA Software Modem
    TOSHIBA TouchPad ON/Off Utility
    TOSHIBA Utilities
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2279264)
    Utilitário de Zooming da TOSHIBA
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Galeria de Fotos
    Windows Live Mail
    Windows Live Messenger
    Windows Live Proteção para a Família
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Writer
    XML Paper Specification Shared Components Language Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    07-04-2011 20:08:51, Informações: Windows File Protection [64002] - Foi tentada a substituição de ficheiro no ficheiro de sistema protegido c:\windows\system32\userinit.exe. Este ficheiro foi restaurado para a versão original para manter a estabilidade do sistema. A versão do ficheiro danificado é 5.1.2600.5512!.
    07-04-2011 18:38:51, Informações: Windows File Protection [64004] - O ficheiro de sistema protegido explorer.exe não pôde ser restaurado para a versão válida, original. A versão do ficheiro incorrecto é 6.0.2900.2180 O código de erro específico é 0x800b0100 [Nenhuma assinatura estava presente no sujeito. ].
    07-04-2011 18:32:51, Informações: Windows File Protection [64001] - Foi tentada a substituição de ficheiro no ficheiro de sistema protegido c:\windows\system32\userinit.exe. Este ficheiro foi restaurado para a versão original para manter a estabilidade do sistema. A versão do ficheiro danificado é 5.1.2600.2180, a versão do ficheiro de sistema é 5.1.2600.5512.
    07-04-2011 18:31:00, Informações: Windows File Protection [64001] - Foi tentada a substituição de ficheiro no ficheiro de sistema protegido c:\windows\system32\userinit.exe. Este ficheiro foi restaurado para a versão original para manter a estabilidade do sistema. A versão do ficheiro danificado é 5.1.2600.2180, a versão do ficheiro de sistema é 5.1.2600.5512.
    .
    ==== End Of File ===========================
     
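The four Windows File Protection entries at the end of the DDS log above are the most telling lines in it: something keeps writing an older build of userinit.exe into system32 (5.1.2600.2180 over the SP3 file 5.1.2600.5512, which WFP silently puts back), and the explorer.exe on disk could not be restored at all because it carried no valid signature (error 0x800b0100). The script below is an added example, not part of this thread and not DDS or any tool named in it; it parses those four lines (copied here verbatim as constructed sample input) without depending on the Portuguese message text, and ranks them so the "could not restore" event (ID 64004) comes out on top.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the four Windows File Protection entries from the
# "Event Viewer Messages" section of the DDS log above, copied verbatim.
SAMPLE_EVENTS = r"""
07-04-2011 20:08:51, Informações: Windows File Protection [64002] - Foi tentada a substituição de ficheiro no ficheiro de sistema protegido c:\windows\system32\userinit.exe. Este ficheiro foi restaurado para a versão original para manter a estabilidade do sistema. A versão do ficheiro danificado é 5.1.2600.5512!.
07-04-2011 18:38:51, Informações: Windows File Protection [64004] - O ficheiro de sistema protegido explorer.exe não pôde ser restaurado para a versão válida, original. A versão do ficheiro incorrecto é 6.0.2900.2180 O código de erro específico é 0x800b0100 [Nenhuma assinatura estava presente no sujeito. ].
07-04-2011 18:32:51, Informações: Windows File Protection [64001] - Foi tentada a substituição de ficheiro no ficheiro de sistema protegido c:\windows\system32\userinit.exe. Este ficheiro foi restaurado para a versão original para manter a estabilidade do sistema. A versão do ficheiro danificado é 5.1.2600.2180, a versão do ficheiro de sistema é 5.1.2600.5512.
07-04-2011 18:31:00, Informações: Windows File Protection [64001] - Foi tentada a substituição de ficheiro no ficheiro de sistema protegido c:\windows\system32\userinit.exe. Este ficheiro foi restaurado para a versão original para manter a estabilidade do sistema. A versão do ficheiro danificado é 5.1.2600.2180, a versão do ficheiro de sistema é 5.1.2600.5512.
"""

# DDS prints the timestamp, the source name and the numeric event ID the same
# way on every locale, so the parser keys on those and treats the localized
# message as opaque, pulling out only paths, version strings and HRESULTs.
LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}),.*?Windows File Protection \[(\d+)\]")
FILE_RE = re.compile(r"(?:[A-Za-z]:\\\S*?\.exe|\b[\w-]+\.exe)", re.IGNORECASE)
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")
ERROR_RE = re.compile(r"\b(0x[0-9A-Fa-f]{8})\b")


@dataclass
class WfpEvent:
    timestamp: str
    event_id: int
    file: str                    # path or bare file name exactly as logged
    versions: Tuple[str, ...]    # version strings in the order they appear
    error_code: Optional[str]

    @property
    def basename(self) -> str:
        return self.file.rsplit("\\", 1)[-1].lower()

    @property
    def restored(self) -> bool:
        # In this log only 64004 reports that WFP could not put the original back.
        return self.event_id != 64004


def parse_wfp_events(text: str) -> List[WfpEvent]:
    """Parse DDS-style Event Viewer lines; non-WFP lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        fm, em = FILE_RE.search(line), ERROR_RE.search(line)
        events.append(WfpEvent(
            timestamp=m.group(1), event_id=int(m.group(2)),
            file=fm.group(0) if fm else "",
            versions=tuple(VERSION_RE.findall(line)),
            error_code=em.group(1).lower() if em else None,
        ))
    return events


def _vt(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def is_downgrade(ev: WfpEvent) -> bool:
    """True when both the replacement and the system version are logged and the
    replacement is an older build (5.1.2600.2180 written over 5.1.2600.5512 above)."""
    return len(ev.versions) >= 2 and _vt(ev.versions[0]) < _vt(ev.versions[1])


SEVERITY = {"critical": 0, "high": 1, "medium": 2}


def triage(events: List[WfpEvent]) -> List[Tuple[str, str, str]]:
    """Rank events as (severity, basename, reason), worst first."""
    ranked = []
    for ev in events:
        if not ev.restored:
            ranked.append(("critical", ev.basename,
                           f"WFP could not restore the protected file (error {ev.error_code})"))
        elif is_downgrade(ev):
            ranked.append(("high", ev.basename,
                           f"overwritten with older build {ev.versions[0]}; WFP restored {ev.versions[1]}"))
        else:
            ranked.append(("medium", ev.basename,
                           "replacement attempted on protected file; WFP restored it"))
    return sorted(ranked, key=lambda r: SEVERITY[r[0]])


if __name__ == "__main__":
    for sev, name, why in triage(parse_wfp_events(SAMPLE_EVENTS)):
        print(f"{sev:8} {name:14} {why}")
```

The ranking is the point: a 64001/64002 pair shows a file being tampered with and silently repaired, which is a reason to keep looking, while 64004 means the copy currently on disk is the unsigned one, which is why explorer.exe fails to start with a missing-DLL error in the first post.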
  7. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    2 things:

    - Sorry if some lines are in Portuguese but this is Portuguese Windows

    - I see AVG on the logs but it was never available to use. The virus probably disabled it.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You're running two AV programs, Avast and AVG.
    One of them has to go.
    I suggest AVG goes.
    If so, use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools

    ======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    So MBRCheck ran correctly, but I'm having issues with AVG vs ComboFix.

    ComboFix states that "ComboFix cannot run when AVG is installed", even after running AVG Remover.

    I tried to run it in Safe Mode and after Rkill, but to no avail. Same message.

    rKill Log:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 08-04-2011 at 4:39:14.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 08-04-2011 at 4:39:19.

    ------------------------------------------------------------------

    MBRCheck log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 141):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x80700000 \WINDOWS\system32\hal.dll
    0xF7996000 \WINDOWS\system32\KDCOM.DLL
    0xF78A6000 \WINDOWS\system32\BOOTVID.dll
    0xF7446000 ACPI.sys
    0xF7998000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7435000 pci.sys
    0xF7496000 isapnp.sys
    0xF74A6000 ohci1394.sys
    0xF74B6000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF78AA000 compbatt.sys
    0xF78AE000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7A5E000 pciide.sys
    0xF7716000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7417000 pcmcia.sys
    0xF74C6000 MountMgr.sys
    0xF73F8000 ftdisk.sys
    0xF799A000 dmload.sys
    0xF73D2000 dmio.sys
    0xF78B2000 ACPIEC.sys
    0xF7A5F000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF771E000 PartMgr.sys
    0xF74D6000 VolSnap.sys
    0xF73BA000 atapi.sys
    0xF74E6000 disk.sys
    0xF74F6000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF739A000 fltMgr.sys
    0xF7388000 sr.sys
    0xF7371000 KSecDD.sys
    0xF72E4000 Ntfs.sys
    0xF72B7000 NDIS.sys
    0xF799C000 TVALG.SYS
    0xF729D000 Mup.sys
    0xF7556000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF797E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF6C00000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF6BEC000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6BC4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF6B98000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xF6796000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
    0xF77D6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6772000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF77DE000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF674A000 \SystemRoot\system32\drivers\tifm21.sys
    0xF6736000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0xF6725000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7982000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7566000 \SystemRoot\system32\DRIVERS\smcirda.sys
    0xF7986000 \SystemRoot\system32\DRIVERS\irenum.sys
    0xF6711000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF7576000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF77E6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF66E2000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF79B8000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF77EE000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7586000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7596000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF75A6000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF66BF000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF75B6000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF7ADF000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF77F6000 \SystemRoot\system32\DRIVERS\rasirda.sys
    0xF77FE000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF75C6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7279000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF66A8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF75D6000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF75E6000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF6697000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF75F6000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7806000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF780E000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF6667000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF7606000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF79BA000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6609000 \SystemRoot\system32\DRIVERS\update.sys
    0xF725D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF79BC000 \SystemRoot\system32\DRIVERS\NBSMI.sys
    0xF7616000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xAA2FF000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAA2DB000 \SystemRoot\system32\drivers\portcls.sys
    0xF7646000 \SystemRoot\system32\drivers\drmk.sys
    0xAA1C8000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF7816000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7666000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF79C6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7BCA000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79C8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF783E000 \SystemRoot\System32\drivers\vga.sys
    0xF79CA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79CC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xAA0A2000 \SystemRoot\System32\Drivers\meiudf.sys
    0xAA091000 \SystemRoot\System32\Drivers\Udfs.SYS
    0xF7846000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF784E000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7976000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA07E000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA025000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA9FFF000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF76A6000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xA9FD7000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF76B6000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF7856000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xA9EED000 \SystemRoot\System32\drivers\afd.sys
    0xF76C6000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF79CE000 \SystemRoot\System32\Drivers\TMEI3E.SYS
    0xA9EC2000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9E52000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF76D6000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA9E0A000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xA9DAC000 \SystemRoot\System32\Drivers\aswSnx.SYS
    0xF7876000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF657E000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA9D6C000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79A0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA9F0F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF775E000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7BCF000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF055000 \SystemRoot\System32\ati2cqag.dll
    0xBF09C000 \SystemRoot\System32\atikvmag.dll
    0xBF0E2000 \SystemRoot\System32\ati3duag.dll
    0xBF32D000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA7B50000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA7B04000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
    0xA7926000 \SystemRoot\system32\DRIVERS\irda.sys
    0xA7A58000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA7A50000 \SystemRoot\system32\DRIVERS\netdevio.sys
    0xA7A44000 \SystemRoot\system32\DRIVERS\s24trans.sys
    0xA76DF000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA7482000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7A12000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xA724B000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA716E000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA7527000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA6B15000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA69FA000
    0x7C910000 \WINDOWS\system32\ntdll.dll

    Processes (total 40):
    0 System Idle Process
    4 System
    860 C:\WINDOWS\system32\smss.exe
    916 csrss.exe
    944 C:\WINDOWS\system32\winlogon.exe
    996 C:\WINDOWS\system32\services.exe
    1008 C:\WINDOWS\system32\lsass.exe
    1168 C:\WINDOWS\system32\ati2evxx.exe
    1188 C:\WINDOWS\system32\svchost.exe
    1256 svchost.exe
    1308 C:\WINDOWS\system32\svchost.exe
    1452 C:\Programas\Intel\WiFi\bin\S24EvMon.exe
    1532 svchost.exe
    1620 C:\WINDOWS\system32\ati2evxx.exe
    1636 svchost.exe
    2012 C:\Programas\AVAST Software\Avast\AvastSvc.exe
    300 C:\WINDOWS\explorer.exe
    708 C:\WINDOWS\system32\spoolsv.exe
    1012 svchost.exe
    1356 C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1376 C:\Programas\Bonjour\mDNSResponder.exe
    1404 svchost.exe
    1416 C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
    1388 C:\WINDOWS\system32\DVDRAMSV.exe
    1648 C:\Programas\Intel\WiFi\bin\EvtEng.exe
    1684 C:\Programas\Java\jre6\bin\jqs.exe
    1880 C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
    1712 C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
    2068 C:\Programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    2228 C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    2304 C:\Programas\TOSHIBA\TME3\TMESRV31.EXE
    2432 C:\WINDOWS\system32\wuauclt.exe
    2676 wmiprvse.exe
    2828 alg.exe
    2888 C:\WINDOWS\system32\wbem\wmiapsrv.exe
    3636 C:\Programas\Hitman Pro 3.5\HitmanPro35.exe
    3644 C:\Programas\AVAST Software\Avast\AvastUI.exe
    3652 C:\WINDOWS\system32\ctfmon.exe
    3664 C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE
    2272 C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000011`5563b400 (NTFS)

    PhysicalDrive0 Model Number: HTS541080G9SA00, Rev: MB4OC60D

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: A3CF0C5E0DDB481C20C91FE98105799CE54C7986


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!

    Any other ideas?
     
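The MBRCheck output above reduces to three facts: the boot sector is structurally valid (it mapped C: and D: to their partition offsets), the SHA1 of its boot code is not in the tool's list of standard loaders ("Unknown MBR code"), and both partitions are NTFS. The script below is an added example, not MBRCheck's code and not from this thread; it builds a 512-byte MBR in memory (constructed, not an image of this laptop's disk), hashes the 440-byte boot code, parses the partition table, and prints offsets in MBRCheck's own `0xHHHHHHHH`LLLLLLLL` notation. The two partition start sectors are chosen so the offsets reproduce the 0x7e00 and 0x11`5563b400 values in the log; the sector counts and both boot-code blobs are constructed, and the "known good" table holds only the hash of the constructed reference loader because MBRCheck's real list is not on this page. Reading a live sector from `\\.\PhysicalDrive0` needs raw disk access and is deliberately left out.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0-439 hold the boot loader; 440-443 the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries, then 0x55AA at byte 510
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x05: "Extended", 0x0F: "Extended LBA", 0x83: "Linux"}

# Constructed boot-code blobs: a stand-in for a standard loader and a modified one.
REFERENCE_BOOT_CODE = b"CONSTRUCTED-REFERENCE-LOADER".ljust(BOOT_CODE_LEN, b"\x90")
MODIFIED_BOOT_CODE = b"CONSTRUCTED-MODIFIED-LOADER".ljust(BOOT_CODE_LEN, b"\x90")
# MBRCheck's real whitelist is not on this page; this table only knows the reference above.
KNOWN_GOOD = {hashlib.sha1(REFERENCE_BOOT_CODE).hexdigest().upper(): "constructed reference loader"}

# (bootable, type, first LBA, sector count). The start LBAs reproduce the byte
# offsets MBRCheck printed for C: (0x7e00) and D: (0x11`5563b400); counts are constructed.
SAMPLE_PARTITIONS = [
    (True, 0x07, 63, 0x8AAB1DA - 63),
    (False, 0x07, 0x8AAB1DA, 10_883_072),
]


def build_mbr(boot_code: bytes, partitions: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition entries."""
    mbr = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        # CHS fields are left zero; the tools in this thread work from the LBA fields.
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> Dict:
    """Validate the sector and return boot-code hash, disk signature and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR,
        })
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": partitions,
    }


def format_offset(byte_offset: int) -> str:
    """Render a byte offset the way MBRCheck prints it: 0xHHHHHHHH`LLLLLLLL."""
    return f"0x{byte_offset >> 32:08x}`{byte_offset & 0xFFFFFFFF:08x}"


def analyze(mbr: bytes, known_good: Dict[str, str] = KNOWN_GOOD) -> Dict:
    """Parse the sector and apply MBRCheck's decision: hash not in the list means unknown code."""
    info = parse_mbr(mbr)
    info["verdict"] = known_good.get(info["boot_code_sha1"], "Unknown MBR code")
    return info


if __name__ == "__main__":
    for label, code in (("reference", REFERENCE_BOOT_CODE), ("modified", MODIFIED_BOOT_CODE)):
        info = analyze(build_mbr(code, SAMPLE_PARTITIONS))
        print(f"{label}: SHA1 {info['boot_code_sha1']} -> {info['verdict']}")
        for p in info["partitions"]:
            print(f"  partition {p['index']} at offset {format_offset(p['byte_offset'])} ({p['type_name']})")
```

An intact partition table next to unknown boot code is exactly the profile in the log: a bootkit that replaces the loader has no reason to touch the partition entries, so the drive still mounts and Windows still boots, which is why a file-level scanner can clean 900 items and the infection still comes back.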
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    explorer.exe
    userinit.exe
    winlogon.exe
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
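The long custom-scan list in the post above is a set of heuristics rather than a random pile of paths: executables in `%systemroot%\Fonts`, directories that do not exist on a stock XP install (`system32\system32`, `systhem32`, `winn32`), executable names containing a space (the `dir /b ... | find /i " " /c` lines count those), loose files in the Program Files root, and finally `/md5start ... /md5stop`, which hashes every copy of explorer.exe, userinit.exe and winlogon.exe it can find. The script below is an added example, not OTL's code and not from this thread; it applies a subset of those rules to a constructed directory tree laid out like this laptop (`WINDOWS`, `Programas`) and hashes the three protected files the way the md5 block asks for. Directory names, file names and file contents are all constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

EXEC_EXT = {".exe", ".com", ".dll", ".scr"}

# Directories from the custom-scan list above that a stock Windows XP install
# does not have; OTL lists their contents because they are created as look-alikes
# of real system directories.
LOOKALIKE_DIRS = [
    Path("system32") / "system32", Path("system32") / "systhem32", Path("winn32"),
    Path("system32") / "DLL", Path("system32") / "Rundll32", Path("system32") / "test",
    Path("system32") / "winlog", Path("system32") / "HelpFiles",
]
# The /md5start ... /md5stop block above asks OTL for hashes of exactly these.
PROTECTED = ["explorer.exe", "userinit.exe", "winlogon.exe"]


def _files_in(d: Path, exts=None) -> List[Path]:
    if not d.is_dir():
        return []
    return sorted(p for p in d.iterdir() if p.is_file() and (exts is None or p.suffix.lower() in exts))


def triage_tree(systemroot: Path, programfiles: Path) -> List[Tuple[str, str]]:
    """Apply a subset of the custom-scan rules; returns (rule, path relative to the drive root)."""
    root = systemroot.parent

    def rel(p: Path) -> str:
        return p.relative_to(root).as_posix()

    findings = []
    for p in _files_in(systemroot / "Fonts", EXEC_EXT):            # %systemroot%\Fonts\*.exe etc.
        findings.append(("executable in Fonts", rel(p)))
    for d in LOOKALIKE_DIRS:
        if (systemroot / d).exists():
            findings.append(("look-alike system directory", rel(systemroot / d)))
    for d in (systemroot, systemroot / "system32"):                # dir /b ... | find /i " " /c
        for p in _files_in(d, {".exe"}):
            if " " in p.name:
                findings.append(("exe name contains a space", rel(p)))
    for p in _files_in(systemroot / "system", {".exe"}):           # %systemroot%\system\*.exe
        findings.append(("exe in legacy system dir", rel(p)))
    for d in (programfiles, programfiles / "Common Files"):        # %PROGRAMFILES%\*.*
        for p in _files_in(d):
            findings.append(("loose file in Program Files root", rel(p)))
    return findings


def hash_protected(systemroot: Path) -> Dict[str, str]:
    """MD5 of every copy of the /md5start files under %systemroot%; a second copy is itself a finding."""
    out = {}
    for name in PROTECTED:
        for p in sorted(systemroot.rglob(name)):
            out[p.relative_to(systemroot.parent).as_posix()] = hashlib.md5(p.read_bytes()).hexdigest()
    return out


def build_demo_tree(root: Path) -> Tuple[Path, Path]:
    r"""Constructed tree mimicking this laptop (C:\WINDOWS, C:\Programas); contents are placeholders."""
    clean, rogue = b"CONSTRUCTED CLEAN BINARY\n", b"CONSTRUCTED PATCHED BINARY\n"
    files = {
        "WINDOWS/explorer.exe": clean, "WINDOWS/system32/userinit.exe": clean,
        "WINDOWS/system32/winlogon.exe": clean, "WINDOWS/system32/kernel32.dll": clean,
        "WINDOWS/Fonts/arial.ttf": clean,
        "WINDOWS/Fonts/svchost.exe": rogue,                  # exe hidden among fonts
        "WINDOWS/system32/systhem32/explorer.exe": rogue,    # second explorer.exe in a look-alike dir
        "WINDOWS/system32/svc host.exe": rogue,              # space in the exe name
        "WINDOWS/system/help.exe": rogue,                    # exe in the legacy system dir
        "Programas/setup.exe": rogue,                        # loose file in the Program Files root
    }
    for relpath, content in files.items():
        p = root / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root / "WINDOWS", root / "Programas"


def run_demo() -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        sysroot, pf = build_demo_tree(Path(tmp))
        return triage_tree(sysroot, pf), hash_protected(sysroot)


if __name__ == "__main__":
    findings, hashes = run_demo()
    for rule, path in findings:
        print(f"[{rule}] {path}")
    for path, md5 in hashes.items():
        print(f"{md5}  {path}")
```

None of these rules proves infection on its own; what the helper is looking for in the OTL output is the combination: a second copy of a protected file in a directory that should not exist, next to a hash for the real one that does not match the build the OS reports.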
  11. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    All right, here are the logs:

    OTL LOG:

    OTL logfile created on: 08-04-2011 13:55:42 - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Utilizador\Ambiente de trabalho
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

    1.022,00 Mb Total Physical Memory | 426,00 Mb Available Physical Memory | 42,00% Memory free
    2,00 Gb Paging File | 2,00 Gb Available in Paging File | 81,00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
    Drive C: | 63,52 Gb Total Space | 47,73 Gb Free Space | 75,14% Space Free | Partition Type: NTFS
    Drive D: | 5,19 Gb Total Space | 1,58 Gb Free Space | 30,43% Space Free | Partition Type: NTFS
    Drive E: | 563,69 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

    Computer Name: UTILIZAD-D3390B | User Name: Utilizador | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
    PRC - [2011-02-23 19:34:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Programas\AVAST Software\Avast\AvastUI.exe
    PRC - [2011-02-23 19:34:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Programas\AVAST Software\Avast\AvastSvc.exe
    PRC - [2009-03-26 15:31:20 | 000,132,424 | ---- | M] (Apple Inc.) -- C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    PRC - [2009-02-27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Intel\WiFi\bin\EvtEng.exe
    PRC - [2009-02-27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Intel\WiFi\bin\S24EvMon.exe
    PRC - [2009-02-27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
    PRC - [2005-12-20 11:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    PRC - [2005-01-17 16:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
    PRC - [2004-08-28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
    PRC - [2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2003-06-20 03:55:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE


    ========== Modules (SafeList) ==========

    MOD - [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
    MOD - [2008-04-15 15:30:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (wlknvoym)
    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011-02-23 19:34:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programas\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2009-03-26 15:31:20 | 000,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2009-02-27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV - [2009-02-27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
    SRV - [2009-02-27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
    SRV - [2008-11-04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
    SRV - [2006-10-26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
    SRV - [2005-12-20 11:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
    SRV - [2005-04-05 09:37:04 | 000,118,784 | ---- | M] (TOSHIBA) [Auto | Stopped] -- C:\Programas\TOSHIBA\TME3\Tmesrv31.exe -- (Tmesrv)
    SRV - [2005-01-17 16:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
    SRV - [2004-08-28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
    SRV - [2003-06-20 03:55:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)


    ========== Driver Services (SafeList) ==========

    DRV - [2011-02-23 19:26:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011-02-23 19:26:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011-02-23 19:25:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011-02-23 19:25:47 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2011-02-23 19:25:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011-02-23 19:24:57 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2011-02-23 19:24:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010-09-11 17:14:42 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
    DRV - [2010-04-28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
    DRV - [2009-04-14 16:09:56 | 005,069,312 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2009-03-04 22:01:31 | 004,202,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
    DRV - [2008-08-13 17:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2008-08-05 20:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
    DRV - [2007-09-26 06:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Controlador do Adaptador da ligação WiFi sem fios Intel(R)
    DRV - [2006-08-29 21:09:12 | 001,723,904 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2006-01-04 15:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
    DRV - [2005-12-26 13:49:00 | 000,005,888 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\TVALG.SYS -- (TVALG)
    DRV - [2005-11-30 11:12:00 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
    DRV - [2005-11-15 11:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2005-10-20 14:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
    DRV - [2005-06-02 05:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
    DRV - [2004-12-09 14:54:12 | 000,046,592 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
    DRV - [2004-06-16 11:08:48 | 000,005,888 | ---- | M] (Toshiba Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TMEI3E.SYS -- (TMEI3E)
    DRV - [2003-01-29 14:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://pt.msn.com/?ocid=iehp
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = pt
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A DA F0 04 35 F5 CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009-05-24 20:00:45 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2010-09-11 16:06:33 | 000,002,828 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O1 - Hosts: 74.55.176.156 www.google.com
    O1 - Hosts: 74.55.176.156 google.com
    O1 - Hosts: 74.55.176.156 google.com.au
    O1 - Hosts: 74.55.176.156 www.google.com.au
    O1 - Hosts: 74.55.176.156 google.be
    O1 - Hosts: 74.55.176.156 www.google.be
    O1 - Hosts: 74.55.176.156 google.com.br
    O1 - Hosts: 74.55.176.156 www.google.com.br
    O1 - Hosts: 74.55.176.156 google.ca
    O1 - Hosts: 38 more lines...
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programas\AVAST Software\Avast\aswWebRepIE.dll ()
    O2 - BHO: (Auxiliar de Conexão do Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
    O2 - BHO: (CescrtHlpr Object) - {F9B72325-A029-4a39-943A-02433C978829} - C:\Programas\eSnips.com\eSnipsToolbar\1.3.0.3\escort.dll (esnips)
    O3 - HKLM\..\Toolbar: (esnips Toolbar) - {3132F1DF-2C69-49f5-ACA5-69965FC18E59} - C:\Programas\eSnips.com\eSnipsToolbar\1.3.0.3\escorTlbr.dll (esnips)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programas\AVAST Software\Avast\aswWebRepIE.dll ()
    O4 - HKLM..\Run: [avast] C:\Programas\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Programas\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Documents and Settings\Utilizador\Menu Iniciar\Programas\Arranque\Índice do OneNote.onetoc2 ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programas\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242890722484 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242890714281 (MUWebControl Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe ()
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
    O24 - Desktop Components:0 (A minha home page actual) - About:Home
    O24 - Desktop WallPaper: C:\Documents and Settings\Utilizador\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Utilizador\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009-05-21 13:27:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2004-08-04 15:30:00 | 000,000,112 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
    O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\AutoRun\command - "" = F:\ojcIHq.eXE
    O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\OPen\cOMMaNd - "" = F:\OJCihQ.eXE
    O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\AutoRun\command - "" = F:\NhnjVS.exe
    O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\opeN\commANd - "" = F:\nhnJvS.eXe
    O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2004-08-04 15:30:00 | 002,584,576 | R--- | M] (Microsoft Corporation)
    O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe
    O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\open\command - "" = G:\DRIVE\file.exe
    O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell - "" = AutoRun
    O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe
    O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: SSHNAS - File not found

    Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
    Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
    Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (54619756233228288)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011-04-08 13:55:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2011-04-08 13:54:33 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
    [2011-04-08 03:16:35 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011-04-08 03:02:49 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
    [2011-04-07 19:35:07 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\TFC.exe
    [2011-04-07 18:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Iniciar\Programas\avast! Free Antivirus
    [2011-04-07 18:43:20 | 000,301,528 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011-04-07 18:43:20 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011-04-07 18:43:18 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011-04-07 18:43:17 | 000,371,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2011-04-07 18:43:17 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011-04-07 18:43:16 | 000,102,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011-04-07 18:43:16 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011-04-07 18:43:16 | 000,030,680 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011-04-07 18:43:02 | 000,190,016 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2011-04-07 18:43:02 | 000,040,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011-04-07 18:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2011-04-07 18:25:00 | 000,000,000 | ---D | C] -- C:\Programas\Hitman Pro 3.5
    [2011-04-07 18:24:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2011-04-07 18:24:07 | 006,449,984 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\HitmanPro35.exe
    [2011-04-07 17:27:39 | 000,000,000 | ---D | C] -- C:\Programas\ESET
    [2011-04-07 16:55:54 | 000,000,000 | ---D | C] -- C:\Programas\AVAST Software
    [2011-04-07 14:11:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011-04-07 14:11:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Iniciar\Programas\Malwarebytes' Anti-Malware
    [2011-04-07 14:11:32 | 000,000,000 | ---D | C] -- C:\Programas\Malwarebytes' Anti-Malware
    [2011-04-07 14:08:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011-04-07 13:50:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilizador\Application Data\Malwarebytes
    [2011-04-07 13:07:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011-04-07 12:22:57 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2011-04-07 12:13:30 | 000,000,000 | ---D | C] -- C:\Programas\Alwil Software
    [2011-04-07 12:13:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2011-04-06 22:34:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2009-05-21 12:23:08 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll

    ========== Files - Modified Within 30 Days ==========

    [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
    [2011-04-08 13:52:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
    [2011-04-08 13:47:01 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job
    [2011-04-08 13:45:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011-04-08 13:45:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011-04-08 03:03:32 | 004,315,416 | R--- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\ComboFix.exe
    [2011-04-08 03:03:03 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe
    [2011-04-08 03:02:51 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
    [2011-04-08 00:03:20 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011-04-07 22:13:22 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
    [2011-04-07 22:12:22 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\d76w6zpe.exe
    [2011-04-07 19:35:14 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\TFC.exe
    [2011-04-07 19:21:03 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2011-04-07 18:43:21 | 000,001,658 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\avast! Free Antivirus.lnk
    [2011-04-07 18:43:17 | 000,003,100 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2011-04-07 18:30:55 | 000,002,176 | ---- | M] () -- C:\WINDOWS\System32\.crusader
    [2011-04-07 18:24:07 | 006,449,984 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\HitmanPro35.exe
    [2011-04-07 14:36:13 | 000,500,618 | ---- | M] () -- C:\WINDOWS\System32\perfh016.dat
    [2011-04-07 14:36:13 | 000,444,236 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011-04-07 14:36:13 | 000,088,472 | ---- | M] () -- C:\WINDOWS\System32\perfc016.dat
    [2011-04-07 14:36:13 | 000,072,494 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011-04-07 14:11:36 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Malwarebytes' Anti-Malware.lnk

    ========== Files Created - No Company Name ==========

    [2011-04-08 03:03:32 | 004,315,416 | R--- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\ComboFix.exe
    [2011-04-08 03:03:01 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe
    [2011-04-07 22:13:14 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
    [2011-04-07 22:12:17 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\d76w6zpe.exe
    [2011-04-07 18:43:21 | 000,001,658 | ---- | C] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\avast! Free Antivirus.lnk
    [2011-04-07 18:30:55 | 000,002,176 | ---- | C] () -- C:\WINDOWS\System32\.crusader
    [2011-04-07 18:25:02 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011-04-07 14:11:36 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Malwarebytes' Anti-Malware.lnk
    [2010-07-24 18:20:03 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\ecfnhyma
    [2010-07-18 23:48:31 | 000,017,712 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\etec.drv
    [2010-07-18 23:46:42 | 000,000,466 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\atec.drv
    [2010-07-18 23:43:40 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\fhmi
    [2010-07-18 23:43:27 | 000,003,509 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\Cerulean.lic
    [2010-02-27 21:42:04 | 002,887,680 | ---- | C] () -- C:\WINDOWS\System32\VagalumePluginWMP.dll
    [2009-12-16 19:28:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2009-12-16 19:28:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2009-12-16 19:28:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2009-12-16 19:28:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2009-12-16 19:28:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2009-11-13 02:31:38 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2009-10-31 22:28:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Irremote.ini
    [2009-10-28 18:00:43 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
    [2009-05-24 15:46:58 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\default.pls
    [2009-05-22 23:38:59 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2009-05-21 20:18:51 | 000,170,496 | ---- | C] () -- C:\Documents and Settings\Utilizador\Definições locais\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009-05-21 16:02:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TOSMgmt.dll
    [2009-05-21 15:54:44 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
    [2009-05-21 15:53:05 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2009-05-21 15:53:03 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2009-05-21 15:53:03 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2009-05-21 15:53:03 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2009-05-21 15:53:01 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2009-05-21 14:11:43 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009-05-21 14:10:12 | 000,271,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2009-05-21 13:36:57 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2009-05-21 13:31:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2009-05-21 13:28:22 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009-05-21 13:23:15 | 000,021,924 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2009-05-21 13:01:25 | 000,000,413 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009-05-21 12:33:40 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
    [2009-05-21 12:33:40 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
    [2009-05-21 12:33:40 | 000,010,166 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
    [2009-05-21 12:33:40 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
    [2009-05-21 12:27:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
    [2009-05-21 12:23:08 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
    [2009-05-21 11:32:36 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Utilizador\Definições locais\Application Data\fusioncache.dat
    [2009-05-21 11:25:55 | 000,133,583 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2008-04-15 15:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2008-04-15 15:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008-04-15 15:30:00 | 000,500,618 | ---- | C] () -- C:\WINDOWS\System32\perfh016.dat
    [2008-04-15 15:30:00 | 000,444,236 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008-04-15 15:30:00 | 000,314,414 | ---- | C] () -- C:\WINDOWS\System32\perfi016.dat
    [2008-04-15 15:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008-04-15 15:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008-04-15 15:30:00 | 000,088,472 | ---- | C] () -- C:\WINDOWS\System32\perfc016.dat
    [2008-04-15 15:30:00 | 000,072,494 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008-04-15 15:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008-04-15 15:30:00 | 000,036,952 | ---- | C] () -- C:\WINDOWS\System32\perfd016.dat
    [2008-04-15 15:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008-04-15 15:30:00 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\userinit.exe
    [2008-04-15 15:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008-04-15 15:30:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2008-04-15 15:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008-04-15 15:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    ========== LOP Check ==========

    [2011-04-07 14:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2011-04-07 18:42:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2011-04-08 03:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
    [2011-04-07 17:34:10 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\faa01a9
    [2011-04-07 18:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010-09-02 21:54:25 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSTSZERUFS
    [2009-05-21 16:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
    [2009-05-21 15:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2010-02-27 21:39:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\AnvSoft
    [2010-02-27 18:23:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Any Video Converter
    [2009-05-21 18:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Bullzip
    [2011-04-07 17:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\CAAC8D2ED80A65103FBE3F97655A3DAF
    [2009-08-22 01:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\esnips.com
    [2011-02-25 01:53:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Oxudn
    [2009-10-28 18:06:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Search Settings
    [2009-05-21 12:33:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\toshiba
    [2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Uniblue
    [2011-04-08 13:47:01 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009-05-21 13:27:10 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2011-04-08 13:52:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
    [2008-04-15 15:30:00 | 000,004,952 | RHS- | M] () -- C:\bootfont.bin
    [2011-04-07 18:14:07 | 000,003,948 | ---- | M] () -- C:\BrmiT.txt
    [2009-05-21 13:27:10 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2009-05-21 13:27:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2009-05-21 13:27:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008-04-15 15:30:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008-04-15 15:30:00 | 000,251,120 | RHS- | M] () -- C:\ntldr
    [2011-04-08 13:45:00 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
    [2011-04-08 04:39:19 | 000,000,359 | ---- | M] () -- C:\rkill.log

    < %systemroot%\Fonts\*.com >
    [2006-04-18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006-06-29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006-04-18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006-06-29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009-05-21 13:26:36 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008-07-06 16:36:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007-04-09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2006-10-26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
    [2008-07-06 15:20:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011-02-23 19:34:21 | 000,040,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2010-04-17 00:21:08 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2009-05-21 14:09:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2009-05-21 14:09:24 | 001,097,728 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2009-05-21 14:09:24 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >
    [2008-06-23 16:36:24 | 000,773,120 | ---- | M] () -- C:\WINDOWS\system32\NEROINSTAEC43759.DB

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009-05-21 13:34:20 | 000,000,076 | -HS- | M] () -- C:\Documents and Settings\Utilizador\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2009-05-21 13:34:19 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Utilizador\Application Data\Microsoft\Internet Explorer\Quick Launch\Mostrar ambiente de trabalho.scf

    < %USERPROFILE%\Desktop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >
    [1 C:\Programas\Internet Explorer\*.tmp files -> C:\Programas\Internet Explorer\*.tmp -> ]

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011-04-08 13:53:49 | 000,163,840 | -HS- | M] () -- C:\Documents and Settings\Utilizador\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2009-02-27 20:27:02 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2009-02-27 19:51:37 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\custsat.dll
    [2008-04-15 15:30:00 | 000,004,821 | R--- | M] () -- C:\Programas\Messenger\logowin.gif
    [2007-04-03 03:07:24 | 000,007,047 | ---- | M] () -- C:\Programas\Messenger\lvback.gif
    [2008-05-02 17:14:34 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msgsc.dll
    [2008-04-14 02:30:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msgslang.dll
    [2008-04-15 01:09:56 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msmsgs.exe
    [2008-04-15 15:30:00 | 000,009,306 | ---- | M] () -- C:\Programas\Messenger\newalert.wav
    [2008-04-15 15:30:00 | 000,018,052 | ---- | M] () -- C:\Programas\Messenger\newemail.wav
    [2008-04-15 15:30:00 | 000,009,306 | ---- | M] () -- C:\Programas\Messenger\online.wav
    [2007-04-03 03:07:28 | 000,004,454 | ---- | M] () -- C:\Programas\Messenger\type.wav
    [2007-01-24 15:53:00 | 000,123,995 | ---- | M] () -- C:\Programas\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < MD5 for: EXPLORER.EXE >
    [2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=73BF5036A2ABA403DB078C65B1A29A99 -- C:\WINDOWS\ERDNT\cache\explorer.exe
    [2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=8CE8153D67135457E215C733BAFBF508 -- C:\WINDOWS\explorer.exe
    [2011-04-08 13:45:09 | 000,004,608 | ---- | M] () MD5=AF7DB267EF18C63ABDB6292FEC17993C -- C:\Documents and Settings\Utilizador\Definições locais\Temp\explorer.exe
    [2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=D2D6BF11A956FCE4DCBE77F3199F39C1 -- C:\WINDOWS\system32\dllcache\explorer.exe

    < MD5 for: USERINIT.EXE >
    [2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\ERDNT\cache\userinit.exe
    [2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\dllcache\userinit.exe
    [2008-04-15 15:30:00 | 000,026,624 | ---- | M] () MD5=8068F7FEF4242B07525DBDA8AB9D1051 -- C:\WINDOWS\system32\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=2EFCB948E7DA1B6D6FE351032FF76391 -- C:\WINDOWS\ERDNT\cache\winlogon.exe
    [2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=83B4911B8E667F9648753A8928131636 -- C:\WINDOWS\system32\winlogon.exe
    [2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=AB7F1E796C2D4D1B81349198050DE5C0 -- C:\WINDOWS\system32\dllcache\winlogon.exe

    < End of report >
     
  12. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    Extras:

    OTL Extras logfile created on: 08-04-2011 13:55:43 - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Utilizador\Ambiente de trabalho
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

    1.022,00 Mb Total Physical Memory | 426,00 Mb Available Physical Memory | 42,00% Memory free
    2,00 Gb Paging File | 2,00 Gb Available in Paging File | 81,00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
    Drive C: | 63,52 Gb Total Space | 47,73 Gb Free Space | 75,14% Space Free | Partition Type: NTFS
    Drive D: | 5,19 Gb Total Space | 1,58 Gb Free Space | 30,43% Space Free | Partition Type: NTFS
    Drive E: | 563,69 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

    Computer Name: UTILIZAD-D3390B | User Name: Utilizador | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Programas\Java\jre6\bin\java.exe" = C:\Programas\Java\jre6\bin\java.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
    "C:\Documents and Settings\All Users\Application Data\faa01a9\MSfaa0_302.exe" = C:\Documents and Settings\All Users\Application Data\faa01a9\MSfaa0_302.exe:*:Enabled:My Security Shield
    "C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Explorador do Windows -- (Microsoft Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
    "{0800E395-4DD7-3A93-BB96-08596C0D725F}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PTG
    "{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}" = Search Settings 1.2.2
    "{0D70FCFE-2102-4951-A56E-22DD07DFA5B6}" = Microsoft .NET Framework 1.1 Portuguese Language Pack
    "{0FFEA8EE-7BC7-4C9D-8CC6-5B8C891BA3F2}" = Windows Live Essentials
    "{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = Assist TOSHIBA
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Ferramenta de Carregamento do Windows Live
    "{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
    "{2DF215E0-BD3C-4C98-8616-AFEF09747285}" = Windows Live Sync
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{350C9816-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{369B36BE-3D64-4641-9AEA-808D436FE130}" = Microsoft Picture It! Express 7.0
    "{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = TIPCI
    "{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}" = Formatar Placa de Memória SD TOSHIBA
    "{4A460FEA-AF9C-416F-BA6E-EE239609BD1D}" = ATI Catalyst Control Center
    "{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
    "{51A9E3DD-37B8-47BB-8E67-5B76B3EFBC48}" = Assistente de Conexão do Windows Live
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
    "{590035D9-BFA0-406A-A7F0-479C72C0DDB2}" = Windows Live Call
    "{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
    "{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = Utilitário de Zooming da TOSHIBA
    "{64DD71BC-3109-4C88-9AD3-D5422644B722}" = TOSHIBA Hotkey Utility
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{69BE47C2-36FE-4397-8199-85D8EAE69982}" = TOSHIBA TouchPad ON/Off Utility
    "{74AD1846-2010-4FB1-8E24-B6F2B87150C2}" = Windows Live Mail
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}" = TOSHIBA Utilities
    "{7B1DBCBE-DF17-3B58-844C-F572F70EF5C4}" = Microsoft .NET Framework 3.5 Language Pack SP1 - ptg
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{87A9C015-C2BA-44EE-9C20-6E1A764B8E23}" = Windows Live Galeria de Fotos
    "{88528F28-E04A-3A93-B3C0-14651148FE82}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PTG
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
    "{90120000-0010-0816-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Portuguese (Portugal)) 12
    "{90120000-0015-0816-0000-0000000FF1CE}" = Microsoft Office Access MUI (Portuguese (Portugal)) 2007
    "{90120000-0015-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0016-0816-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
    "{90120000-0016-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0816-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
    "{90120000-0018-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0019-0816-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007
    "{90120000-0019-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001A-0816-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007
    "{90120000-001A-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0816-0000-0000000FF1CE}" = Microsoft Office Word MUI (Portuguese (Portugal)) 2007
    "{90120000-001B-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0816-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Portugal)) 2007
    "{90120000-001F-0816-0000-0000000FF1CE}_ENTERPRISE_{C312E1CD-EC19-4270-A072-F36F634DFF79}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-0020-0816-0000-0000000FF1CE}" = Compatibility Pack for Office system de 2007
    "{90120000-002C-0816-0000-0000000FF1CE}" = Microsoft Office Proofing (Portuguese (Portugal)) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{90120000-0044-0816-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007
    "{90120000-0044-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-006E-0816-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
    "{90120000-006E-0816-0000-0000000FF1CE}_ENTERPRISE_{A8523DA4-5563-4F0E-BD9D-4E4CC3CF7239}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-008A-0816-0000-0000000FF1CE}" = Gadget Documentos Recentes do Microsoft Office 2007
    "{90120000-00A1-0816-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
    "{90120000-00A1-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00BA-0816-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Portuguese (Portugal)) 2007
    "{90120000-00BA-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{95120000-0122-0416-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
    "{9555B4ED-09A3-4722-8E8C-57A49401D059}" = Windows Live Writer
    "{9ADC3E4F-34DA-48CD-8727-BB26D90257BD}" = Windows Live Messenger
    "{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = Controlador de DVD-RAM
    "{9E17C94B-913A-48A4-B1A8-8CE25157C170}" = Media Player Product Tool 5.25
    "{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = Controlos TOSHIBA
    "{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
    "{AC76BA86-7AD7-1046-7B44-A91000000001}" = Adobe Reader 9.1.1 - Português
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
    "{B0D71B3D-D679-4BF7-9F9C-5C98F34345DF}" = Windows Live Proteção para a Família
    "{BB05D173-9681-4812-A7FA-BD4042A3DA00}" = Alky for Applications (Windows XP)
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C45F4811-31D5-4786-801D-F79CD06EDD85}" = Módulo seguro SD
    "{C50BF854-E881-434F-9C67-5A73EBB58F06}" = Windows Live Toolbar
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}" = SMSC IrCC V5.1.3600.7
    "{F22FD942-651D-4EE8-BD6F-7E0AF5E17625}" = Software Intel(R) PROSet/Wireless WiFi
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "All ATI Software" = ATI - Utilitário de desinstalação de software
    "Any Video Converter_is1" = Any Video Converter 3.0.3
    "ATI Display Driver" = ATI Display Driver
    "avast" = avast! Free Antivirus
    "Bullzip PDF Printer_is1" = Bullzip PDF Printer 6.0.0.865
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "ESET Online Scanner" = ESET Online Scanner v3
    "eSnipsToolbar" = eSnips
    "Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.81
    "GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.64
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = Texas Instruments PCIxx21/x515/xx12 drivers.
    "InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
    "KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.8.0
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Math-A-Maze" = Math-A-Maze
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 Language Pack SP1 - ptg" = Microsoft .NET Framework 3.5 Language Pack SP1 - PTG
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Paint Shop Pro 6" = Paint Shop Pro 6.02 ESD
    "PC Diagnostic Tool" = PC Diagnostic Tool da TOSHIBA
    "Power Saver" = TOSHIBA Power Saver
    "ProInst" = Intel PROSet Wireless
    "PROSet" = Intel(R) PRO Network Connections Drivers
    "RealPlayer 6.0" = RealPlayer
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "TME3" = Extensão Móvel TOSHIBA 3 para Windows XP V3.79.00.XP.C
    "TOSHIBA Management Console" = TOSHIBA Management Console Version 3.5 (3.5.4)
    "TOSHIBA Software Modem" = TOSHIBA Software Modem
    "Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    "Windows Sidebar" = Barra Lateral do Windows
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = Compressor WinRAR
    "winusb0100" = Microsoft WinUsb 1.0
    "XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 06-04-2011 14:33:47 | Computer Name = UTILIZAD-D3390B | Source = Application Error | ID = 1000
    Description = Aplicação em falha 566.exe, versão 0.0.0.0, módulo em falha 566.exe,
    versão 0.0.0.0, endereço em falha 0x0000003f.

    Error - 06-04-2011 14:33:57 | Computer Name = UTILIZAD-D3390B | Source = Application Error | ID = 1000
    Description = Aplicação em falha 566.exe, versão 0.0.0.0, módulo em falha unknown,
    versão 0.0.0.0, endereço em falha 0x00002f2f.

    Error - 07-04-2011 8:25:28 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
    Description = Ocorreu uma falha na actualização automática do número de sequência
    da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    com o erro: The connection with the server was terminated abnormally

    Error - 07-04-2011 8:56:45 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
    Description = Ocorreu uma falha na actualização automática do número de sequência
    da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    com o erro: The connection with the server was terminated abnormally

    Error - 07-04-2011 8:56:45 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
    Description = Ocorreu uma falha na actualização automática do número de sequência
    da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    com o erro: Esta ligação de rede não existe.

    Error - 07-04-2011 8:57:16 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
    Description = Ocorreu uma falha na actualização automática do número de sequência
    da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    com o erro: The connection with the server was terminated abnormally

    Error - 07-04-2011 8:57:16 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
    Description = Ocorreu uma falha na actualização automática do número de sequência
    da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    com o erro: Esta ligação de rede não existe.

    Error - 07-04-2011 8:57:16 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
    Description = Ocorreu uma falha na actualização automática do número de sequência
    da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    com o erro: Esta ligação de rede não existe.

    Error - 07-04-2011 9:56:06 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131083
    Description = Ocorreu uma falha na extracção da lista de raiz de terceiros do cab
    de actualização automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    com o erro: Um certificado necessário não está no seu período de validade ao ser
    verificado contra o relógio do sistema actual ou a assinatura de data/hora no ficheiro
    assinado.

    Error - 07-04-2011 9:56:06 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131083
    Description = Ocorreu uma falha na extracção da lista de raiz de terceiros do cab
    de actualização automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    com o erro: Um certificado necessário não está no seu período de validade ao ser
    verificado contra o relógio do sistema actual ou a assinatura de data/hora no ficheiro
    assinado.

    [ OSession Events ]
    Error - 12-06-2009 14:13:42 | Computer Name = UTILIZAD-D3390B | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.4518.1014, Microsoft Office Version: 12.0.6425.1000. This session lasted 28
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 30-06-2009 13:41:34 | Computer Name = UTILIZAD-D3390B | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.4518.1014, Microsoft Office Version: 12.0.6425.1000. This session lasted 61
    seconds with 60 seconds of active time. This session ended with a crash.

    Error - 16-10-2009 0:44:22 | Computer Name = UTILIZAD-D3390B | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.4518.1014, Microsoft Office Version: 12.0.6425.1000. This session lasted 26
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 11-06-2010 9:00:47 | Computer Name = UTILIZAD-D3390B | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 98
    seconds with 0 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 07-04-2011 17:00:42 | Computer Name = UTILIZAD-D3390B | Source = Service Control Manager | ID = 7000
    Description = O serviço AVG Free WatchDog falhou o arranque devido ao seguinte erro:
    %%2

    Error - 07-04-2011 17:00:42 | Computer Name = UTILIZAD-D3390B | Source = Service Control Manager | ID = 7023
    Description = O serviço Serviço de 'Restauro do sistema' terminou com o seguinte
    erro: %%2

    Error - 07-04-2011 17:00:42 | Computer Name = UTILIZAD-D3390B | Source = Service Control Manager | ID = 7001
    Description = O serviço AVG Free E-mail Scanner depende do serviço AVG Free WatchDog
    o qual falhou o arranque devido ao seguinte erro: %%2

    Error - 07-04-2011 18:57:42 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
    Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço EventSystem
    com os argumentos "" de forma a executar o servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 07-04-2011 18:58:02 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
    Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço EventSystem
    com os argumentos "" de forma a executar o servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 07-04-2011 18:58:13 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
    Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço EventSystem
    com os argumentos "" de forma a executar o servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 07-04-2011 18:59:08 | Computer Name = UTILIZAD-D3390B | Source = Service Control Manager | ID = 7026
    Description = Falhou o carregamento dos seguintes controladores de início de arranque
    ou de início do sistema: Aavmker4 aswSnx aswSP aswTdi Fips intelppm TMEI3E

    Error - 07-04-2011 19:18:57 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
    Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço wuauserv
    com os argumentos "" de forma a executar o servidor: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

    Error - 07-04-2011 19:23:39 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
    Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço EventSystem
    com os argumentos "" de forma a executar o servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 08-04-2011 5:20:15 | Computer Name = UTILIZAD-D3390B | Source = Dhcp | ID = 1002
    Description = A concessão 192.168.2.3 do endereço IP para a placa de rede com o
    endereço de rede 00A0D134F243 foi negado pelo servidor DHCP 192.168.2.1 (O servidor
    DHCP enviou uma mensagem DHCPNACK).


    < End of report >
     
  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\WINDOWS\system32\dllcache\userinit.exe C:\WINDOWS\system32\userinit.exe
    DeleteFile:
    C:\Documents and Settings\Utilizador\Definições locais\Temp\explorer.exe
    

    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
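Added here as an example, not part of the thread and not BlitzBlank's own code: a Python integrity check for the step above. It hashes the live userinit.exe, winlogon.exe and explorer.exe (the three binaries the first post reports as patched) against the copies in system32\dllcache that the CopyFile line relies on, and confirms that the Temp explorer.exe the DeleteFile line targets is gone. Default paths are the ones quoted in the thread; the check assumes dllcache itself is intact.

```python
"""Integrity check for the binaries the BlitzBlank script restores.

A Patched-RP style infection overwrites a system binary in place, so the
live file no longer matches the reference copy in system32\dllcache.  This
script reports, per file, whether the two are byte-identical.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, Optional

# Live location of each binary the thread names as patched, relative to
# %SystemRoot%. explorer.exe lives in the Windows folder itself, the other
# two in system32; all three have their reference copy in system32\dllcache.
PATCHED_BINARIES = {
    "userinit.exe": Path("system32") / "userinit.exe",
    "winlogon.exe": Path("system32") / "winlogon.exe",
    "explorer.exe": Path("explorer.exe"),
}


def sha256_of(path: Path) -> Optional[str]:
    """Hex SHA-256 of a file, or None when the file does not exist."""
    if not path.is_file():
        return None
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_binaries(system_root: Path) -> Dict[str, Dict[str, Optional[str]]]:
    """Compare each live binary with its dllcache copy.

    verdict is one of:
      match          live file is byte-identical to the dllcache copy
      MISMATCH       live file differs, which is what a patched binary looks like
      missing-live   no live file at all (a missing userinit.exe breaks logon)
      missing-cache  dllcache has no reference copy, so nothing to compare

    A match only proves "same as dllcache". If the cache was tampered with
    too, compare the reported hash against a known-good value instead.
    """
    results: Dict[str, Dict[str, Optional[str]]] = {}
    cache_dir = system_root / "system32" / "dllcache"
    for name, relative in PATCHED_BINARIES.items():
        live = sha256_of(system_root / relative)
        cache = sha256_of(cache_dir / name)
        if live is None:
            verdict = "missing-live"
        elif cache is None:
            verdict = "missing-cache"
        elif live == cache:
            verdict = "match"
        else:
            verdict = "MISMATCH"
        results[name] = {"verdict": verdict, "live_sha256": live, "cache_sha256": cache}
    return results


def dropper_removed(temp_dir: Path, dropper_name: str = "explorer.exe") -> bool:
    """True when the explorer.exe targeted by the DeleteFile line is gone from Temp."""
    return not (temp_dir / dropper_name).exists()


def main() -> None:
    # Defaults are the paths quoted in the thread; %SystemRoot% and %TEMP%
    # override them on the machine being checked.
    system_root = Path(os.environ.get("SystemRoot", r"C:\WINDOWS"))
    temp_dir = Path(os.environ.get(
        "TEMP", r"C:\Documents and Settings\Utilizador\Definições locais\Temp"))
    for name, info in check_binaries(system_root).items():
        print(f"{name:13} {info['verdict']:14} "
              f"live={info['live_sha256']} cache={info['cache_sha256']}")
    print("Temp explorer.exe removed:", dropper_removed(temp_dir))


if __name__ == "__main__":
    main()
```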
     
  14. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    It gives me a "Syntax error in line 4, Invalid file path."

    It seems it doesn't like 'spaces'?
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Ooops, sorry about that...

    New script:
     
  16. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    :p

    Is this the report? It looks a tiny bit "small" (I couldn't find any other log created)


    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\windows\system32\dllcache\userinit.exe", destinationFile = "\??\c:\windows\system32\userinit.exe"
    MoveFileOnReboot: sourceFile = "\??\c:\documents and settings\utilizador\definições locais\temp\explorer.exe", destinationFile = "(null)", replaceWithDummy = 0
     
  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You did fine :)

    Now re-run OTL with exactly same custom script as in my reply #10
    Only one log will be created.
     
  18. AlbionPT

    AlbionPT TS Rookie Topic Starter Posts: 31

    And here is the log:

    OTL logfile created on: 08-04-2011 19:18:33 - Run 2
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Utilizador\Ambiente de trabalho
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

    1.022,00 Mb Total Physical Memory | 552,00 Mb Available Physical Memory | 54,00% Memory free
    2,00 Gb Paging File | 2,00 Gb Available in Paging File | 86,00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
    Drive C: | 63,52 Gb Total Space | 47,38 Gb Free Space | 74,59% Space Free | Partition Type: NTFS
    Drive D: | 5,19 Gb Total Space | 1,58 Gb Free Space | 30,43% Space Free | Partition Type: NTFS
    Drive E: | 563,69 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

    Computer Name: UTILIZAD-D3390B | User Name: Utilizador | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
    PRC - [2011-02-23 19:34:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Programas\AVAST Software\Avast\AvastUI.exe
    PRC - [2011-02-23 19:34:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Programas\AVAST Software\Avast\AvastSvc.exe
    PRC - [2009-03-26 15:31:20 | 000,132,424 | ---- | M] (Apple Inc.) -- C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    PRC - [2009-02-27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Intel\WiFi\bin\EvtEng.exe
    PRC - [2009-02-27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Intel\WiFi\bin\S24EvMon.exe
    PRC - [2009-02-27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
    PRC - [2005-12-20 11:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    PRC - [2005-04-05 09:37:04 | 000,118,784 | ---- | M] (TOSHIBA) -- C:\Programas\TOSHIBA\TME3\TMESRV31.EXE
    PRC - [2005-01-17 16:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
    PRC - [2004-12-28 16:53:02 | 000,077,824 | ---- | M] (TOSHIBA) -- C:\Programas\TOSHIBA\TME3\TMEEJME.exe
    PRC - [2004-08-28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
    PRC - [2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2003-06-20 03:55:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE


    ========== Modules (SafeList) ==========

    MOD - [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
    MOD - [2008-04-15 15:30:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (wlknvoym)
    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011-02-23 19:34:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programas\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2009-03-26 15:31:20 | 000,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2009-02-27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV - [2009-02-27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
    SRV - [2009-02-27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
    SRV - [2008-11-04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
    SRV - [2006-10-26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
    SRV - [2005-12-20 11:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
    SRV - [2005-04-05 09:37:04 | 000,118,784 | ---- | M] (TOSHIBA) [Auto | Running] -- C:\Programas\TOSHIBA\TME3\Tmesrv31.exe -- (Tmesrv)
    SRV - [2005-01-17 16:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
    SRV - [2004-08-28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
    SRV - [2003-06-20 03:55:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)


    ========== Driver Services (SafeList) ==========

    DRV - [2011-02-23 19:26:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011-02-23 19:26:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011-02-23 19:25:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011-02-23 19:25:47 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2011-02-23 19:25:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011-02-23 19:24:57 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2011-02-23 19:24:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010-09-11 17:14:42 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
    DRV - [2010-04-28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
    DRV - [2009-04-14 16:09:56 | 005,069,312 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2009-03-04 22:01:31 | 004,202,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
    DRV - [2008-08-13 17:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2008-08-05 20:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
    DRV - [2007-09-26 06:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Controlador do Adaptador da ligação WiFi sem fios Intel(R)
    DRV - [2006-08-29 21:09:12 | 001,723,904 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2006-01-04 15:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
    DRV - [2005-12-26 13:49:00 | 000,005,888 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\TVALG.SYS -- (TVALG)
    DRV - [2005-11-30 11:12:00 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
    DRV - [2005-11-15 11:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2005-10-20 14:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
    DRV - [2005-06-02 05:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
    DRV - [2004-12-09 14:54:12 | 000,046,592 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
    DRV - [2004-06-16 11:08:48 | 000,005,888 | ---- | M] (Toshiba Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TMEI3E.SYS -- (TMEI3E)
    DRV - [2003-01-29 14:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://pt.msn.com/?ocid=iehp
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = pt
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A DA F0 04 35 F5 CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009-05-24 20:00:45 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2010-09-11 16:06:33 | 000,002,828 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O1 - Hosts: 74.55.176.156 www.google.com
    O1 - Hosts: 74.55.176.156 google.com
    O1 - Hosts: 74.55.176.156 google.com.au
    O1 - Hosts: 74.55.176.156 www.google.com.au
    O1 - Hosts: 74.55.176.156 google.be
    O1 - Hosts: 74.55.176.156 www.google.be
    O1 - Hosts: 74.55.176.156 google.com.br
    O1 - Hosts: 74.55.176.156 www.google.com.br
    O1 - Hosts: 74.55.176.156 google.ca
    O1 - Hosts: 38 more lines...
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programas\AVAST Software\Avast\aswWebRepIE.dll ()
    O2 - BHO: (Auxiliar de Conexão do Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
    O2 - BHO: (CescrtHlpr Object) - {F9B72325-A029-4a39-943A-02433C978829} - C:\Programas\eSnips.com\eSnipsToolbar\1.3.0.3\escort.dll (esnips)
    O3 - HKLM\..\Toolbar: (esnips Toolbar) - {3132F1DF-2C69-49f5-ACA5-69965FC18E59} - C:\Programas\eSnips.com\eSnipsToolbar\1.3.0.3\escorTlbr.dll (esnips)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programas\AVAST Software\Avast\aswWebRepIE.dll ()
    O4 - HKLM..\Run: [avast] C:\Programas\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Programas\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Documents and Settings\Utilizador\Menu Iniciar\Programas\Arranque\Índice do OneNote.onetoc2 ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programas\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242890722484 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242890714281 (MUWebControl Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
    O24 - Desktop Components:0 (A minha home page actual) - About:Home
    O24 - Desktop WallPaper: C:\Documents and Settings\Utilizador\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Utilizador\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009-05-21 13:27:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2004-08-04 15:30:00 | 000,000,112 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
    O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\AutoRun\command - "" = F:\ojcIHq.eXE
    O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\OPen\cOMMaNd - "" = F:\OJCihQ.eXE
    O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\AutoRun\command - "" = F:\NhnjVS.exe
    O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\opeN\commANd - "" = F:\nhnJvS.eXe
    O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2004-08-04 15:30:00 | 002,584,576 | R--- | M] (Microsoft Corporation)
    O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe
    O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\open\command - "" = G:\DRIVE\file.exe
    O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell - "" = AutoRun
    O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe
    O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: SSHNAS - File not found

    Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
    Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
    Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (54619756233228288)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011-04-08 19:13:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL v1
    [2011-04-08 18:32:42 | 001,153,912 | ---- | C] (Emsi Software GmbH) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\BlitzBlank.exe
    [2011-04-08 13:54:33 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
    [2011-04-08 03:16:35 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011-04-08 03:02:49 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
    [2011-04-07 19:35:07 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\TFC.exe
    [2011-04-07 18:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Iniciar\Programas\avast! Free Antivirus
    [2011-04-07 18:43:20 | 000,301,528 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011-04-07 18:43:20 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011-04-07 18:43:18 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011-04-07 18:43:17 | 000,371,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2011-04-07 18:43:17 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011-04-07 18:43:16 | 000,102,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011-04-07 18:43:16 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011-04-07 18:43:16 | 000,030,680 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011-04-07 18:43:02 | 000,190,016 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2011-04-07 18:43:02 | 000,040,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011-04-07 18:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2011-04-07 18:25:00 | 000,000,000 | ---D | C] -- C:\Programas\Hitman Pro 3.5
    [2011-04-07 18:24:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2011-04-07 18:24:07 | 006,449,984 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\HitmanPro35.exe
    [2011-04-07 17:27:39 | 000,000,000 | ---D | C] -- C:\Programas\ESET
    [2011-04-07 16:55:54 | 000,000,000 | ---D | C] -- C:\Programas\AVAST Software
    [2011-04-07 14:11:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011-04-07 14:11:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Iniciar\Programas\Malwarebytes' Anti-Malware
    [2011-04-07 14:11:32 | 000,000,000 | ---D | C] -- C:\Programas\Malwarebytes' Anti-Malware
    [2011-04-07 14:08:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011-04-07 13:50:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilizador\Application Data\Malwarebytes
    [2011-04-07 13:07:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011-04-07 12:22:57 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2011-04-07 12:13:30 | 000,000,000 | ---D | C] -- C:\Programas\Alwil Software
    [2011-04-07 12:13:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2011-04-06 22:34:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2009-05-21 12:23:08 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll

    ========== Files - Modified Within 30 Days ==========

    [2011-04-08 18:53:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011-04-08 18:53:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011-04-08 18:32:44 | 001,153,912 | ---- | M] (Emsi Software GmbH) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\BlitzBlank.exe
    [2011-04-08 14:02:45 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job
    [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
    [2011-04-08 13:52:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
    [2011-04-08 03:03:32 | 004,315,416 | R--- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\ComboFix.exe
    [2011-04-08 03:03:03 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe
    [2011-04-08 03:02:51 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
    [2011-04-08 00:03:20 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011-04-07 22:13:22 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
    [2011-04-07 22:12:22 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\d76w6zpe.exe
    [2011-04-07 19:35:14 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\TFC.exe
    [2011-04-07 19:21:03 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2011-04-07 18:43:21 | 000,001,658 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\avast! Free Antivirus.lnk
    [2011-04-07 18:43:17 | 000,003,100 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2011-04-07 18:30:55 | 000,002,176 | ---- | M] () -- C:\WINDOWS\System32\.crusader
    [2011-04-07 18:24:07 | 006,449,984 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\HitmanPro35.exe
    [2011-04-07 14:36:13 | 000,500,618 | ---- | M] () -- C:\WINDOWS\System32\perfh016.dat
    [2011-04-07 14:36:13 | 000,444,236 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011-04-07 14:36:13 | 000,088,472 | ---- | M] () -- C:\WINDOWS\System32\perfc016.dat
    [2011-04-07 14:36:13 | 000,072,494 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011-04-07 14:11:36 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Malwarebytes' Anti-Malware.lnk

    ========== Files Created - No Company Name ==========

    [2011-04-08 03:03:32 | 004,315,416 | R--- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\ComboFix.exe
    [2011-04-08 03:03:01 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe
    [2011-04-07 22:13:14 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
    [2011-04-07 22:12:17 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\d76w6zpe.exe
    [2011-04-07 18:43:21 | 000,001,658 | ---- | C] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\avast! Free Antivirus.lnk
    [2011-04-07 18:30:55 | 000,002,176 | ---- | C] () -- C:\WINDOWS\System32\.crusader
    [2011-04-07 18:25:02 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011-04-07 14:11:36 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Malwarebytes' Anti-Malware.lnk
    [2010-07-24 18:20:03 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\ecfnhyma
    [2010-07-18 23:48:31 | 000,017,712 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\etec.drv
    [2010-07-18 23:46:42 | 000,000,466 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\atec.drv
    [2010-07-18 23:43:40 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\fhmi
    [2010-07-18 23:43:27 | 000,003,509 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\Cerulean.lic
    [2010-02-27 21:42:04 | 002,887,680 | ---- | C] () -- C:\WINDOWS\System32\VagalumePluginWMP.dll
    [2009-12-16 19:28:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2009-12-16 19:28:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2009-12-16 19:28:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2009-12-16 19:28:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2009-12-16 19:28:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2009-11-13 02:31:38 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2009-10-31 22:28:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Irremote.ini
    [2009-10-28 18:00:43 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
    [2009-05-24 15:46:58 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\default.pls
    [2009-05-22 23:38:59 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2009-05-21 20:18:51 | 000,170,496 | ---- | C] () -- C:\Documents and Settings\Utilizador\Definições locais\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009-05-21 16:02:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TOSMgmt.dll
    [2009-05-21 15:54:44 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
    [2009-05-21 15:53:05 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2009-05-21 15:53:03 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2009-05-21 15:53:03 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2009-05-21 15:53:03 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2009-05-21 15:53:01 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2009-05-21 14:11:43 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009-05-21 14:10:12 | 000,271,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2009-05-21 13:36:57 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2009-05-21 13:31:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2009-05-21 13:28:22 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009-05-21 13:23:15 | 000,021,924 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2009-05-21 13:01:25 | 000,000,413 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009-05-21 12:33:40 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
    [2009-05-21 12:33:40 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
    [2009-05-21 12:33:40 | 000,010,166 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
    [2009-05-21 12:33:40 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
    [2009-05-21 12:27:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
    [2009-05-21 12:23:08 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
    [2009-05-21 11:32:36 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Utilizador\Definições locais\Application Data\fusioncache.dat
    [2009-05-21 11:25:55 | 000,133,583 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2008-04-15 15:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2008-04-15 15:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008-04-15 15:30:00 | 000,500,618 | ---- | C] () -- C:\WINDOWS\System32\perfh016.dat
    [2008-04-15 15:30:00 | 000,444,236 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008-04-15 15:30:00 | 000,314,414 | ---- | C] () -- C:\WINDOWS\System32\perfi016.dat
    [2008-04-15 15:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008-04-15 15:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008-04-15 15:30:00 | 000,088,472 | ---- | C] () -- C:\WINDOWS\System32\perfc016.dat
    [2008-04-15 15:30:00 | 000,072,494 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008-04-15 15:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008-04-15 15:30:00 | 000,036,952 | ---- | C] () -- C:\WINDOWS\System32\perfd016.dat
    [2008-04-15 15:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008-04-15 15:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008-04-15 15:30:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2008-04-15 15:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008-04-15 15:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    ========== LOP Check ==========

    [2011-04-07 14:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2011-04-07 18:42:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2011-04-08 03:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
    [2011-04-07 17:34:10 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\faa01a9
    [2011-04-07 18:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010-09-02 21:54:25 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSTSZERUFS
    [2009-05-21 16:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
    [2009-05-21 15:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2010-02-27 21:39:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\AnvSoft
    [2010-02-27 18:23:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Any Video Converter
    [2009-05-21 18:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Bullzip
    [2011-04-07 17:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\CAAC8D2ED80A65103FBE3F97655A3DAF
    [2009-08-22 01:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\esnips.com
    [2011-02-25 01:53:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Oxudn
    [2009-10-28 18:06:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Search Settings
    [2009-05-21 12:33:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\toshiba
    [2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Uniblue
    [2011-04-08 14:02:45 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009-05-21 13:27:10 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2011-04-08 18:52:27 | 000,000,754 | ---- | M] () -- C:\blitzblank.log
    [2011-04-08 13:52:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
    [2008-04-15 15:30:00 | 000,004,952 | RHS- | M] () -- C:\bootfont.bin
    [2011-04-07 18:14:07 | 000,003,948 | ---- | M] () -- C:\BrmiT.txt
    [2009-05-21 13:27:10 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2009-05-21 13:27:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2009-05-21 13:27:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008-04-15 15:30:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008-04-15 15:30:00 | 000,251,120 | RHS- | M] () -- C:\ntldr
    [2011-04-08 18:53:02 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
    [2011-04-08 04:39:19 | 000,000,359 | ---- | M] () -- C:\rkill.log

    < %systemroot%\Fonts\*.com >
    [2006-04-18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006-06-29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006-04-18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006-06-29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009-05-21 13:26:36 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008-07-06 16:36:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007-04-09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2006-10-26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
    [2008-07-06 15:20:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011-02-23 19:34:21 | 000,040,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2010-04-17 00:21:08 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2009-05-21 14:09:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2009-05-21 14:09:24 | 001,097,728 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2009-05-21 14:09:24 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >
    [2008-06-23 16:36:24 | 000,773,120 | ---- | M] () -- C:\WINDOWS\system32\NEROINSTAEC43759.DB

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009-05-21 13:34:20 | 000,000,076 | -HS- | M] () -- C:\Documents and Settings\Utilizador\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2009-05-21 13:34:19 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Utilizador\Application Data\Microsoft\Internet Explorer\Quick Launch\Mostrar ambiente de trabalho.scf

    < %USERPROFILE%\Desktop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >
    [1 C:\Programas\Internet Explorer\*.tmp files -> C:\Programas\Internet Explorer\*.tmp -> ]

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011-04-08 19:01:43 | 000,163,840 | -HS- | M] () -- C:\Documents and Settings\Utilizador\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2009-02-27 20:27:02 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2009-02-27 19:51:37 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\custsat.dll
    [2008-04-15 15:30:00 | 000,004,821 | R--- | M] () -- C:\Programas\Messenger\logowin.gif
    [2007-04-03 03:07:24 | 000,007,047 | ---- | M] () -- C:\Programas\Messenger\lvback.gif
    [2008-05-02 17:14:34 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msgsc.dll
    [2008-04-14 02:30:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msgslang.dll
    [2008-04-15 01:09:56 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msmsgs.exe
    [2008-04-15 15:30:00 | 000,009,306 | ---- | M] () -- C:\Programas\Messenger\newalert.wav
    [2008-04-15 15:30:00 | 000,018,052 | ---- | M] () -- C:\Programas\Messenger\newemail.wav
    [2008-04-15 15:30:00 | 000,009,306 | ---- | M] () -- C:\Programas\Messenger\online.wav
    [2007-04-03 03:07:28 | 000,004,454 | ---- | M] () -- C:\Programas\Messenger\type.wav
    [2007-01-24 15:53:00 | 000,123,995 | ---- | M] () -- C:\Programas\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < MD5 for: EXPLORER.EXE >
    [2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=73BF5036A2ABA403DB078C65B1A29A99 -- C:\WINDOWS\ERDNT\cache\explorer.exe
    [2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=8CE8153D67135457E215C733BAFBF508 -- C:\WINDOWS\explorer.exe
    [2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=D2D6BF11A956FCE4DCBE77F3199F39C1 -- C:\WINDOWS\system32\dllcache\explorer.exe

    < MD5 for: USERINIT.EXE >
    [2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\ERDNT\cache\userinit.exe
    [2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\dllcache\userinit.exe
    [2011-04-08 18:52:27 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=2EFCB948E7DA1B6D6FE351032FF76391 -- C:\WINDOWS\ERDNT\cache\winlogon.exe
    [2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=83B4911B8E667F9648753A8928131636 -- C:\WINDOWS\system32\winlogon.exe
    [2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=AB7F1E796C2D4D1B81349198050DE5C0 -- C:\WINDOWS\system32\dllcache\winlogon.exe

    < End of report >
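The three "MD5 for:" sections at the end of this log are its most telling part: userinit.exe carries the same hash in all three locations, while the live explorer.exe and winlogon.exe differ from both the dllcache and ERDNT copies, and those two backups even disagree with each other despite identical size and timestamp. The script below is an added example, not part of this thread or of OTL; it parses those sections and reports, for each file, whether the live copy matches a pristine backup. The sample input is copied from the log above; the list of backup-directory markers is an assumption about where Windows XP and ComboFix keep reference copies.

```python
import re
from collections import defaultdict

# Constructed sample input: the three "MD5 for:" sections copied from the
# OTL log posted above.
SAMPLE = r"""
< MD5 for: EXPLORER.EXE >
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=73BF5036A2ABA403DB078C65B1A29A99 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=8CE8153D67135457E215C733BAFBF508 -- C:\WINDOWS\explorer.exe
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=D2D6BF11A956FCE4DCBE77F3199F39C1 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: USERINIT.EXE >
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\dllcache\userinit.exe
[2011-04-08 18:52:27 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=2EFCB948E7DA1B6D6FE351032FF76391 -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=83B4911B8E667F9648753A8928131636 -- C:\WINDOWS\system32\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=AB7F1E796C2D4D1B81349198050DE5C0 -- C:\WINDOWS\system32\dllcache\winlogon.exe
"""

SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)
# Assumed locations of pristine copies on XP: the WFP cache (dllcache),
# ComboFix's ERDNT backup and the service-pack caches. Compared lower-case.
BACKUP_MARKERS = ("\\dllcache\\", "\\erdnt\\", "\\servicepackfiles\\", "$ntservicepackuninstall$")


def parse_md5_sections(text):
    """Map lower-cased file name -> list of entries (path, md5, size, backup flag)."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        e = ENTRY_RE.match(line) if current else None
        if e:
            d = e.groupdict()
            d["md5"] = d["md5"].upper()
            d["size"] = int(d["size"].replace(",", ""))
            d["backup"] = any(mk in d["path"].lower() for mk in BACKUP_MARKERS)
            sections[current].append(d)
    return dict(sections)


def triage(sections):
    """For each file, compare the live copy's hash with the backup copies."""
    report = {}
    for name, entries in sections.items():
        live = [e for e in entries if not e["backup"]]
        backups = [e for e in entries if e["backup"]]
        live_hashes = {e["md5"] for e in live}
        backup_hashes = {e["md5"] for e in backups}
        if not live:
            verdict = "no live copy listed"
        elif not backups:
            verdict = "no backup copy to compare against"
        elif live_hashes <= backup_hashes and len(backup_hashes) == 1:
            verdict = "ok"
        elif live_hashes & backup_hashes:
            verdict = "live matches one backup, but backups disagree"
        else:
            verdict = "live matches no backup"
            if len(backup_hashes) > 1:
                # Two reference copies with the same size and timestamp but
                # different hashes: at least one of them cannot be trusted either.
                verdict += "; backups disagree"
        report[name] = {
            "live": [e["path"] for e in live],
            "live_md5": sorted(live_hashes),
            "backup_md5": sorted(backup_hashes),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for name, r in triage(parse_md5_sections(SAMPLE)).items():
        print(f"{name:14} {r['verdict']}")
```

A changed hash with an unchanged size and timestamp is the signature of an in-place file patcher, which is what the "Patched" naming in the first post refers to; ComboFix's log later in this thread reports restoring explorer.exe and winlogon.exe from the ERDNT cache, consistent with the two mismatches here. A mismatch alone is not proof: a backup taken from a different service-pack or language build also hashes differently, so compare size and version information before overwriting a live file with a backup.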
     
  19. Broni


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- -- (wlknvoym)
      O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
      O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
      O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\AutoRun\command - "" = F:\ojcIHq.eXE
      O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\OPen\cOMMaNd - "" = F:\OJCihQ.eXE
      O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\AutoRun\command - "" = F:\NhnjVS.exe
      O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\opeN\commANd - "" = F:\nhnJvS.eXe
      O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell - "" = AutoRun
      O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2004-08-04 15:30:00 | 002,584,576 | R--- | M] (Microsoft Corporation)
      O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe
      O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\open\command - "" = G:\DRIVE\file.exe
      O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell - "" = AutoRun
      O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe
      O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
      O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
      [2011-04-08 03:02:49 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
      [2011-04-08 03:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
      [2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Uniblue
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
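The O33 lines in that fix are cached autorun handlers for removable drives (the HKCU\...\Explorer\MountPoints2 keys): when an infected USB stick was plugged in, Windows recorded the shell verbs from its autorun.inf, so double-clicking the drive in My Computer would launch the worm, and the entries survive after the stick is gone. The script below is an added example, not part of this thread or of OTL; it parses those lines and rates each one using three signs visible in the fix itself: case-mangled key names (OPen\cOMMaNd), the rundll32 ShellExec_RunDLL launcher, and executables launched from a non-system drive. The sample input is the O33 lines from the fix above; treating C: as the system drive, and reading OTL's trailing "[date | size | attrs] (company)" as evidence that the target file was present at scan time, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the O33 lines from the OTL fix script above.
SAMPLE = r"""
O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\AutoRun\command - "" = F:\ojcIHq.eXE
O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\OPen\cOMMaNd - "" = F:\OJCihQ.eXE
O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\AutoRun\command - "" = F:\NhnjVS.exe
O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\opeN\commANd - "" = F:\nhnJvS.eXe
O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2004-08-04 15:30:00 | 002,584,576 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe
O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\open\command - "" = G:\DRIVE\file.exe
O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell - "" = AutoRun
O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe
O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
"""

O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9a-fA-F-]+\})\\(?P<subkey>\S+) - "" = '
    r'(?P<value>.*?)(?: -- \[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\))?$'
)
TARGET_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"\s]*)')
# Spellings Windows itself writes; anything that only matches case-insensitively
# was written by something trying to dodge naive string matching.
CANONICAL = {"Shell", "AutoRun", "open", "Open", "command"}
CANONICAL_LOWER = {c.lower() for c in CANONICAL}


def parse_o33(text):
    """Return one dict per O33 line: guid, subkey, value, meta, company."""
    entries = []
    for raw in text.splitlines():
        m = O33_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def assess(entry):
    """Return (severity, reasons) for one MountPoints2 entry."""
    reasons = []
    segs = entry["subkey"].split("\\")
    value = entry["value"]
    low = value.lower()
    mangled = any(s not in CANONICAL and s.lower() in CANONICAL_LOWER for s in segs)
    if mangled:
        reasons.append("case-mangled key name (defeats naive case-sensitive matching)")
    if segs[-1].lower() != "command":
        if low == "autorun":
            reasons.append("default verb redirected to AutoRun")
        return ("high" if mangled else "info"), reasons
    launcher = "rundll32" in low and "shellexec_rundll" in low
    if launcher:
        reasons.append("rundll32 ShellExec_RunDLL used to launch a file by bare name")
    removable = absent = False
    t = TARGET_RE.match(value)
    if t:
        path = t.group("path")
        removable = path[0].upper() != "C" and path.lower().endswith(".exe")  # assumes C: is the system drive
        # Assumption: OTL appends "[date | size | attrs] (company)" only when it
        # could stat the target, so a bare path means the file was not reachable.
        absent = t.end() == len(value) and not entry["company"]
    if removable:
        reasons.append("executable launched from a non-system drive")
    if absent:
        reasons.append("target absent at scan time (stale entry from a removed drive)")
    if mangled or launcher:
        return "high", reasons
    if removable and absent:
        return "medium", reasons
    if removable:
        return "review", reasons
    return "info", reasons


def triage(text):
    findings = parse_o33(text)
    by_guid = defaultdict(list)
    for e in findings:
        e["severity"], e["reasons"] = assess(e)
        by_guid[e["guid"]].append(e)
    # Worms hijack both the AutoRun and the open verb so the payload runs whether
    # the drive autoplays or the user double-clicks it in My Computer.
    for entries in by_guid.values():
        cmds = [x for x in entries if x["subkey"].lower().endswith("\\command")]
        verbs = {x["subkey"].split("\\")[1].lower() for x in cmds if x["subkey"].count("\\") == 2}
        targets = {x["value"].lower() for x in cmds}
        if {"autorun", "open"} <= verbs and len(targets) == 1:
            for x in cmds:
                x["reasons"].append("AutoRun and open verbs both point at the same payload")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['severity']:6} {f['guid']} {f['subkey']} -> {f['value']}")
        for r in f["reasons"]:
            print("        -", r)
```

The one entry rated "review" rather than "medium" or "high" is E:\SETUP.EXE: it carries version metadata naming Microsoft Corporation and is the kind of record an installation CD leaves behind, so it is of a different character from the stale F:\ and G:\ handlers even though a fix script treats every O33 line the same way. Deleting the MountPoints2 keys removes only the cached handlers; the autorun.inf and payload on the stick itself have to be cleaned separately, or the keys return the next time it is inserted.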
     
  20. AlbionPT


    Done! Here is the log:

    All processes killed
    ========== OTL ==========
    Service wlknvoym stopped successfully!
    Service wlknvoym deleted successfully!
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31186f16-9471-11de-b8a2-001302156640}\ not found.
    File F:\DRIVE\file.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31186f16-9471-11de-b8a2-001302156640}\ not found.
    File F:\DRIVE\file.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{378a741a-5b4c-11de-b817-001302156640}\ not found.
    File F:\ojcIHq.eXE not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{378a741a-5b4c-11de-b817-001302156640}\ not found.
    File F:\OJCihQ.eXE not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496d0e74-2953-11df-ba21-001302156640}\ not found.
    File F:\NhnjVS.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496d0e74-2953-11df-ba21-001302156640}\ not found.
    File F:\nhnJvS.eXe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5944b642-45eb-11de-b7b8-806d6172696f}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5944b642-45eb-11de-b7b8-806d6172696f}\ not found.
    File move failed. E:\SETUP.EXE scheduled to be moved on reboot.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ca7cabc-741f-11de-b855-001302156640}\ not found.
    File G:\DRIVE\file.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ca7cabc-741f-11de-b855-001302156640}\ not found.
    File G:\DRIVE\file.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ec523b58-461e-11de-b7ce-001302156640}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ec523b58-461e-11de-b7ce-001302156640}\ not found.
    File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f686aaec-57f9-11de-b80a-001302156640}\ not found.
    File F:\DRIVE\file.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f686aaec-57f9-11de-b80a-001302156640}\ not found.
    File F:\DRIVE\file.exe not found.
    C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\update\prepare\temp folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\update\prepare folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\update folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully.
    C:\Documents and Settings\Utilizador\Application Data\Uniblue folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrador
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 3000344 bytes
    ->Flash cache emptied: 405 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Utilizador
    ->Temp folder emptied: 108571 bytes
    ->Temporary Internet Files folder emptied: 29044518 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 405 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    RecycleBin emptied: 2111 bytes

    Total Files Cleaned = 31,00 mb


    [EMPTYFLASH]

    User: Administrador
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Utilizador
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0,00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.22.3 log created on 04082011_232539

    Files\Folders moved on Reboot...
    File move failed. E:\SETUP.EXE scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  21. Broni


    Delete your Combofix file, download a fresh one and see if it'll run now.
     
  22. AlbionPT


    Still the same problem. "Combofix cannot run when AVG is installed"

    I don't know if it helps, but I found an AVG folder in C:\Programas with 19 MB and about 20 files.

    Any other ideas?
     
  23. Broni


    Possibly I missed that folder when we ran the OTL fix.
    Delete it and attempt Combofix again.
     
  24. AlbionPT


    Well, it seems it worked. I got a different AVG warning, but the program ran (in fact, ComboFix forced me to continue).

    Here is the log (some sentences are in Portuguese; if you need help understanding them, just let me know):

    ComboFix 11-04-07.08 - Utilizador 09-04-2011 13:46:26.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.1022.529 [GMT 4,5:30]
    Running from: c:\documents and settings\Utilizador\Ambiente de trabalho\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Documentos\Server\admin.txt
    c:\documents and settings\All Users\Documentos\Server\server.dat
    c:\documents and settings\Utilizador\Application Data\Cerulean.lic
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\Anemone.lic
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\blueray.lic
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\Cablemusic.lic
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\Constantine.lic
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\eyed.lic
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\Featured.lic
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\mistic.lic
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\mistic.lic.ZIP
    c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\peaz.lic
    c:\documents and settings\Utilizador\Recent\ANTIGEN.exe
    c:\documents and settings\Utilizador\Recent\ANTIGEN.tmp
    c:\documents and settings\Utilizador\Recent\CLSV.drv
    c:\documents and settings\Utilizador\Recent\DBOLE.dll
    c:\documents and settings\Utilizador\Recent\energy.dll
    c:\documents and settings\Utilizador\Recent\energy.drv
    c:\documents and settings\Utilizador\Recent\energy.tmp
    c:\documents and settings\Utilizador\Recent\exec.dll
    c:\documents and settings\Utilizador\Recent\fix.drv
    c:\documents and settings\Utilizador\Recent\kernel32.exe
    c:\documents and settings\Utilizador\Recent\pal.sys
    c:\documents and settings\Utilizador\Recent\PE.sys
    c:\documents and settings\Utilizador\Recent\runddlkey.exe
    c:\documents and settings\Utilizador\Recent\runddlkey.tmp
    c:\documents and settings\Utilizador\Recent\SICKBOY.exe
    c:\documents and settings\Utilizador\Recent\sld.exe
    c:\documents and settings\Utilizador\Recent\SM.exe
    c:\documents and settings\Utilizador\Recent\snl2w.drv
    c:\documents and settings\Utilizador\Recent\snl2w.sys
    c:\documents and settings\Utilizador\Recent\tjd.dll
    c:\documents and settings\Utilizador\WINDOWS
    c:\programas\Internet Explorer\iexplore.exe.tmp
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Install.txt
    c:\windows\system32\Packet.dll
    c:\windows\system32\szetyj67v.txt
    c:\windows\system32\wpcap.dll
    .
    -- Execuções precedente --
    .
    A cópia de c:\windows\system32\userinit.exe foi encontrada e desinfectada
    Cópia restaurada de - c:\windows\system32\dllcache\userinit.exe
    .
    --------
    .
    A cópia de c:\windows\system32\winlogon.exe foi encontrada e desinfectada
    Cópia restaurada de - c:\windows\ERDNT\cache\winlogon.exe
    .
    A cópia de c:\windows\explorer.exe foi encontrada e desinfectada
    Cópia restaurada de - c:\windows\ERDNT\cache\explorer.exe
    .
    .
    \\.\PhysicalDrive0 - Bootkit Agent was found and disinfected
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Legacy_SSHNAS
    -------\Service_NPF
    .
    .
    (((((((((((((((( Arquivos/Ficheiros criados de 2011-03-09 to 2011-04-09 ))))))))))))))))))))))))))))
    .
    .
    2011-04-08 18:55 . 2011-04-08 18:55 -------- d-----w- C:\_OTL
    2011-04-07 14:13 . 2011-02-23 14:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-04-07 14:13 . 2011-02-23 14:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-04-07 14:13 . 2011-02-23 14:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-04-07 14:13 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-04-07 14:13 . 2011-02-23 14:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-04-07 14:13 . 2011-02-23 14:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-04-07 14:13 . 2011-02-23 14:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-04-07 14:13 . 2011-02-23 14:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-04-07 14:13 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
    2011-04-07 14:13 . 2011-02-23 15:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-04-07 14:12 . 2011-04-07 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-04-07 13:55 . 2011-04-07 19:33 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-04-07 13:55 . 2011-04-07 13:55 -------- d-----w- c:\programas\Hitman Pro 3.5
    2011-04-07 13:54 . 2011-04-07 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-04-07 12:57 . 2011-04-07 12:57 -------- d-----w- c:\programas\ESET
    2011-04-07 12:25 . 2011-04-07 12:25 -------- d-----w- c:\programas\AVAST Software
    2011-04-07 09:41 . 2010-12-20 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-07 09:41 . 2011-04-07 09:41 -------- d-----w- c:\programas\Malwarebytes' Anti-Malware
    2011-04-07 09:38 . 2010-12-20 13:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-07 09:20 . 2011-04-07 09:20 -------- d-----w- c:\documents and settings\Utilizador\Application Data\Malwarebytes
    2011-04-07 08:37 . 2011-04-07 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-07 07:43 . 2011-04-07 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-04-07 07:43 . 2011-04-07 07:43 -------- d-----w- c:\programas\Alwil Software
    2011-04-06 18:37 . 2011-04-07 08:22 -------- d-----w- c:\documents and settings\Administrador
    .
    .
    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    .
    [-] 2009-02-27 . 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
    .
    [-] 2009-02-27 . 7847E2A6B90729DE0ADC71033F2BE590 . 1572352 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* entradas vazias e legítimas por defeito não são mostradas.
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- c:\programas\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes Anti-Malware (reboot)"="c:\programas\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    "avast"="c:\programas\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
    "GrooveMonitor"="c:\programas\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_2"="shell32" [X]
    "_nltide_3"="advpack.dll" [2009-03-08 128512]
    .
    c:\documents and settings\Utilizador\Menu Iniciar\Programas\Arranque\
    Iniciação Rápida do Microsoft Office OneNote 2007.lnk - c:\programas\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    Índice do OneNote.onetoc2 [2010-8-31 3656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^PC Health.lnk]
    path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\PC Health.lnk
    backup=c:\windows\pss\PC Health.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^RAMASST.lnk]
    path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\RAMASST.lnk
    backup=c:\windows\pss\RAMASST.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-15 11:00 15360 ------w- c:\windows\system32\ctfmon.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Programas\\Bonjour\\mDNSResponder.exe"=
    "c:\\Programas\\iTunes\\iTunes.exe"=
    "c:\\Programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Programas\\Java\\jre6\\bin\\java.exe"=
    "c:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [07-04-2011 18:43 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [07-04-2011 18:43 301528]
    R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [21-05-2009 12:31 5888]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07-04-2011 18:43 19544]
    R2 Tmesrv;Tmesrv3;c:\programas\TOSHIBA\TME3\TMESRV31.EXE [21-05-2009 12:31 118784]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [21-05-2009 11:35 1684736]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
    2009-03-08 00:02 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Conteúdo da pasta 'Tarefas Agendadas'
    .
    2011-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:04]
    .
    2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job
    - c:\windows\system32\msfeedssync.exe [2009-02-27 00:01]
    .
    .
    ------- Scan Suplementar -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    .
    - - - - ORFÃOS REMOVIDOS - - - -
    .
    MSConfigStartUp-29212 - c:\docume~1\UTILIZ~1\DEFINI~1\Temp\566.exe
    MSConfigStartUp-avast5 - c:\progra~1\ALWILS~1\Avast5\avastUI.exe
    MSConfigStartUp-{6B457D83-0365-D3B2-64C4-A6E680046383} - c:\documents and settings\Utilizador\Application Data\Anupxu\imky.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-09 13:58
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    Procurando processos ocultos ...
    .
    Procurando entradas auto inicializáveis ocultas ...
    .
    Procurando ficheiros/arquivos ocultos ...
    .
    Varredura completada com sucesso
    arquivos/ficheiros ocultos: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
    .
    - - - - - - - > 'winlogon.exe'(952)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\netprovcredman.dll
    .
    - - - - - - - > 'explorer.exe'(3740)
    c:\programas\TOSHIBA\TME3\TMEEJMD.DLL
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Outros Processos em Execução ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\programas\Intel\WiFi\bin\S24EvMon.exe
    c:\windows\system32\Ati2evxx.exe
    c:\programas\AVAST Software\Avast\AvastSvc.exe
    c:\programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\programas\Bonjour\mDNSResponder.exe
    c:\programas\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\windows\system32\DVDRAMSV.exe
    c:\programas\Intel\WiFi\bin\EvtEng.exe
    c:\programas\Java\jre6\bin\jqs.exe
    c:\programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
    c:\programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    c:\programas\TOSHIBA\TME3\TMEEJME.EXE
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Tempo para conclusão: 2011-04-09 14:03:20 - Máquina reiniciou
    ComboFix-quarantined-files.txt 2011-04-09 09:33
    .
    Pré-execução: 50.154.569.728 bytes livres
    Pós execução: 50.099.671.040 bytes livres
    .
    - - End Of File - - 4F9EF02FA18C57E80CA533E9AB5D6FC6
     
  25. Broni

    Very good :)

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt