Solved: Bamital, Patched-RP, Smitnyl Trojan infection


AlbionPT

Greetings all.

I'm trying to clean a friend's laptop of a serious virus/malware/trojan infection.

I have run a few anti-virus/anti-spyware programs (Avast, Malwarebytes, ESET Online Check, Hitman Pro 3.5) to see if I could clean the computer, but after removing an absurd amount of "infected junk" (close to 900 files/entries!) I slammed against a wall.


Step 1: Avast detected:

explorer.exe, userinit.exe, winlogon.exe and the
Master Boot Record infected with Bamital/Patched-RP and Smitnyl. Delete/Quarantine/Heal didn't work.

Step 2: Ok

Step 3:

I had a few issues here. I had to use an outdated database at first because whenever I tried to update I got a BSOD. After removing a few viruses I managed to update without a BSOD.

Step 4 to 7: OK

Extra: Even though it was not asked for, I ran HijackThis and found a few "suspicious" entries in the Hosts file, so I'm also adding an HJT log to the thread.

Also, the computer gives me an '"explorer.exe" can't start because a DLL is missing' error, but I can see an explorer.exe instance in Task Manager.

Since this is not my laptop, I would really like to fix the issues without having to format...
(Logs follow)

Thanks in advance.
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================================================

Please, post all required logs.
 
OK, first off, thanks for killing the other thread. I only noticed that posts had to be confirmed by a mod after my second entry.

Now the logs:

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6288

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07-04-2011 20:44:52
mbam-log-2011-04-07 (20-44-52).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 208150
Time elapsed: 22 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C597AEFF-0239-426B-939C-509D9A61B015} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\YXE7DXCQ37 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6B457D83-0365-D3B2-64C4-A6E680046383} (Trojan.ZbotR.Gen) -> Value: {6B457D83-0365-D3B2-64C4-A6E680046383} -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=302&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\utilizador\definições locais\Temp\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
 
GMER Log

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-07 22:19:03
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541080G9SA00 rev.MB4OC60D
Running: d76w6zpe.exe; Driver: C:\DOCUME~1\UTILIZ~1\DEFINI~1\Temp\fwpdrfoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA9C74026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA9C73E91]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA9CBD8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----
 
DDS Log (part 1)

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Utilizador at 22:19:41,81 on 07-04-2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.1022.448 [GMT 4,5:30]
.
AV: My Security Shield *Enabled/Updated* {BCAB80E9-F911-4572-AE67-7F1626E5BDB1}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: My Security Shield *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programas\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\explorer.exe
C:\Programas\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Bonjour\mDNSResponder.exe
svchost.exe
C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Programas\Intel\WiFi\bin\EvtEng.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
C:\Programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Windows Live\Toolbar\wltuser.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programas\ficheiros comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programas\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\programas\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\programas\microsoft office\office12\GrooveShellExtensions.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\programas\avast software\avast\aswWebRepIE.dll
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programas\ficheiros comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programas\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\programas\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CescrtHlpr Object: {f9b72325-a029-4a39-943a-02433c978829} - c:\programas\esnips.com\esnipstoolbar\1.3.0.3\escort.dll
TB: esnips Toolbar: {3132f1df-2c69-49f5-aca5-69965fc18e59} - c:\programas\esnips.com\esnipstoolbar\1.3.0.3\escorTlbr.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\programas\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\programas\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\programas\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [HitmanPro35] "c:\programas\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [avast] "c:\programas\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\utiliz~1\menuin~1\progra~1\arranque\inicia~1.lnk - c:\programas\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\utilizador\menu iniciar\programas\arranque\Índice do OneNote.onetoc2
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programas\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\programas\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242890722484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242890714281
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\programas\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programas\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\programas\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-7 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-7 301528]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-16 243024]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [2009-5-21 5888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-7 19544]
R2 avast! Antivirus;avast! Antivirus;c:\programas\avast software\avast\AvastSvc.exe [2011-4-7 42184]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-7-30 54760]
S2 avg9emc;AVG Free E-mail Scanner;c:\programas\avg\avg9\avgemc.exe --> c:\programas\avg\avg9\avgemc.exe [?]
S2 avg9wd;AVG Free WatchDog;c:\programas\avg\avg9\avgwdsvc.exe --> c:\programas\avg\avg9\avgwdsvc.exe [?]
S2 Tmesrv;Tmesrv3;c:\programas\toshiba\tme3\TMESRV31.EXE [2009-5-21 118784]
S2 wlknvoym;Boot Server;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-21 1684736]
S3 fsssvc;Serviço Windows Live Proteção para a Família;c:\programas\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-9-11 50704]
.
=============== Created Last 30 ================
.
2011-04-07 14:13:17 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-07 14:13:02 40648 ----a-w- c:\windows\avastSS.scr
2011-04-07 14:12:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
2011-04-07 13:55:02 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-07 13:55:00 -------- d-----w- c:\programas\Hitman Pro 3.5
2011-04-07 13:54:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-07 12:57:39 -------- d-----w- c:\programas\ESET
2011-04-07 12:25:54 -------- d-----w- c:\programas\AVAST Software
2011-04-07 09:41:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 09:41:32 -------- d-----w- c:\programas\Malwarebytes' Anti-Malware
2011-04-07 09:38:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 09:20:46 -------- d-----w- c:\docume~1\utiliz~1\applic~1\Malwarebytes
2011-04-07 08:37:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-07 07:43:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-04-06 18:04:50 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
.
============= FINISH: 22:20:38,21 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 21-05-2009 13:31:48
System Uptime: 07-04-2011 22:06:23 (0 hours ago)
.
Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | U1 | 1828/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 64 GiB total, 47,52 GiB free.
D: is FIXED (NTFS) - 5 GiB total, 1,578 GiB free.
E: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\D134F24380DA0
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\D134F24380DA0
Service: NIC1394
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\TOS620A\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\TOS620A\2&DABA3FF&0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\TOS6205\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\TOS6205\2&DABA3FF&0
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Hosts File Hijack ======================
.
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 www.getavplusnow.com
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 secure.paysecuresystem.com
Hosts: 74.125.45.100 paysoftbillsolution.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 74.55.176.156 www.google.com
Hosts: 74.55.176.156 google.com
Hosts: 74.55.176.156 google.com.au
Hosts: 74.55.176.156 www.google.com.au
Hosts: 74.55.176.156 google.be
Hosts: 74.55.176.156 www.google.be
Hosts: 74.55.176.156 google.com.br
Hosts: 74.55.176.156 www.google.com.br
Hosts: 74.55.176.156 google.ca
Hosts: 74.55.176.156 www.google.ca
Hosts: 74.55.176.156 google.ch
Hosts: 74.55.176.156 www.google.ch
Hosts: 74.55.176.156 google.de
Hosts: 74.55.176.156 www.google.de
Hosts: 74.55.176.156 google.dk
Hosts: 74.55.176.156 www.google.dk
Hosts: 74.55.176.156 google.fr
Hosts: 74.55.176.156 www.google.fr
Hosts: 74.55.176.156 google.ie
Hosts: 74.55.176.156 www.google.ie
Hosts: 74.55.176.156 google.it
Hosts: 74.55.176.156 www.google.it
Hosts: 74.55.176.156 google.co.jp
Hosts: 74.55.176.156 www.google.co.jp
Hosts: 74.55.176.156 google.nl
Hosts: 74.55.176.156 www.google.nl
Hosts: 74.55.176.156 google.no
Hosts: 74.55.176.156 www.google.no
Hosts: 74.55.176.156 google.co.nz
Hosts: 74.55.176.156 www.google.co.nz
Hosts: 74.55.176.156 google.pl
Hosts: 74.55.176.156 www.google.pl
Hosts: 74.55.176.156 google.se
Hosts: 74.55.176.156 www.google.se
Hosts: 74.55.176.156 google.co.uk
Hosts: 74.55.176.156 www.google.co.uk
Hosts: 74.55.176.156 google.co.za
Hosts: 74.55.176.156 www.google.co.za
Hosts: 74.55.176.156 www.google-analytics.com
Hosts: 74.55.176.156 www.bing.com
Hosts: 74.55.176.156 search.yahoo.com
Hosts: 74.55.176.156 www.search.yahoo.com
Hosts: 74.55.176.156 uk.search.yahoo.com
Hosts: 74.55.176.156 ca.search.yahoo.com
Hosts: 74.55.176.156 de.search.yahoo.com
Hosts: 74.55.176.156 fr.search.yahoo.com
Hosts: 74.55.176.156 au.search.yahoo.com
.
==== Installed Programs ======================
.
Actualização Crítica para o Windows Media Player 11 (KB959772)
Actualização de Segurança para o Windows Media Player (KB954155)
Actualização de Segurança para o Windows Media Player (KB968816)
Actualização de Segurança para o Windows Media Player (KB973540)
Actualização de Segurança para o Windows Media Player (KB978695)
Actualização de Segurança para o Windows Media Player 11 (KB954154)
Actualização de segurança para Windows Internet Explorer 7 (KB938127-v2)
Actualização de segurança para Windows Internet Explorer 7 (KB961260)
Actualização de segurança para Windows Internet Explorer 7 (KB963027)
Actualização de segurança para Windows Internet Explorer 8 (KB2183461)
Actualização de segurança para Windows Internet Explorer 8 (KB969897)
Actualização de segurança para Windows Internet Explorer 8 (KB971961)
Actualização de segurança para Windows Internet Explorer 8 (KB972260)
Actualização de segurança para Windows Internet Explorer 8 (KB974455)
Actualização de segurança para Windows Internet Explorer 8 (KB976325)
Actualização de segurança para Windows Internet Explorer 8 (KB978207)
Actualização de segurança para Windows Internet Explorer 8 (KB981332)
Actualização de segurança para Windows Internet Explorer 8 (KB982381)
Actualização de segurança para Windows XP (KB2079403)
Actualização de segurança para Windows XP (KB2115168)
Actualização de segurança para Windows XP (KB2160329)
Actualização de segurança para Windows XP (KB2229593)
Actualização de segurança para Windows XP (KB2286198)
Actualização de segurança para Windows XP (KB923561)
Actualização de segurança para Windows XP (KB923789)
Actualização de Segurança para Windows XP (KB941569)
Actualização de segurança para Windows XP (KB950760)
Actualização de segurança para Windows XP (KB952004)
Actualização de segurança para Windows XP (KB956572)
Actualização de segurança para Windows XP (KB956744)
Actualização de segurança para Windows XP (KB956844)
Actualização de segurança para Windows XP (KB958690)
Actualização de segurança para Windows XP (KB958869)
Actualização de segurança para Windows XP (KB959426)
Actualização de segurança para Windows XP (KB960225)
Actualização de segurança para Windows XP (KB960715)
Actualização de segurança para Windows XP (KB960803)
Actualização de segurança para Windows XP (KB960859)
Actualização de segurança para Windows XP (KB961371)
Actualização de segurança para Windows XP (KB961373)
Actualização de segurança para Windows XP (KB961501)
Actualização de segurança para Windows XP (KB968537)
Actualização de segurança para Windows XP (KB969059)
Actualização de segurança para Windows XP (KB969898)
Actualização de segurança para Windows XP (KB969947)
Actualização de segurança para Windows XP (KB970238)
Actualização de segurança para Windows XP (KB970430)
Actualização de segurança para Windows XP (KB971468)
Actualização de segurança para Windows XP (KB971486)
Actualização de segurança para Windows XP (KB971557)
Actualização de segurança para Windows XP (KB971633)
Actualização de segurança para Windows XP (KB971657)
Actualização de segurança para Windows XP (KB972270)
Actualização de segurança para Windows XP (KB973346)
Actualização de segurança para Windows XP (KB973354)
Actualização de segurança para Windows XP (KB973507)
Actualização de segurança para Windows XP (KB973525)
Actualização de segurança para Windows XP (KB973869)
Actualização de segurança para Windows XP (KB973904)
Actualização de segurança para Windows XP (KB974112)
Actualização de segurança para Windows XP (KB974318)
Actualização de segurança para Windows XP (KB974392)
Actualização de segurança para Windows XP (KB974571)
Actualização de segurança para Windows XP (KB975025)
Actualização de segurança para Windows XP (KB975467)
Actualização de segurança para Windows XP (KB975560)
Actualização de segurança para Windows XP (KB975561)
Actualização de segurança para Windows XP (KB975562)
Actualização de segurança para Windows XP (KB975713)
Actualização de segurança para Windows XP (KB977165)
Actualização de segurança para Windows XP (KB977816)
Actualização de segurança para Windows XP (KB977914)
Actualização de segurança para Windows XP (KB978037)
Actualização de segurança para Windows XP (KB978251)
Actualização de segurança para Windows XP (KB978262)
Actualização de segurança para Windows XP (KB978338)
Actualização de segurança para Windows XP (KB978542)
Actualização de segurança para Windows XP (KB978601)
Actualização de segurança para Windows XP (KB978706)
Actualização de segurança para Windows XP (KB979309)
Actualização de segurança para Windows XP (KB979482)
Actualização de segurança para Windows XP (KB979559)
Actualização de segurança para Windows XP (KB979683)
Actualização de segurança para Windows XP (KB980195)
Actualização de segurança para Windows XP (KB980218)
Actualização de segurança para Windows XP (KB980232)
Actualização de segurança para Windows XP (KB980436)
Actualização de segurança para Windows XP (KB981852)
Actualização de segurança para Windows XP (KB981997)
Actualização de segurança para Windows XP (KB982214)
Actualização de segurança para Windows XP (KB982665)
Actualização para o Windows XP (KB943729)
Actualização para Windows Internet Explorer 8 (KB969497)
Actualização para Windows Internet Explorer 8 (KB976662)
Actualização para Windows Internet Explorer 8 (KB976749)
Actualização para Windows Internet Explorer 8 (KB980182)
Actualização para Windows XP (KB898461)
Actualização para Windows XP (KB955759)
Actualização para Windows XP (KB961503)
Actualização para Windows XP (KB968389)
Actualização para Windows XP (KB971737)
Actualização para Windows XP (KB973687)
Actualização para Windows XP (KB973815)
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.1 - Português
Adobe Shockwave Player 11.5
Alky for Applications (Windows XP)
Any Video Converter 3.0.3
Apple Mobile Device Support
Apple Software Update
Assist TOSHIBA
Assistente de Conexão do Windows Live
ATI - Utilitário de desinstalação de software
ATI Catalyst Control Center
ATI Display Driver
avast! Free Antivirus
Barra Lateral do Windows
Bonjour
Bullzip PDF Printer 6.0.0.865
CD/DVD Drive Acoustic Silencer
Compatibility Pack for Office system de 2007
Compressor WinRAR
Controlador de DVD-RAM
Controlos TOSHIBA
CyberLink PowerDVD 9
ESET Online Scanner v3
eSnips
Extensão Móvel TOSHIBA 3 para Windows XP V3.79.00.XP.C
Ferramenta de Carregamento do Windows Live
Formatar Placa de Memória SD TOSHIBA
Free Mp3 Wma Converter V 1.81
Gadget Documentos Recentes do Microsoft Office 2007
GPL Ghostscript Lite 8.64
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
Hotfix para Windows XP (KB970653-v3)
Hotfix para Windows XP (KB976098-v2)
Hotfix para Windows XP (KB979306)
Hotfix para Windows XP (KB981793)
Intel PROSet Wireless
Intel(R) PRO Network Connections Drivers
iTunes
Java(TM) 6 Update 13
Junk Mail filter update
K-Lite Mega Codec Pack 4.8.0
Módulo seguro SD
Malwarebytes' Anti-Malware
Math-A-Maze
Media Player Product Tool 5.25
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Portuguese Language Pack
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PTG
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PTG
Microsoft .NET Framework 3.5 Language Pack SP1 - ptg
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (Portuguese (Portugal)) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
Microsoft Office Groove MUI (Portuguese (Portugal)) 2007
Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007
Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Portuguese (Portugal)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Portuguese (Portugal)) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007
Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
Microsoft Office Word MUI (Portuguese (Portugal)) 2007
Microsoft Picture It! Express 7.0
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (Portuguese (Portugal)) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WinUsb 1.0
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
Pacote do Fornecedor de Serviço Criptográfico para Cartão Inteligente Base da Microsoft
Paint Shop Pro 6.02 ESD
PC Diagnostic Tool da TOSHIBA
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Search Settings 1.2.2
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Segoe UI
SMSC IrCC V5.1.3600.7
Software Intel(R) PROSet/Wireless WiFi
Spelling Dictionaries Support For Adobe Reader 9
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA ConfigFree
TOSHIBA Hotkey Utility
TOSHIBA Management Console Version 3.5 (3.5.4)
TOSHIBA Power Saver
TOSHIBA Software Modem
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2279264)
Utilitário de Zooming da TOSHIBA
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Galeria de Fotos
Windows Live Mail
Windows Live Messenger
Windows Live Proteção para a Família
Windows Live Sync
Windows Live Toolbar
Windows Live Writer
XML Paper Specification Shared Components Language Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
07-04-2011 20:08:51, Information: Windows File Protection [64002] - An attempt was made to replace the protected system file c:\windows\system32\userinit.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.5512!.
07-04-2011 18:38:51, Information: Windows File Protection [64004] - The protected system file explorer.exe could not be restored to its original, valid version. The file version of the bad file is 6.0.2900.2180. The specific error code is 0x800b0100 [No signature was present in the subject.].
07-04-2011 18:32:51, Information: Windows File Protection [64001] - An attempt was made to replace the protected system file c:\windows\system32\userinit.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the system file version is 5.1.2600.5512.
07-04-2011 18:31:00, Information: Windows File Protection [64001] - An attempt was made to replace the protected system file c:\windows\system32\userinit.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the system file version is 5.1.2600.5512.
.
==== End Of File ===========================
 
2 things:

- Sorry if some lines are in Portuguese, but this is a Portuguese Windows.

- I see AVG in the logs, but it was never available to use. The virus probably disabled it.
 
You're running two AV programs, Avast and AVG.
One of them has to go.
I suggest, AVG goes.
If so, use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools

======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
So MBRCheck ran correctly, but I'm having issues with AVG vs ComboFix.

ComboFix states that "ComboFix cannot run when AVG is installed", even after running AVG Remover.

I tried to run it in Safe Mode and after Rkill, but to no avail. Same message.

rKill Log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 08-04-2011 at 4:39:14.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 08-04-2011 at 4:39:19.

------------------------------------------------------------------

MBRCheck log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 141):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF7996000 \WINDOWS\system32\KDCOM.DLL
0xF78A6000 \WINDOWS\system32\BOOTVID.dll
0xF7446000 ACPI.sys
0xF7998000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7435000 pci.sys
0xF7496000 isapnp.sys
0xF74A6000 ohci1394.sys
0xF74B6000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF78AA000 compbatt.sys
0xF78AE000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A5E000 pciide.sys
0xF7716000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7417000 pcmcia.sys
0xF74C6000 MountMgr.sys
0xF73F8000 ftdisk.sys
0xF799A000 dmload.sys
0xF73D2000 dmio.sys
0xF78B2000 ACPIEC.sys
0xF7A5F000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF771E000 PartMgr.sys
0xF74D6000 VolSnap.sys
0xF73BA000 atapi.sys
0xF74E6000 disk.sys
0xF74F6000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF739A000 fltMgr.sys
0xF7388000 sr.sys
0xF7371000 KSecDD.sys
0xF72E4000 Ntfs.sys
0xF72B7000 NDIS.sys
0xF799C000 TVALG.SYS
0xF729D000 Mup.sys
0xF7556000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF797E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6C00000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6BEC000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6BC4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6B98000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF6796000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
0xF77D6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6772000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77DE000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF674A000 \SystemRoot\system32\drivers\tifm21.sys
0xF6736000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF6725000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7982000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7566000 \SystemRoot\system32\DRIVERS\smcirda.sys
0xF7986000 \SystemRoot\system32\DRIVERS\irenum.sys
0xF6711000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7576000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77E6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF66E2000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79B8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF77EE000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7586000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7596000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF75A6000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF66BF000 \SystemRoot\system32\DRIVERS\ks.sys
0xF75B6000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7ADF000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF77F6000 \SystemRoot\system32\DRIVERS\rasirda.sys
0xF77FE000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF75C6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7279000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF66A8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF75D6000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF75E6000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF6697000 \SystemRoot\system32\DRIVERS\psched.sys
0xF75F6000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7806000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF780E000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6667000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7606000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79BA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6609000 \SystemRoot\system32\DRIVERS\update.sys
0xF725D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF79BC000 \SystemRoot\system32\DRIVERS\NBSMI.sys
0xF7616000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA2FF000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA2DB000 \SystemRoot\system32\drivers\portcls.sys
0xF7646000 \SystemRoot\system32\drivers\drmk.sys
0xAA1C8000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7816000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7666000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79C6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7BCA000 \SystemRoot\System32\Drivers\Null.SYS
0xF79C8000 \SystemRoot\System32\Drivers\Beep.SYS
0xF783E000 \SystemRoot\System32\drivers\vga.sys
0xF79CA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79CC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAA0A2000 \SystemRoot\System32\Drivers\meiudf.sys
0xAA091000 \SystemRoot\System32\Drivers\Udfs.SYS
0xF7846000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF784E000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7976000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA07E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA025000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA9FFF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF76A6000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA9FD7000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF76B6000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7856000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xA9EED000 \SystemRoot\System32\drivers\afd.sys
0xF76C6000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF79CE000 \SystemRoot\System32\Drivers\TMEI3E.SYS
0xA9EC2000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9E52000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76D6000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9E0A000 \SystemRoot\System32\Drivers\aswSP.SYS
0xA9DAC000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xF7876000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF657E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA9D6C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79A0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA9F0F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF775E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BCF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09C000 \SystemRoot\System32\atikvmag.dll
0xBF0E2000 \SystemRoot\System32\ati3duag.dll
0xBF32D000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA7B50000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA7B04000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xA7926000 \SystemRoot\system32\DRIVERS\irda.sys
0xA7A58000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA7A50000 \SystemRoot\system32\DRIVERS\netdevio.sys
0xA7A44000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA76DF000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA7482000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A12000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA724B000 \SystemRoot\system32\DRIVERS\srv.sys
0xA716E000 \SystemRoot\system32\drivers\wdmaud.sys
0xA7527000 \SystemRoot\system32\drivers\sysaudio.sys
0xA6B15000 \SystemRoot\System32\Drivers\HTTP.sys
0xA69FA000
0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 40):
0 System Idle Process
4 System
860 C:\WINDOWS\system32\smss.exe
916 csrss.exe
944 C:\WINDOWS\system32\winlogon.exe
996 C:\WINDOWS\system32\services.exe
1008 C:\WINDOWS\system32\lsass.exe
1168 C:\WINDOWS\system32\ati2evxx.exe
1188 C:\WINDOWS\system32\svchost.exe
1256 svchost.exe
1308 C:\WINDOWS\system32\svchost.exe
1452 C:\Programas\Intel\WiFi\bin\S24EvMon.exe
1532 svchost.exe
1620 C:\WINDOWS\system32\ati2evxx.exe
1636 svchost.exe
2012 C:\Programas\AVAST Software\Avast\AvastSvc.exe
300 C:\WINDOWS\explorer.exe
708 C:\WINDOWS\system32\spoolsv.exe
1012 svchost.exe
1356 C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1376 C:\Programas\Bonjour\mDNSResponder.exe
1404 svchost.exe
1416 C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
1388 C:\WINDOWS\system32\DVDRAMSV.exe
1648 C:\Programas\Intel\WiFi\bin\EvtEng.exe
1684 C:\Programas\Java\jre6\bin\jqs.exe
1880 C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
1712 C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
2068 C:\Programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2228 C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
2304 C:\Programas\TOSHIBA\TME3\TMESRV31.EXE
2432 C:\WINDOWS\system32\wuauclt.exe
2676 wmiprvse.exe
2828 alg.exe
2888 C:\WINDOWS\system32\wbem\wmiapsrv.exe
3636 C:\Programas\Hitman Pro 3.5\HitmanPro35.exe
3644 C:\Programas\AVAST Software\Avast\AvastUI.exe
3652 C:\WINDOWS\system32\ctfmon.exe
3664 C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE
2272 C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000011`5563b400 (NTFS)

PhysicalDrive0 Model Number: HTS541080G9SA00, Rev: MB4OC60D

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: A3CF0C5E0DDB481C20C91FE98105799CE54C7986


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

Any other ideas?
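The MBRCheck report above reduces to a few checks: read sector 0 of the physical drive, hash the boot code, compare the hash with a list of known-good boot sectors, and decode the partition table (the C: and D: offsets it prints are simply partition start LBA x 512). The Python below is an added example that reproduces that triage offline; it is not MBRCheck's code, and since the page does not say which bytes MBRCheck hashes, hashing the first 440 bytes (the boot-code region) is an assumption. The sample sectors, the "clean" and "patched" boot-code bytes and the allowlist are all constructed; the partition start LBAs (63 and 145404378) are taken from the offsets in the log above, the sizes are made up.

```python
"""Triage of a raw MBR sector, in the spirit of the MBRCheck report above."""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR

# Constructed stand-ins for boot code. Real triage would hash the stock
# Windows XP/Vista/7 boot code; these byte strings are placeholders so the
# example runs without a disk.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40
PATCHED_BOOT_CODE = b"\xeb\x3c\x90" + b"\xcc" * 45

# Allowlist keyed by SHA1 of the 440-byte boot-code region (assumption: the
# page does not say which bytes MBRCheck hashes, so this region is a choice).
KNOWN_GOOD_BOOT_CODE = {
    hashlib.sha1(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest().upper():
        "stock boot code (constructed)",
}

# (active, type, lba_start, sector_count). Start LBAs reproduce the offsets in
# the MBRCheck log (0x7e00 = LBA 63, 0x115563b400 = LBA 145404378); the
# sector counts are made up.
SAMPLE_PARTITIONS: List[Tuple[bool, int, int, int]] = [
    (True, 0x07, 63, 133_000_000),
    (False, 0x07, 145_404_378, 10_880_000),
]


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR; constructed so the example needs no real disk."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\x12\x34\x56\x78"          # NT disk signature (made up)
    for i, (active, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack(
            "<B3sB3sII", 0x80 if active else 0x00, b"\xff\xff\xff",
            ptype, b"\xff\xff\xff", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partition_table(sector: bytes) -> List[Dict]:
    """Decode the four MBR partition entries, skipping empty slots."""
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "offset": lba * SECTOR_SIZE,
                      "size_bytes": count * SECTOR_SIZE})
    return parts


def analyze_mbr(sector: bytes) -> Dict:
    """Hash the boot code, look it up in the allowlist, sanity-check the table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    digest = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    parts = parse_partition_table(sector)
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev["lba_start"] + prev["sectors"] > nxt["lba_start"]:
            findings.append(f"partitions {prev['index']} and {nxt['index']} overlap")
    label = KNOWN_GOOD_BOOT_CODE.get(digest)
    return {"sha1": digest, "known_good": label is not None,
            "label": label or "Unknown MBR code",
            "partitions": parts, "findings": findings}


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR; needs administrator rights on Windows. Not called here."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    for name, code in (("clean", CLEAN_BOOT_CODE), ("patched", PATCHED_BOOT_CODE)):
        report = analyze_mbr(build_sample_mbr(code, SAMPLE_PARTITIONS))
        print(f"{name}: SHA1 {report['sha1']} -> {report['label']} {report['findings']}")
        for p in report["partitions"]:
            print(f"  entry {p['index']}: offset 0x{p['offset']:016x} "
                  f"type=0x{p['type']:02x} active={p['active']}")
```

An "Unknown MBR code" verdict only means the hash is not on the allowlist: a non-Microsoft boot manager, an OEM recovery loader or a vendor-specific MBR produce the same result, so the hash has to be checked against the stock boot code for that Windows version before the sector is overwritten.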
 
Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
explorer.exe
userinit.exe
winlogon.exe
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
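The /md5start block at the end of the custom scan hashes the same three files Avast flagged (explorer.exe, userinit.exe, winlogon.exe), and the Windows File Protection events earlier in the thread show what happens when they are patched: WFP compares the file with the copy it keeps in system32\dllcache and restores it, unless the replacement fails because the file has no valid signature. The Python below is an added example of that comparison, not OTL's code or the helper's: it hashes each live copy, compares it with the dllcache/ServicePackFiles copy and with a known-good hash list. The directory layout is the Windows XP one assumed from the paths in the logs, and the whole sample tree (including the "patched" files) is constructed in a temporary directory so the example runs offline.

```python
"""Compare protected system files with their WFP cache copies and a known-good
hash list, the idea behind OTL's /md5start block above."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set

PROTECTED_FILES = ["explorer.exe", "userinit.exe", "winlogon.exe"]
BACKUP_DIRS = ("dllcache", "ServicePackFiles")   # where WFP restores from


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_copies(root: Path, name: str) -> List[Path]:
    """All places a copy of `name` may live under %SystemRoot% on Windows XP."""
    candidates = [root / name,                                   # explorer.exe
                  root / "system32" / name,                      # userinit, winlogon
                  root / "system32" / "dllcache" / name,         # WFP cache
                  root / "ServicePackFiles" / "i386" / name]     # service pack
    return [p for p in candidates if p.is_file()]


def compare_copies(root: Path, known_good: Dict[str, Set[str]]) -> List[Dict]:
    """Flag live copies whose hash is unknown or differs from the cached copy."""
    results = []
    for name in PROTECTED_FILES:
        copies = find_copies(root, name)
        backups = [p for p in copies if any(d in p.parts for d in BACKUP_DIRS)]
        live = [p for p in copies if p not in backups]
        backup_hashes = {md5_of(p) for p in backups}
        for p in live:
            digest = md5_of(p)
            findings = []
            if digest not in known_good.get(name, set()):
                findings.append("not in known-good list")
            if backup_hashes and digest not in backup_hashes:
                findings.append("differs from dllcache/ServicePackFiles copy")
            results.append({"file": p.relative_to(root).as_posix(),
                            "md5": digest, "findings": findings})
    return results


def build_sample_tree(root: Path) -> Dict[str, Set[str]]:
    """Constructed stand-in for a Windows XP tree: pristine copies in dllcache,
    explorer.exe and userinit.exe patched in place, winlogon.exe intact.
    Returns the known-good hash list derived from the pristine copies."""
    originals = {n: f"original {n} (constructed)".encode() for n in PROTECTED_FILES}
    live_path = {"explorer.exe": root / "explorer.exe",
                 "userinit.exe": root / "system32" / "userinit.exe",
                 "winlogon.exe": root / "system32" / "winlogon.exe"}
    cache = root / "system32" / "dllcache"
    cache.mkdir(parents=True)
    for name, data in originals.items():
        (cache / name).write_bytes(data)
        patched = name in ("explorer.exe", "userinit.exe")
        live_path[name].write_bytes(data + b"\xcc patched" if patched else data)
    return {n: {hashlib.md5(d).hexdigest().upper()} for n, d in originals.items()}


def run_demo() -> Dict[str, Dict]:
    """Build the sample tree, run the comparison, key results by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known_good = build_sample_tree(root)
        return {r["file"]: r for r in compare_copies(root, known_good)}


if __name__ == "__main__":
    for rel, r in run_demo().items():
        status = "OK" if not r["findings"] else "; ".join(r["findings"])
        print(f"{rel}: {r['md5']}  {status}")
```

The dllcache comparison is only as good as the cache: malware that patches the cached copy too (or an infection that predates the last service pack) makes both copies agree, so the known-good list has to come from an independent clean install with the same service pack, which is the reason the helper asks for the MD5 values rather than relying on WFP alone.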
 
All right, here are the logs:

OTL LOG:

OTL logfile created on: 08-04-2011 13:55:42 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Utilizador\Ambiente de trabalho
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

1.022,00 Mb Total Physical Memory | 426,00 Mb Available Physical Memory | 42,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
Drive C: | 63,52 Gb Total Space | 47,73 Gb Free Space | 75,14% Space Free | Partition Type: NTFS
Drive D: | 5,19 Gb Total Space | 1,58 Gb Free Space | 30,43% Space Free | Partition Type: NTFS
Drive E: | 563,69 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: UTILIZAD-D3390B | User Name: Utilizador | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
PRC - [2011-02-23 19:34:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Programas\AVAST Software\Avast\AvastUI.exe
PRC - [2011-02-23 19:34:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Programas\AVAST Software\Avast\AvastSvc.exe
PRC - [2009-03-26 15:31:20 | 000,132,424 | ---- | M] (Apple Inc.) -- C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009-02-27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Intel\WiFi\bin\EvtEng.exe
PRC - [2009-02-27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009-02-27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
PRC - [2005-12-20 11:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2005-01-17 16:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004-08-28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
PRC - [2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003-06-20 03:55:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE


========== Modules (SafeList) ==========

MOD - [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
MOD - [2008-04-15 15:30:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wlknvoym)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011-02-23 19:34:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programas\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009-03-26 15:31:20 | 000,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009-02-27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2009-02-27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2009-02-27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2008-11-04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006-10-26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005-12-20 11:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005-04-05 09:37:04 | 000,118,784 | ---- | M] (TOSHIBA) [Auto | Stopped] -- C:\Programas\TOSHIBA\TME3\Tmesrv31.exe -- (Tmesrv)
SRV - [2005-01-17 16:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004-08-28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2003-06-20 03:55:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)


========== Driver Services (SafeList) ==========

DRV - [2011-02-23 19:26:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011-02-23 19:26:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011-02-23 19:25:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011-02-23 19:25:47 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011-02-23 19:25:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011-02-23 19:24:57 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011-02-23 19:24:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010-09-11 17:14:42 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2010-04-28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009-04-14 16:09:56 | 005,069,312 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009-03-04 22:01:31 | 004,202,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2008-08-13 17:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2008-08-05 20:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2007-09-26 06:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Controlador do Adaptador da ligação WiFi sem fios Intel(R)
DRV - [2006-08-29 21:09:12 | 001,723,904 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006-01-04 15:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2005-12-26 13:49:00 | 000,005,888 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\TVALG.SYS -- (TVALG)
DRV - [2005-11-30 11:12:00 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005-11-15 11:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005-10-20 14:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005-06-02 05:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2004-12-09 14:54:12 | 000,046,592 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2004-06-16 11:08:48 | 000,005,888 | ---- | M] (Toshiba Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TMEI3E.SYS -- (TMEI3E)
DRV - [2003-01-29 14:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://pt.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = pt
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A DA F0 04 35 F5 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009-05-24 20:00:45 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010-09-11 16:06:33 | 000,002,828 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 74.55.176.156 www.google.com
O1 - Hosts: 74.55.176.156 google.com
O1 - Hosts: 74.55.176.156 google.com.au
O1 - Hosts: 74.55.176.156 www.google.com.au
O1 - Hosts: 74.55.176.156 google.be
O1 - Hosts: 74.55.176.156 www.google.be
O1 - Hosts: 74.55.176.156 google.com.br
O1 - Hosts: 74.55.176.156 www.google.com.br
O1 - Hosts: 74.55.176.156 google.ca
O1 - Hosts: 38 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programas\AVAST Software\Avast\aswWebRepIE.dll ()
O2 - BHO: (Auxiliar de Conexão do Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (CescrtHlpr Object) - {F9B72325-A029-4a39-943A-02433C978829} - C:\Programas\eSnips.com\eSnipsToolbar\1.3.0.3\escort.dll (esnips)
O3 - HKLM\..\Toolbar: (esnips Toolbar) - {3132F1DF-2C69-49f5-ACA5-69965FC18E59} - C:\Programas\eSnips.com\eSnipsToolbar\1.3.0.3\escorTlbr.dll (esnips)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programas\AVAST Software\Avast\aswWebRepIE.dll ()
O4 - HKLM..\Run: [avast] C:\Programas\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Programas\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\Utilizador\Menu Iniciar\Programas\Arranque\Índice do OneNote.onetoc2 ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programas\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242890722484 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242890714281 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O24 - Desktop Components:0 (A minha home page actual) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Utilizador\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Utilizador\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-05-21 13:27:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004-08-04 15:30:00 | 000,000,112 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\AutoRun\command - "" = F:\ojcIHq.eXE
O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\OPen\cOMMaNd - "" = F:\OJCihQ.eXE
O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\AutoRun\command - "" = F:\NhnjVS.exe
O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\opeN\commANd - "" = F:\nhnJvS.eXe
O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2004-08-04 15:30:00 | 002,584,576 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe
O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\open\command - "" = G:\DRIVE\file.exe
O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell - "" = AutoRun
O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe
O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: SSHNAS - File not found

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54619756233228288)

========== Files/Folders - Created Within 30 Days ==========

[2011-04-08 13:55:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011-04-08 13:54:33 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
[2011-04-08 03:16:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011-04-08 03:02:49 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
[2011-04-07 19:35:07 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\TFC.exe
[2011-04-07 18:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Iniciar\Programas\avast! Free Antivirus
[2011-04-07 18:43:20 | 000,301,528 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011-04-07 18:43:20 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011-04-07 18:43:18 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011-04-07 18:43:17 | 000,371,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011-04-07 18:43:17 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011-04-07 18:43:16 | 000,102,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011-04-07 18:43:16 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011-04-07 18:43:16 | 000,030,680 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011-04-07 18:43:02 | 000,190,016 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011-04-07 18:43:02 | 000,040,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011-04-07 18:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011-04-07 18:25:00 | 000,000,000 | ---D | C] -- C:\Programas\Hitman Pro 3.5
[2011-04-07 18:24:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011-04-07 18:24:07 | 006,449,984 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\HitmanPro35.exe
[2011-04-07 17:27:39 | 000,000,000 | ---D | C] -- C:\Programas\ESET
[2011-04-07 16:55:54 | 000,000,000 | ---D | C] -- C:\Programas\AVAST Software
[2011-04-07 14:11:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011-04-07 14:11:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Iniciar\Programas\Malwarebytes' Anti-Malware
[2011-04-07 14:11:32 | 000,000,000 | ---D | C] -- C:\Programas\Malwarebytes' Anti-Malware
[2011-04-07 14:08:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011-04-07 13:50:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilizador\Application Data\Malwarebytes
[2011-04-07 13:07:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011-04-07 12:22:57 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011-04-07 12:13:30 | 000,000,000 | ---D | C] -- C:\Programas\Alwil Software
[2011-04-07 12:13:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011-04-06 22:34:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009-05-21 12:23:08 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll

========== Files - Modified Within 30 Days ==========

[2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
[2011-04-08 13:52:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011-04-08 13:47:01 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job
[2011-04-08 13:45:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011-04-08 13:45:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011-04-08 03:03:32 | 004,315,416 | R--- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\ComboFix.exe
[2011-04-08 03:03:03 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe
[2011-04-08 03:02:51 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
[2011-04-08 00:03:20 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011-04-07 22:13:22 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
[2011-04-07 22:12:22 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\d76w6zpe.exe
[2011-04-07 19:35:14 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\TFC.exe
[2011-04-07 19:21:03 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011-04-07 18:43:21 | 000,001,658 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\avast! Free Antivirus.lnk
[2011-04-07 18:43:17 | 000,003,100 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011-04-07 18:30:55 | 000,002,176 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2011-04-07 18:24:07 | 006,449,984 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\HitmanPro35.exe
[2011-04-07 14:36:13 | 000,500,618 | ---- | M] () -- C:\WINDOWS\System32\perfh016.dat
[2011-04-07 14:36:13 | 000,444,236 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011-04-07 14:36:13 | 000,088,472 | ---- | M] () -- C:\WINDOWS\System32\perfc016.dat
[2011-04-07 14:36:13 | 000,072,494 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011-04-07 14:11:36 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Malwarebytes' Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2011-04-08 03:03:32 | 004,315,416 | R--- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\ComboFix.exe
[2011-04-08 03:03:01 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe
[2011-04-07 22:13:14 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
[2011-04-07 22:12:17 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\d76w6zpe.exe
[2011-04-07 18:43:21 | 000,001,658 | ---- | C] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\avast! Free Antivirus.lnk
[2011-04-07 18:30:55 | 000,002,176 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2011-04-07 18:25:02 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011-04-07 14:11:36 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Malwarebytes' Anti-Malware.lnk
[2010-07-24 18:20:03 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\ecfnhyma
[2010-07-18 23:48:31 | 000,017,712 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\etec.drv
[2010-07-18 23:46:42 | 000,000,466 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\atec.drv
[2010-07-18 23:43:40 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\fhmi
[2010-07-18 23:43:27 | 000,003,509 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\Cerulean.lic
[2010-02-27 21:42:04 | 002,887,680 | ---- | C] () -- C:\WINDOWS\System32\VagalumePluginWMP.dll
[2009-12-16 19:28:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009-12-16 19:28:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009-12-16 19:28:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009-12-16 19:28:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009-12-16 19:28:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009-11-13 02:31:38 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009-10-31 22:28:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009-10-28 18:00:43 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009-05-24 15:46:58 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\default.pls
[2009-05-22 23:38:59 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009-05-21 20:18:51 | 000,170,496 | ---- | C] () -- C:\Documents and Settings\Utilizador\Definições locais\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-05-21 16:02:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TOSMgmt.dll
[2009-05-21 15:54:44 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
[2009-05-21 15:53:05 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009-05-21 15:53:03 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009-05-21 15:53:03 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009-05-21 15:53:03 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009-05-21 15:53:01 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-05-21 14:11:43 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009-05-21 14:10:12 | 000,271,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009-05-21 13:36:57 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009-05-21 13:31:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009-05-21 13:28:22 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009-05-21 13:23:15 | 000,021,924 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009-05-21 13:01:25 | 000,000,413 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009-05-21 12:33:40 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2009-05-21 12:33:40 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2009-05-21 12:33:40 | 000,010,166 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2009-05-21 12:33:40 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2009-05-21 12:27:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2009-05-21 12:23:08 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2009-05-21 11:32:36 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Utilizador\Definições locais\Application Data\fusioncache.dat
[2009-05-21 11:25:55 | 000,133,583 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2008-04-15 15:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008-04-15 15:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008-04-15 15:30:00 | 000,500,618 | ---- | C] () -- C:\WINDOWS\System32\perfh016.dat
[2008-04-15 15:30:00 | 000,444,236 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008-04-15 15:30:00 | 000,314,414 | ---- | C] () -- C:\WINDOWS\System32\perfi016.dat
[2008-04-15 15:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008-04-15 15:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008-04-15 15:30:00 | 000,088,472 | ---- | C] () -- C:\WINDOWS\System32\perfc016.dat
[2008-04-15 15:30:00 | 000,072,494 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008-04-15 15:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008-04-15 15:30:00 | 000,036,952 | ---- | C] () -- C:\WINDOWS\System32\perfd016.dat
[2008-04-15 15:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008-04-15 15:30:00 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\userinit.exe
[2008-04-15 15:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008-04-15 15:30:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008-04-15 15:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008-04-15 15:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011-04-07 14:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011-04-07 18:42:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011-04-08 03:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2011-04-07 17:34:10 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\faa01a9
[2011-04-07 18:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010-09-02 21:54:25 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSTSZERUFS
[2009-05-21 16:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2009-05-21 15:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010-02-27 21:39:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\AnvSoft
[2010-02-27 18:23:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Any Video Converter
[2009-05-21 18:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Bullzip
[2011-04-07 17:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\CAAC8D2ED80A65103FBE3F97655A3DAF
[2009-08-22 01:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\esnips.com
[2011-02-25 01:53:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Oxudn
[2009-10-28 18:06:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Search Settings
[2009-05-21 12:33:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\toshiba
[2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Uniblue
[2011-04-08 13:47:01 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009-05-21 13:27:10 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011-04-08 13:52:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008-04-15 15:30:00 | 000,004,952 | RHS- | M] () -- C:\bootfont.bin
[2011-04-07 18:14:07 | 000,003,948 | ---- | M] () -- C:\BrmiT.txt
[2009-05-21 13:27:10 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009-05-21 13:27:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009-05-21 13:27:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008-04-15 15:30:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008-04-15 15:30:00 | 000,251,120 | RHS- | M] () -- C:\ntldr
[2011-04-08 13:45:00 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2011-04-08 04:39:19 | 000,000,359 | ---- | M] () -- C:\rkill.log

< %systemroot%\Fonts\*.com >
[2006-04-18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006-06-29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006-04-18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006-06-29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009-05-21 13:26:36 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008-07-06 16:36:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007-04-09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2006-10-26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008-07-06 15:20:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2011-02-23 19:34:21 | 000,040,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2010-04-17 00:21:08 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009-05-21 14:09:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009-05-21 14:09:24 | 001,097,728 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009-05-21 14:09:24 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >
[2008-06-23 16:36:24 | 000,773,120 | ---- | M] () -- C:\WINDOWS\system32\NEROINSTAEC43759.DB

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009-05-21 13:34:20 | 000,000,076 | -HS- | M] () -- C:\Documents and Settings\Utilizador\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2009-05-21 13:34:19 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Utilizador\Application Data\Microsoft\Internet Explorer\Quick Launch\Mostrar ambiente de trabalho.scf

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >
[1 C:\Programas\Internet Explorer\*.tmp files -> C:\Programas\Internet Explorer\*.tmp -> ]

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2011-04-08 13:53:49 | 000,163,840 | -HS- | M] () -- C:\Documents and Settings\Utilizador\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2009-02-27 20:27:02 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2009-02-27 19:51:37 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\custsat.dll
[2008-04-15 15:30:00 | 000,004,821 | R--- | M] () -- C:\Programas\Messenger\logowin.gif
[2007-04-03 03:07:24 | 000,007,047 | ---- | M] () -- C:\Programas\Messenger\lvback.gif
[2008-05-02 17:14:34 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msgsc.dll
[2008-04-14 02:30:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msgslang.dll
[2008-04-15 01:09:56 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msmsgs.exe
[2008-04-15 15:30:00 | 000,009,306 | ---- | M] () -- C:\Programas\Messenger\newalert.wav
[2008-04-15 15:30:00 | 000,018,052 | ---- | M] () -- C:\Programas\Messenger\newemail.wav
[2008-04-15 15:30:00 | 000,009,306 | ---- | M] () -- C:\Programas\Messenger\online.wav
[2007-04-03 03:07:28 | 000,004,454 | ---- | M] () -- C:\Programas\Messenger\type.wav
[2007-01-24 15:53:00 | 000,123,995 | ---- | M] () -- C:\Programas\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< MD5 for: EXPLORER.EXE >
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=73BF5036A2ABA403DB078C65B1A29A99 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=8CE8153D67135457E215C733BAFBF508 -- C:\WINDOWS\explorer.exe
[2011-04-08 13:45:09 | 000,004,608 | ---- | M] () MD5=AF7DB267EF18C63ABDB6292FEC17993C -- C:\Documents and Settings\Utilizador\Definições locais\Temp\explorer.exe
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=D2D6BF11A956FCE4DCBE77F3199F39C1 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: USERINIT.EXE >
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] () MD5=8068F7FEF4242B07525DBDA8AB9D1051 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=2EFCB948E7DA1B6D6FE351032FF76391 -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=83B4911B8E667F9648753A8928131636 -- C:\WINDOWS\system32\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=AB7F1E796C2D4D1B81349198050DE5C0 -- C:\WINDOWS\system32\dllcache\winlogon.exe

< End of report >
 
Extras:

OTL Extras logfile created on: 08-04-2011 13:55:43 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Utilizador\Ambiente de trabalho
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

1.022,00 Mb Total Physical Memory | 426,00 Mb Available Physical Memory | 42,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
Drive C: | 63,52 Gb Total Space | 47,73 Gb Free Space | 75,14% Space Free | Partition Type: NTFS
Drive D: | 5,19 Gb Total Space | 1,58 Gb Free Space | 30,43% Space Free | Partition Type: NTFS
Drive E: | 563,69 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: UTILIZAD-D3390B | User Name: Utilizador | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programas\Java\jre6\bin\java.exe" = C:\Programas\Java\jre6\bin\java.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Documents and Settings\All Users\Application Data\faa01a9\MSfaa0_302.exe" = C:\Documents and Settings\All Users\Application Data\faa01a9\MSfaa0_302.exe:*:Enabled:My Security Shield
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Explorador do Windows -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0800E395-4DD7-3A93-BB96-08596C0D725F}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PTG
"{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}" = Search Settings 1.2.2
"{0D70FCFE-2102-4951-A56E-22DD07DFA5B6}" = Microsoft .NET Framework 1.1 Portuguese Language Pack
"{0FFEA8EE-7BC7-4C9D-8CC6-5B8C891BA3F2}" = Windows Live Essentials
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = Assist TOSHIBA
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Ferramenta de Carregamento do Windows Live
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
"{2DF215E0-BD3C-4C98-8616-AFEF09747285}" = Windows Live Sync
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C9816-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{369B36BE-3D64-4641-9AEA-808D436FE130}" = Microsoft Picture It! Express 7.0
"{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = TIPCI
"{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}" = Formatar Placa de Memória SD TOSHIBA
"{4A460FEA-AF9C-416F-BA6E-EE239609BD1D}" = ATI Catalyst Control Center
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{51A9E3DD-37B8-47BB-8E67-5B76B3EFBC48}" = Assistente de Conexão do Windows Live
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{590035D9-BFA0-406A-A7F0-479C72C0DDB2}" = Windows Live Call
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = Utilitário de Zooming da TOSHIBA
"{64DD71BC-3109-4C88-9AD3-D5422644B722}" = TOSHIBA Hotkey Utility
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69BE47C2-36FE-4397-8199-85D8EAE69982}" = TOSHIBA TouchPad ON/Off Utility
"{74AD1846-2010-4FB1-8E24-B6F2B87150C2}" = Windows Live Mail
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}" = TOSHIBA Utilities
"{7B1DBCBE-DF17-3B58-844C-F572F70EF5C4}" = Microsoft .NET Framework 3.5 Language Pack SP1 - ptg
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{87A9C015-C2BA-44EE-9C20-6E1A764B8E23}" = Windows Live Galeria de Fotos
"{88528F28-E04A-3A93-B3C0-14651148FE82}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PTG
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90120000-0010-0816-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Portuguese (Portugal)) 12
"{90120000-0015-0816-0000-0000000FF1CE}" = Microsoft Office Access MUI (Portuguese (Portugal)) 2007
"{90120000-0015-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0816-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
"{90120000-0016-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0816-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
"{90120000-0018-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0816-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007
"{90120000-0019-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0816-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007
"{90120000-001A-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0816-0000-0000000FF1CE}" = Microsoft Office Word MUI (Portuguese (Portugal)) 2007
"{90120000-001B-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0816-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Portugal)) 2007
"{90120000-001F-0816-0000-0000000FF1CE}_ENTERPRISE_{C312E1CD-EC19-4270-A072-F36F634DFF79}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0816-0000-0000000FF1CE}" = Compatibility Pack for Office system de 2007
"{90120000-002C-0816-0000-0000000FF1CE}" = Microsoft Office Proofing (Portuguese (Portugal)) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0816-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007
"{90120000-0044-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0816-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
"{90120000-006E-0816-0000-0000000FF1CE}_ENTERPRISE_{A8523DA4-5563-4F0E-BD9D-4E4CC3CF7239}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-008A-0816-0000-0000000FF1CE}" = Gadget Documentos Recentes do Microsoft Office 2007
"{90120000-00A1-0816-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
"{90120000-00A1-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0816-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Portuguese (Portugal)) 2007
"{90120000-00BA-0816-0000-0000000FF1CE}_ENTERPRISE_{C2EC91A8-CC39-45F7-9E46-62B85ADF9DF5}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0416-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9555B4ED-09A3-4722-8E8C-57A49401D059}" = Windows Live Writer
"{9ADC3E4F-34DA-48CD-8727-BB26D90257BD}" = Windows Live Messenger
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = Controlador de DVD-RAM
"{9E17C94B-913A-48A4-B1A8-8CE25157C170}" = Media Player Product Tool 5.25
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = Controlos TOSHIBA
"{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
"{AC76BA86-7AD7-1046-7B44-A91000000001}" = Adobe Reader 9.1.1 - Português
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B0D71B3D-D679-4BF7-9F9C-5C98F34345DF}" = Windows Live Proteção para a Família
"{BB05D173-9681-4812-A7FA-BD4042A3DA00}" = Alky for Applications (Windows XP)
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C45F4811-31D5-4786-801D-F79CD06EDD85}" = Módulo seguro SD
"{C50BF854-E881-434F-9C67-5A73EBB58F06}" = Windows Live Toolbar
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}" = SMSC IrCC V5.1.3600.7
"{F22FD942-651D-4EE8-BD6F-7E0AF5E17625}" = Software Intel(R) PROSet/Wireless WiFi
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All ATI Software" = ATI - Utilitário de desinstalação de software
"Any Video Converter_is1" = Any Video Converter 3.0.3
"ATI Display Driver" = ATI Display Driver
"avast" = avast! Free Antivirus
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 6.0.0.865
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"eSnipsToolbar" = eSnips
"Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.81
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.64
"ie8" = Windows Internet Explorer 8
"InstallShield_{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.8.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Math-A-Maze" = Math-A-Maze
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - ptg" = Microsoft .NET Framework 3.5 Language Pack SP1 - PTG
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Paint Shop Pro 6" = Paint Shop Pro 6.02 ESD
"PC Diagnostic Tool" = PC Diagnostic Tool da TOSHIBA
"Power Saver" = TOSHIBA Power Saver
"ProInst" = Intel PROSet Wireless
"PROSet" = Intel(R) PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TME3" = Extensão Móvel TOSHIBA 3 para Windows XP V3.79.00.XP.C
"TOSHIBA Management Console" = TOSHIBA Management Console Version 3.5 (3.5.4)
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Sidebar" = Barra Lateral do Windows
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = Compressor WinRAR
"winusb0100" = Microsoft WinUsb 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 06-04-2011 14:33:47 | Computer Name = UTILIZAD-D3390B | Source = Application Error | ID = 1000
Description = Aplicação em falha 566.exe, versão 0.0.0.0, módulo em falha 566.exe,
versão 0.0.0.0, endereço em falha 0x0000003f.

Error - 06-04-2011 14:33:57 | Computer Name = UTILIZAD-D3390B | Source = Application Error | ID = 1000
Description = Aplicação em falha 566.exe, versão 0.0.0.0, módulo em falha unknown,
versão 0.0.0.0, endereço em falha 0x00002f2f.

Error - 07-04-2011 8:25:28 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
Description = Ocorreu uma falha na actualização automática do número de sequência
da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com o erro: The connection with the server was terminated abnormally

Error - 07-04-2011 8:56:45 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
Description = Ocorreu uma falha na actualização automática do número de sequência
da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com o erro: The connection with the server was terminated abnormally

Error - 07-04-2011 8:56:45 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
Description = Ocorreu uma falha na actualização automática do número de sequência
da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com o erro: Esta ligação de rede não existe.

Error - 07-04-2011 8:57:16 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
Description = Ocorreu uma falha na actualização automática do número de sequência
da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com o erro: The connection with the server was terminated abnormally

Error - 07-04-2011 8:57:16 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
Description = Ocorreu uma falha na actualização automática do número de sequência
da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com o erro: Esta ligação de rede não existe.

Error - 07-04-2011 8:57:16 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131080
Description = Ocorreu uma falha na actualização automática do número de sequência
da lista de raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com o erro: Esta ligação de rede não existe.

Error - 07-04-2011 9:56:06 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131083
Description = Ocorreu uma falha na extracção da lista de raiz de terceiros do cab
de actualização automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
com o erro: Um certificado necessário não está no seu período de validade ao ser
verificado contra o relógio do sistema actual ou a assinatura de data/hora no ficheiro
assinado.

Error - 07-04-2011 9:56:06 | Computer Name = UTILIZAD-D3390B | Source = crypt32 | ID = 131083
Description = Ocorreu uma falha na extracção da lista de raiz de terceiros do cab
de actualização automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
com o erro: Um certificado necessário não está no seu período de validade ao ser
verificado contra o relógio do sistema actual ou a assinatura de data/hora no ficheiro
assinado.

[ OSession Events ]
Error - 12-06-2009 14:13:42 | Computer Name = UTILIZAD-D3390B | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.6425.1000. This session lasted 28
seconds with 0 seconds of active time. This session ended with a crash.

Error - 30-06-2009 13:41:34 | Computer Name = UTILIZAD-D3390B | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.6425.1000. This session lasted 61
seconds with 60 seconds of active time. This session ended with a crash.

Error - 16-10-2009 0:44:22 | Computer Name = UTILIZAD-D3390B | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.6425.1000. This session lasted 26
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11-06-2010 9:00:47 | Computer Name = UTILIZAD-D3390B | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 98
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 07-04-2011 17:00:42 | Computer Name = UTILIZAD-D3390B | Source = Service Control Manager | ID = 7000
Description = O serviço AVG Free WatchDog falhou o arranque devido ao seguinte erro:
%%2

Error - 07-04-2011 17:00:42 | Computer Name = UTILIZAD-D3390B | Source = Service Control Manager | ID = 7023
Description = O serviço Serviço de 'Restauro do sistema' terminou com o seguinte
erro: %%2

Error - 07-04-2011 17:00:42 | Computer Name = UTILIZAD-D3390B | Source = Service Control Manager | ID = 7001
Description = O serviço AVG Free E-mail Scanner depende do serviço AVG Free WatchDog
o qual falhou o arranque devido ao seguinte erro: %%2

Error - 07-04-2011 18:57:42 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço EventSystem
com os argumentos "" de forma a executar o servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 07-04-2011 18:58:02 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço EventSystem
com os argumentos "" de forma a executar o servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 07-04-2011 18:58:13 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço EventSystem
com os argumentos "" de forma a executar o servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 07-04-2011 18:59:08 | Computer Name = UTILIZAD-D3390B | Source = Service Control Manager | ID = 7026
Description = Falhou o carregamento dos seguintes controladores de início de arranque
ou de início do sistema: Aavmker4 aswSnx aswSP aswTdi Fips intelppm TMEI3E

Error - 07-04-2011 19:18:57 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço wuauserv
com os argumentos "" de forma a executar o servidor: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 07-04-2011 19:23:39 | Computer Name = UTILIZAD-D3390B | Source = DCOM | ID = 10005
Description = O DCOM obteve o erro "%1084" ao tentar iniciar o serviço EventSystem
com os argumentos "" de forma a executar o servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 08-04-2011 5:20:15 | Computer Name = UTILIZAD-D3390B | Source = Dhcp | ID = 1002
Description = A concessão 192.168.2.3 do endereço IP para a placa de rede com o
endereço de rede 00A0D134F243 foi negado pelo servidor DHCP 192.168.2.1 (O servidor
DHCP enviou uma mensagem DHCPNACK).


< End of report >
 
Download BlitzBlank and save it to your desktop.
Double click on Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
Code:
CopyFile:
C:\WINDOWS\system32\dllcache\userinit.exe C:\WINDOWS\system32\userinit.exe
DeleteFile:
C:\Documents and Settings\Utilizador\Definições locais\Temp\explorer.exe


  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by Blitzblank.
    You can find it in the root of the drive, normally C:\
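As an added example, not part of this thread and not code from OTL or BlitzBlank: a small Python script that parses the "< MD5 for: ... >" sections of the OTL log posted above and flags every copy that disagrees with the dllcache copy. That comparison is what justifies the script above (system32\userinit.exe carries a different hash and no company name, so it is restored from dllcache; the Temp explorer.exe is a stray 4,608-byte file, so it is deleted). The sample text is copied verbatim from the log; the function names are my own.

```python
"""Added example: triage the "< MD5 for: ... >" sections of an OTL log.

OTL lists every copy of a requested file with its MD5. The dllcache copy is
Windows File Protection's pristine cache, so a system32 copy whose hash,
size or company name disagrees with it (the Patched-RP pattern on
userinit.exe, winlogon.exe, explorer.exe), or a stray copy under Temp, is
what the cleaning script above targets. A mismatch is a triage signal, not
proof: a hotfix can legitimately leave different versions side by side.
"""
import re
from collections import defaultdict

# Constructed sample: the three MD5 sections copied verbatim from the OTL log
# posted earlier in this thread (hashes and paths are the ones in the log).
OTL_MD5_SAMPLE = r"""
< MD5 for: EXPLORER.EXE >
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=73BF5036A2ABA403DB078C65B1A29A99 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=8CE8153D67135457E215C733BAFBF508 -- C:\WINDOWS\explorer.exe
[2011-04-08 13:45:09 | 000,004,608 | ---- | M] () MD5=AF7DB267EF18C63ABDB6292FEC17993C -- C:\Documents and Settings\Utilizador\Definições locais\Temp\explorer.exe
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=D2D6BF11A956FCE4DCBE77F3199F39C1 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: USERINIT.EXE >
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] () MD5=8068F7FEF4242B07525DBDA8AB9D1051 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=2EFCB948E7DA1B6D6FE351032FF76391 -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=83B4911B8E667F9648753A8928131636 -- C:\WINDOWS\system32\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=AB7F1E796C2D4D1B81349198050DE5C0 -- C:\WINDOWS\system32\dllcache\winlogon.exe
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
# One OTL entry: [mtime | size | attrs | M] (company) MD5=hash -- path
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>.*?)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>\S.*)$"
)


def parse_md5_sections(text):
    """Return {file name (lower-cased): [entry, ...]} for every MD5 section."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            current = head.group("name").lower()
            continue
        if not line or current is None:
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # unrelated line inside the section, skip it
        sections[current].append({
            "path": entry.group("path").strip(),
            "size": int(entry.group("size").replace(",", "")),
            "company": entry.group("company").strip(),
            "md5": entry.group("md5").upper(),
        })
    return dict(sections)


def audit_md5_sections(text):
    """Return {path: [reason, ...]} for every copy that deserves a look.

    The dllcache copy is the reference; every other copy of the same file
    is compared against it. Copies under a Temp directory and copies with
    no company name are flagged regardless of a reference.
    """
    findings = defaultdict(list)
    for entries in parse_md5_sections(text).values():
        ref = next((e for e in entries if "\\dllcache\\" in e["path"].lower()), None)
        for e in entries:
            if e is ref:
                continue
            if ref is not None and e["md5"] != ref["md5"]:
                findings[e["path"]].append("hash differs from dllcache copy")
            if ref is not None and e["size"] != ref["size"]:
                findings[e["path"]].append("size differs from dllcache copy")
            if not e["company"]:
                findings[e["path"]].append("no company name")
            if "\\temp\\" in e["path"].lower():
                findings[e["path"]].append("lives in a Temp directory")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(audit_md5_sections(OTL_MD5_SAMPLE).items()):
        print(f"{path}\n    {'; '.join(reasons)}")
```

Run against a full OTL log the same functions work unchanged, since the parser ignores everything outside the "< MD5 for: ... >" sections.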
 
Ooops, sorry about that...

New script:
CopyFile:
C:\WINDOWS\system32\dllcache\userinit.exe C:\WINDOWS\system32\userinit.exe
DeleteFile:
"C:\Documents and Settings\Utilizador\Definições locais\Temp\explorer.exe"
 
:p

Is this the report? It looks a tiny bit "small" (I couldn't find any other log created)


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\system32\dllcache\userinit.exe", destinationFile = "\??\c:\windows\system32\userinit.exe"
MoveFileOnReboot: sourceFile = "\??\c:\documents and settings\utilizador\definições locais\temp\explorer.exe", destinationFile = "(null)", replaceWithDummy = 0
 
You did fine :)

Now re-run OTL with exactly the same custom script as in my reply #10.
Only one log will be created.
 
And here is the log:

OTL logfile created on: 08-04-2011 19:18:33 - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Utilizador\Ambiente de trabalho
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

1.022,00 Mb Total Physical Memory | 552,00 Mb Available Physical Memory | 54,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 86,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
Drive C: | 63,52 Gb Total Space | 47,38 Gb Free Space | 74,59% Space Free | Partition Type: NTFS
Drive D: | 5,19 Gb Total Space | 1,58 Gb Free Space | 30,43% Space Free | Partition Type: NTFS
Drive E: | 563,69 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: UTILIZAD-D3390B | User Name: Utilizador | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
PRC - [2011-02-23 19:34:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Programas\AVAST Software\Avast\AvastUI.exe
PRC - [2011-02-23 19:34:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Programas\AVAST Software\Avast\AvastSvc.exe
PRC - [2009-03-26 15:31:20 | 000,132,424 | ---- | M] (Apple Inc.) -- C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009-02-27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Intel\WiFi\bin\EvtEng.exe
PRC - [2009-02-27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009-02-27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
PRC - [2005-12-20 11:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2005-04-05 09:37:04 | 000,118,784 | ---- | M] (TOSHIBA) -- C:\Programas\TOSHIBA\TME3\TMESRV31.EXE
PRC - [2005-01-17 16:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004-12-28 16:53:02 | 000,077,824 | ---- | M] (TOSHIBA) -- C:\Programas\TOSHIBA\TME3\TMEEJME.exe
PRC - [2004-08-28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
PRC - [2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003-06-20 03:55:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE


========== Modules (SafeList) ==========

MOD - [2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
MOD - [2008-04-15 15:30:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wlknvoym)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011-02-23 19:34:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programas\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009-03-26 15:31:20 | 000,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009-02-27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2009-02-27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2009-02-27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2008-11-04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006-10-26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005-12-20 11:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005-04-05 09:37:04 | 000,118,784 | ---- | M] (TOSHIBA) [Auto | Running] -- C:\Programas\TOSHIBA\TME3\Tmesrv31.exe -- (Tmesrv)
SRV - [2005-01-17 16:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004-08-28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2003-06-20 03:55:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)


========== Driver Services (SafeList) ==========

DRV - [2011-02-23 19:26:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011-02-23 19:26:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011-02-23 19:25:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011-02-23 19:25:47 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011-02-23 19:25:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011-02-23 19:24:57 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011-02-23 19:24:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010-09-11 17:14:42 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2010-04-28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009-04-14 16:09:56 | 005,069,312 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009-03-04 22:01:31 | 004,202,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2008-08-13 17:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2008-08-05 20:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2007-09-26 06:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Controlador do Adaptador da ligação WiFi sem fios Intel(R)
DRV - [2006-08-29 21:09:12 | 001,723,904 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006-01-04 15:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2005-12-26 13:49:00 | 000,005,888 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\TVALG.SYS -- (TVALG)
DRV - [2005-11-30 11:12:00 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005-11-15 11:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005-10-20 14:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005-06-02 05:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2004-12-09 14:54:12 | 000,046,592 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2004-06-16 11:08:48 | 000,005,888 | ---- | M] (Toshiba Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TMEI3E.SYS -- (TMEI3E)
DRV - [2003-01-29 14:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://pt.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = pt
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A DA F0 04 35 F5 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009-05-24 20:00:45 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010-09-11 16:06:33 | 000,002,828 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 74.55.176.156 www.google.com
O1 - Hosts: 74.55.176.156 google.com
O1 - Hosts: 74.55.176.156 google.com.au
O1 - Hosts: 74.55.176.156 www.google.com.au
O1 - Hosts: 74.55.176.156 google.be
O1 - Hosts: 74.55.176.156 www.google.be
O1 - Hosts: 74.55.176.156 google.com.br
O1 - Hosts: 74.55.176.156 www.google.com.br
O1 - Hosts: 74.55.176.156 google.ca
O1 - Hosts: 38 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programas\AVAST Software\Avast\aswWebRepIE.dll ()
O2 - BHO: (Auxiliar de Conexão do Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (CescrtHlpr Object) - {F9B72325-A029-4a39-943A-02433C978829} - C:\Programas\eSnips.com\eSnipsToolbar\1.3.0.3\escort.dll (esnips)
O3 - HKLM\..\Toolbar: (esnips Toolbar) - {3132F1DF-2C69-49f5-ACA5-69965FC18E59} - C:\Programas\eSnips.com\eSnipsToolbar\1.3.0.3\escorTlbr.dll (esnips)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programas\AVAST Software\Avast\aswWebRepIE.dll ()
O4 - HKLM..\Run: [avast] C:\Programas\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Programas\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\Utilizador\Menu Iniciar\Programas\Arranque\Índice do OneNote.onetoc2 ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programas\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242890722484 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242890714281 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O24 - Desktop Components:0 (A minha home page actual) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Utilizador\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Utilizador\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-05-21 13:27:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004-08-04 15:30:00 | 000,000,112 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\AutoRun\command - "" = F:\ojcIHq.eXE
O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\OPen\cOMMaNd - "" = F:\OJCihQ.eXE
O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\AutoRun\command - "" = F:\NhnjVS.exe
O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\opeN\commANd - "" = F:\nhnJvS.eXe
O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2004-08-04 15:30:00 | 002,584,576 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe
O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\open\command - "" = G:\DRIVE\file.exe
O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell - "" = AutoRun
O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe
O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: SSHNAS - File not found

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54619756233228288)

========== Files/Folders - Created Within 30 Days ==========

[2011-04-08 19:13:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL v1
[2011-04-08 18:32:42 | 001,153,912 | ---- | C] (Emsi Software GmbH) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\BlitzBlank.exe
[2011-04-08 13:54:33 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
[2011-04-08 03:16:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011-04-08 03:02:49 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
[2011-04-07 19:35:07 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\TFC.exe
[2011-04-07 18:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Iniciar\Programas\avast! Free Antivirus
[2011-04-07 18:43:20 | 000,301,528 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011-04-07 18:43:20 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011-04-07 18:43:18 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011-04-07 18:43:17 | 000,371,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011-04-07 18:43:17 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011-04-07 18:43:16 | 000,102,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011-04-07 18:43:16 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011-04-07 18:43:16 | 000,030,680 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011-04-07 18:43:02 | 000,190,016 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011-04-07 18:43:02 | 000,040,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011-04-07 18:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011-04-07 18:25:00 | 000,000,000 | ---D | C] -- C:\Programas\Hitman Pro 3.5
[2011-04-07 18:24:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011-04-07 18:24:07 | 006,449,984 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\HitmanPro35.exe
[2011-04-07 17:27:39 | 000,000,000 | ---D | C] -- C:\Programas\ESET
[2011-04-07 16:55:54 | 000,000,000 | ---D | C] -- C:\Programas\AVAST Software
[2011-04-07 14:11:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011-04-07 14:11:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Iniciar\Programas\Malwarebytes' Anti-Malware
[2011-04-07 14:11:32 | 000,000,000 | ---D | C] -- C:\Programas\Malwarebytes' Anti-Malware
[2011-04-07 14:08:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011-04-07 13:50:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilizador\Application Data\Malwarebytes
[2011-04-07 13:07:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011-04-07 12:22:57 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011-04-07 12:13:30 | 000,000,000 | ---D | C] -- C:\Programas\Alwil Software
[2011-04-07 12:13:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011-04-06 22:34:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009-05-21 12:23:08 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll

========== Files - Modified Within 30 Days ==========

[2011-04-08 18:53:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011-04-08 18:53:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011-04-08 18:32:44 | 001,153,912 | ---- | M] (Emsi Software GmbH) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\BlitzBlank.exe
[2011-04-08 14:02:45 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job
[2011-04-08 13:54:36 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\OTL.exe
[2011-04-08 13:52:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011-04-08 03:03:32 | 004,315,416 | R--- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\ComboFix.exe
[2011-04-08 03:03:03 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe
[2011-04-08 03:02:51 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
[2011-04-08 00:03:20 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011-04-07 22:13:22 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
[2011-04-07 22:12:22 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\d76w6zpe.exe
[2011-04-07 19:35:14 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\TFC.exe
[2011-04-07 19:21:03 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011-04-07 18:43:21 | 000,001,658 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\avast! Free Antivirus.lnk
[2011-04-07 18:43:17 | 000,003,100 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011-04-07 18:30:55 | 000,002,176 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2011-04-07 18:24:07 | 006,449,984 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\HitmanPro35.exe
[2011-04-07 14:36:13 | 000,500,618 | ---- | M] () -- C:\WINDOWS\System32\perfh016.dat
[2011-04-07 14:36:13 | 000,444,236 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011-04-07 14:36:13 | 000,088,472 | ---- | M] () -- C:\WINDOWS\System32\perfc016.dat
[2011-04-07 14:36:13 | 000,072,494 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011-04-07 14:11:36 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Malwarebytes' Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2011-04-08 03:03:32 | 004,315,416 | R--- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\ComboFix.exe
[2011-04-08 03:03:01 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\MBRCheck.exe
[2011-04-07 22:13:14 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr
[2011-04-07 22:12:17 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\d76w6zpe.exe
[2011-04-07 18:43:21 | 000,001,658 | ---- | C] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\avast! Free Antivirus.lnk
[2011-04-07 18:30:55 | 000,002,176 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2011-04-07 18:25:02 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011-04-07 14:11:36 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Malwarebytes' Anti-Malware.lnk
[2010-07-24 18:20:03 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\ecfnhyma
[2010-07-18 23:48:31 | 000,017,712 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\etec.drv
[2010-07-18 23:46:42 | 000,000,466 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\atec.drv
[2010-07-18 23:43:40 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\fhmi
[2010-07-18 23:43:27 | 000,003,509 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\Cerulean.lic
[2010-02-27 21:42:04 | 002,887,680 | ---- | C] () -- C:\WINDOWS\System32\VagalumePluginWMP.dll
[2009-12-16 19:28:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009-12-16 19:28:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009-12-16 19:28:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009-12-16 19:28:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009-12-16 19:28:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009-11-13 02:31:38 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009-10-31 22:28:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009-10-28 18:00:43 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009-05-24 15:46:58 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\Utilizador\Application Data\default.pls
[2009-05-22 23:38:59 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009-05-21 20:18:51 | 000,170,496 | ---- | C] () -- C:\Documents and Settings\Utilizador\Definições locais\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-05-21 16:02:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TOSMgmt.dll
[2009-05-21 15:54:44 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
[2009-05-21 15:53:05 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009-05-21 15:53:03 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009-05-21 15:53:03 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009-05-21 15:53:03 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009-05-21 15:53:01 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-05-21 14:11:43 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009-05-21 14:10:12 | 000,271,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009-05-21 13:36:57 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009-05-21 13:31:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009-05-21 13:28:22 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009-05-21 13:23:15 | 000,021,924 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009-05-21 13:01:25 | 000,000,413 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009-05-21 12:33:40 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2009-05-21 12:33:40 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2009-05-21 12:33:40 | 000,010,166 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2009-05-21 12:33:40 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2009-05-21 12:27:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2009-05-21 12:23:08 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2009-05-21 11:32:36 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Utilizador\Definições locais\Application Data\fusioncache.dat
[2009-05-21 11:25:55 | 000,133,583 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2008-04-15 15:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008-04-15 15:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008-04-15 15:30:00 | 000,500,618 | ---- | C] () -- C:\WINDOWS\System32\perfh016.dat
[2008-04-15 15:30:00 | 000,444,236 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008-04-15 15:30:00 | 000,314,414 | ---- | C] () -- C:\WINDOWS\System32\perfi016.dat
[2008-04-15 15:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008-04-15 15:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008-04-15 15:30:00 | 000,088,472 | ---- | C] () -- C:\WINDOWS\System32\perfc016.dat
[2008-04-15 15:30:00 | 000,072,494 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008-04-15 15:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008-04-15 15:30:00 | 000,036,952 | ---- | C] () -- C:\WINDOWS\System32\perfd016.dat
[2008-04-15 15:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008-04-15 15:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008-04-15 15:30:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008-04-15 15:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008-04-15 15:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011-04-07 14:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011-04-07 18:42:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011-04-08 03:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2011-04-07 17:34:10 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\faa01a9
[2011-04-07 18:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010-09-02 21:54:25 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSTSZERUFS
[2009-05-21 16:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2009-05-21 15:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010-02-27 21:39:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\AnvSoft
[2010-02-27 18:23:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Any Video Converter
[2009-05-21 18:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Bullzip
[2011-04-07 17:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\CAAC8D2ED80A65103FBE3F97655A3DAF
[2009-08-22 01:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\esnips.com
[2011-02-25 01:53:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Oxudn
[2009-10-28 18:06:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Search Settings
[2009-05-21 12:33:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\toshiba
[2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Uniblue
[2011-04-08 14:02:45 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009-05-21 13:27:10 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011-04-08 18:52:27 | 000,000,754 | ---- | M] () -- C:\blitzblank.log
[2011-04-08 13:52:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008-04-15 15:30:00 | 000,004,952 | RHS- | M] () -- C:\bootfont.bin
[2011-04-07 18:14:07 | 000,003,948 | ---- | M] () -- C:\BrmiT.txt
[2009-05-21 13:27:10 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009-05-21 13:27:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009-05-21 13:27:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008-04-15 15:30:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008-04-15 15:30:00 | 000,251,120 | RHS- | M] () -- C:\ntldr
[2011-04-08 18:53:02 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2011-04-08 04:39:19 | 000,000,359 | ---- | M] () -- C:\rkill.log

< %systemroot%\Fonts\*.com >
[2006-04-18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006-06-29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006-04-18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006-06-29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009-05-21 13:26:36 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008-07-06 16:36:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007-04-09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2006-10-26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008-07-06 15:20:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2011-02-23 19:34:21 | 000,040,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2010-04-17 00:21:08 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009-05-21 14:09:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009-05-21 14:09:24 | 001,097,728 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009-05-21 14:09:24 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >
[2008-06-23 16:36:24 | 000,773,120 | ---- | M] () -- C:\WINDOWS\system32\NEROINSTAEC43759.DB

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009-05-21 13:34:20 | 000,000,076 | -HS- | M] () -- C:\Documents and Settings\Utilizador\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2009-05-21 13:34:19 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Utilizador\Application Data\Microsoft\Internet Explorer\Quick Launch\Mostrar ambiente de trabalho.scf

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >
[1 C:\Programas\Internet Explorer\*.tmp files -> C:\Programas\Internet Explorer\*.tmp -> ]

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2011-04-08 19:01:43 | 000,163,840 | -HS- | M] () -- C:\Documents and Settings\Utilizador\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2009-02-27 20:27:02 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2009-02-27 19:51:37 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\custsat.dll
[2008-04-15 15:30:00 | 000,004,821 | R--- | M] () -- C:\Programas\Messenger\logowin.gif
[2007-04-03 03:07:24 | 000,007,047 | ---- | M] () -- C:\Programas\Messenger\lvback.gif
[2008-05-02 17:14:34 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msgsc.dll
[2008-04-14 02:30:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msgslang.dll
[2008-04-15 01:09:56 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Programas\Messenger\msmsgs.exe
[2008-04-15 15:30:00 | 000,009,306 | ---- | M] () -- C:\Programas\Messenger\newalert.wav
[2008-04-15 15:30:00 | 000,018,052 | ---- | M] () -- C:\Programas\Messenger\newemail.wav
[2008-04-15 15:30:00 | 000,009,306 | ---- | M] () -- C:\Programas\Messenger\online.wav
[2007-04-03 03:07:28 | 000,004,454 | ---- | M] () -- C:\Programas\Messenger\type.wav
[2007-01-24 15:53:00 | 000,123,995 | ---- | M] () -- C:\Programas\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< MD5 for: EXPLORER.EXE >
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=73BF5036A2ABA403DB078C65B1A29A99 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=8CE8153D67135457E215C733BAFBF508 -- C:\WINDOWS\explorer.exe
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=D2D6BF11A956FCE4DCBE77F3199F39C1 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: USERINIT.EXE >
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\dllcache\userinit.exe
[2011-04-08 18:52:27 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=2EFCB948E7DA1B6D6FE351032FF76391 -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=83B4911B8E667F9648753A8928131636 -- C:\WINDOWS\system32\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=AB7F1E796C2D4D1B81349198050DE5C0 -- C:\WINDOWS\system32\dllcache\winlogon.exe

< End of report >
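The three "MD5 for:" sections above are the part of this report worth reading closely: OTL lists every copy of explorer.exe, userinit.exe and winlogon.exe it can find, so a live copy in %systemroot% or system32 whose hash differs from the spare copies in dllcache or ERDNT\cache is a candidate for a patched system file. As an added example (my own code, not OTL's and not the poster's), the Python below parses sections in exactly that layout and makes the comparison mechanically. The sample input is the three sections from this report; treating `dllcache` and `ERDNT` as the backup directories is an assumption of the script.

```python
import re

# Constructed sample: the "MD5 for:" sections of an OTL custom scan, in the layout OTL
# uses (a "< MD5 for: NAME >" header, then one line per copy of that file it found).
SAMPLE_OTL = r"""
< MD5 for: EXPLORER.EXE >
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=73BF5036A2ABA403DB078C65B1A29A99 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2004-08-04 00:57:04 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=8CE8153D67135457E215C733BAFBF508 -- C:\WINDOWS\explorer.exe
[2008-04-15 15:30:00 | 001,035,776 | ---- | M] (Microsoft Corporation) MD5=D2D6BF11A956FCE4DCBE77F3199F39C1 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: USERINIT.EXE >
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008-04-15 15:30:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\dllcache\userinit.exe
[2011-04-08 18:52:27 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=714EE56EF817A7E1F80C57D41149A07F -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=2EFCB948E7DA1B6D6FE351032FF76391 -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=83B4911B8E667F9648753A8928131636 -- C:\WINDOWS\system32\winlogon.exe
[2008-04-15 15:30:00 | 000,510,976 | ---- | M] (Microsoft Corporation) MD5=AB7F1E796C2D4D1B81349198050DE5C0 -- C:\WINDOWS\system32\dllcache\winlogon.exe
"""

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<vendor>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
# Assumption: spare copies live under dllcache (Windows File Protection) and ERDNT\cache.
BACKUP_DIRS = ("\\dllcache\\", "\\erdnt\\")


def parse_md5_sections(text):
    """Return {FILENAME: [entry, ...]}; each entry has date, size, vendor, md5, path."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            sections.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            fields = entry.groupdict()
            fields["md5"] = fields["md5"].upper()
            fields["size"] = int(fields["size"].replace(",", ""))
            sections[current].append(fields)
    return sections


def is_backup_copy(path):
    lowered = path.lower()
    return any(d in lowered for d in BACKUP_DIRS)


def check_file(entries):
    """Compare the live copy of one system file against the cached copies of it."""
    live = [e for e in entries if not is_backup_copy(e["path"])]
    backups = [e for e in entries if is_backup_copy(e["path"])]
    backup_hashes = {e["md5"] for e in backups}
    backup_sizes = {e["size"] for e in backups}
    reasons = []
    if not live:
        reasons.append("no live copy listed")
    elif live[0]["md5"] not in backup_hashes:
        reasons.append("live hash matches no cached copy")
    if live and backup_sizes and live[0]["size"] not in backup_sizes:
        reasons.append("live size differs from cached copies")
    if len(backup_hashes) > 1:
        reasons.append("cached copies disagree with each other")
    return {
        "live_path": live[0]["path"] if live else None,
        "live_md5": live[0]["md5"] if live else None,
        "backup_hashes": sorted(backup_hashes),
        "backups_agree": len(backup_hashes) <= 1,
        "live_matches_backup": bool(live) and live[0]["md5"] in backup_hashes,
        "reasons": reasons,
    }


def analyse(text):
    return {name: check_file(entries) for name, entries in parse_md5_sections(text).items()}


def files_to_review(text):
    """Names whose live copy matches none of its caches, or whose caches disagree."""
    return sorted(name for name, r in analyse(text).items() if r["reasons"])


if __name__ == "__main__":
    for name, r in analyse(SAMPLE_OTL).items():
        status = "; ".join(r["reasons"]) or "consistent"
        print(f"{name:14} {r['live_path']}: {status}")
```

On this report the script singles out EXPLORER.EXE and WINLOGON.EXE and leaves USERINIT.EXE alone (all three of its copies hash the same). A mismatch is a prompt to verify, not a verdict: a cached copy can be patched as well, and three winlogon.exe copies with identical size and timestamp but three different hashes mean at least two of them cannot be the original build, so the trustworthy reference is a hash taken from installation media or published by the vendor rather than from any copy on the infected disk.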
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (wlknvoym)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\AutoRun\command - "" = F:\ojcIHq.eXE
    O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\OPen\cOMMaNd - "" = F:\OJCihQ.eXE
    O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\AutoRun\command - "" = F:\NhnjVS.exe
    O33 - MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\Shell\opeN\commANd - "" = F:\nhnJvS.eXe
    O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2004-08-04 15:30:00 | 002,584,576 | R--- | M] (Microsoft Corporation)
    O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\AutoRun\command - "" = G:\DRIVE\file.exe
    O33 - MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\Shell\open\command - "" = G:\DRIVE\file.exe
    O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell - "" = AutoRun
    O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe
    O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
    O33 - MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
    [2011-04-08 03:02:49 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe
    [2011-04-08 03:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2009-05-21 17:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilizador\Application Data\Uniblue
    
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
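Most of the fix script above is O33 lines: HKCU\...\Explorer\MountPoints2 keeps, per volume the user has ever mounted, the AutoRun and "open" commands Explorer recorded for it, so those keys are a history of every USB stick and disc that carried an autorun.inf, including the ones that pointed at an executable in the drive root. As an added example (my own code, not OTL's and not the helper's), the Python below parses O33 lines in OTL's format and attaches review flags to each volume GUID. The sample is a subset of the O33 entries from the script above; the flag heuristics (executable on a drive other than C:, a `rundll32 ... ShellExec_RunDLL` indirection, subkey casing that differs from the spelling used elsewhere in the log, and OTL's trailing file information showing the target still exists) are my choices, not a rule built into OTL.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: O33 lines in the format OTL prints them. The GUIDs, drive letters
# and file names are copied from the fix list in this thread.
SAMPLE_O33 = r'''
O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\AutoRun\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\Shell\open\command - "" = F:\DRIVE\file.exe
O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\AutoRun\command - "" = F:\ojcIHq.eXE
O33 - MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\Shell\OPen\cOMMaNd - "" = F:\OJCihQ.eXE
O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2004-08-04 15:30:00 | 002,584,576 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell - "" = AutoRun
O33 - MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe
'''

# One O33 line: GUID, registry subkey, the command value and, when OTL found the target
# on disk, its trailing "[date | size | attrs | M] (vendor)" block.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9A-Fa-f-]{36})\}\\(?P<subkey>\S+) - "" = '
    r'(?P<value>.*?)(?: -- \[(?P<fileinfo>[^\]]*)\](?: \((?P<vendor>[^)]*)\))?)?$'
)
DRIVE_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\")


def parse_o33(text):
    entries = []
    for raw in text.splitlines():
        match = O33_RE.match(raw.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def reference_spellings(entries):
    """Most common spelling of each subkey, grouped case-insensitively."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e["subkey"].lower()][e["subkey"]] += 1
    return {key: spellings.most_common(1)[0][0] for key, spellings in counts.items()}


def flags_for(entry, reference):
    """Heuristic review flags for one MountPoints2 command (assumptions, see lead-in)."""
    flags = set()
    value = entry["value"]
    drive = DRIVE_RE.match(value)
    if drive and drive.group("drive").upper() != "C" and value.lower().endswith(".exe"):
        flags.add("launches executable from non-system drive")
    if "shellexec_rundll" in value.lower():
        flags.add("indirect launch through rundll32 ShellExec_RunDLL")
    if entry["subkey"] != reference[entry["subkey"].lower()]:
        flags.add("subkey casing differs from the rest of the log")
    if entry["fileinfo"]:
        flags.add("target file present on disk")
    return flags


def summarise(text):
    """Return {volume GUID: sorted list of flags} for every O33 line in the text."""
    entries = parse_o33(text)
    reference = reference_spellings(entries)
    per_device = defaultdict(set)
    for e in entries:
        per_device[e["guid"]] |= flags_for(e, reference)
    return {guid: sorted(flags) for guid, flags in per_device.items()}


def flagged_devices(text):
    return sorted(guid for guid, flags in summarise(text).items() if flags)


if __name__ == "__main__":
    for guid, flags in summarise(SAMPLE_O33).items():
        print(f"{{{guid}}}: {'; '.join(flags) or 'nothing notable'}")
```

The flags are review prompts rather than a verdict. In the sample, the one entry whose target OTL could still see on disk is `E:\SETUP.EXE`, a read-only file with Microsoft's name on it, which is what an installation disc's autorun looks like; the entries pointing at `F:\DRIVE\file.exe` or a randomly cased name in a USB stick's root, and the one that launches a program indirectly through `rundll32`, are the ones the fix above was written for. Deleting the MountPoints2 keys removes Explorer's cached autorun commands; it does nothing to the removable media themselves, which still need scanning before they are used again.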
 
Done! Here is the log:

All processes killed
========== OTL ==========
Service wlknvoym stopped successfully!
Service wlknvoym deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31186f16-9471-11de-b8a2-001302156640}\ not found.
File F:\DRIVE\file.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31186f16-9471-11de-b8a2-001302156640}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31186f16-9471-11de-b8a2-001302156640}\ not found.
File F:\DRIVE\file.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{378a741a-5b4c-11de-b817-001302156640}\ not found.
File F:\ojcIHq.eXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{378a741a-5b4c-11de-b817-001302156640}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{378a741a-5b4c-11de-b817-001302156640}\ not found.
File F:\OJCihQ.eXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496d0e74-2953-11df-ba21-001302156640}\ not found.
File F:\NhnjVS.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{496d0e74-2953-11df-ba21-001302156640}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496d0e74-2953-11df-ba21-001302156640}\ not found.
File F:\nhnJvS.eXe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5944b642-45eb-11de-b7b8-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5944b642-45eb-11de-b7b8-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5944b642-45eb-11de-b7b8-806d6172696f}\ not found.
File move failed. E:\SETUP.EXE scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ca7cabc-741f-11de-b855-001302156640}\ not found.
File G:\DRIVE\file.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ca7cabc-741f-11de-b855-001302156640}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ca7cabc-741f-11de-b855-001302156640}\ not found.
File G:\DRIVE\file.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ec523b58-461e-11de-b7ce-001302156640}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec523b58-461e-11de-b7ce-001302156640}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ec523b58-461e-11de-b7ce-001302156640}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GERaL.eXe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f686aaec-57f9-11de-b80a-001302156640}\ not found.
File F:\DRIVE\file.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f686aaec-57f9-11de-b80a-001302156640}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f686aaec-57f9-11de-b80a-001302156640}\ not found.
File F:\DRIVE\file.exe not found.
C:\Documents and Settings\Utilizador\Ambiente de trabalho\avg_remover_stf_x86_2011_1184.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update\prepare\temp folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update\prepare folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully.
C:\Documents and Settings\Utilizador\Application Data\Uniblue folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3000344 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Utilizador
->Temp folder emptied: 108571 bytes
->Temporary Internet Files folder emptied: 29044518 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 405 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
RecycleBin emptied: 2111 bytes

Total Files Cleaned = 31,00 mb


[EMPTYFLASH]

User: Administrador
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Utilizador
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.22.3 log created on 04082011_232539

Files\Folders moved on Reboot...
File move failed. E:\SETUP.EXE scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
Still the same problem: "Combofix cannot run when AVG is installed".

I don't know if it helps but I found an AVG folder on C:\Programas with 19MB and about 20 files.

Any other ideas?
 
Possibly I missed that folder when we ran the OTL fix.
Delete it and attempt Combofix again.
 
Well, it seems it worked. I got a different AVG warning, but the program ran (in fact ComboFix forced me to continue).

Here is the log (some sentences are in Portuguese; if you need help understanding them, just let me know):

ComboFix 11-04-07.08 - Utilizador 09-04-2011 13:46:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.351.2070.18.1022.529 [GMT 4,5:30]
Executando de: c:\documents and settings\Utilizador\Ambiente de trabalho\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Documentos\Server\admin.txt
c:\documents and settings\All Users\Documentos\Server\server.dat
c:\documents and settings\Utilizador\Application Data\Cerulean.lic
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\Anemone.lic
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\blueray.lic
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\Cablemusic.lic
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\Constantine.lic
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\eyed.lic
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\Featured.lic
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\mistic.lic
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\mistic.lic.ZIP
c:\documents and settings\Utilizador\Application Data\Microsoft\Media Player\Licence\peaz.lic
c:\documents and settings\Utilizador\Recent\ANTIGEN.exe
c:\documents and settings\Utilizador\Recent\ANTIGEN.tmp
c:\documents and settings\Utilizador\Recent\CLSV.drv
c:\documents and settings\Utilizador\Recent\DBOLE.dll
c:\documents and settings\Utilizador\Recent\energy.dll
c:\documents and settings\Utilizador\Recent\energy.drv
c:\documents and settings\Utilizador\Recent\energy.tmp
c:\documents and settings\Utilizador\Recent\exec.dll
c:\documents and settings\Utilizador\Recent\fix.drv
c:\documents and settings\Utilizador\Recent\kernel32.exe
c:\documents and settings\Utilizador\Recent\pal.sys
c:\documents and settings\Utilizador\Recent\PE.sys
c:\documents and settings\Utilizador\Recent\runddlkey.exe
c:\documents and settings\Utilizador\Recent\runddlkey.tmp
c:\documents and settings\Utilizador\Recent\SICKBOY.exe
c:\documents and settings\Utilizador\Recent\sld.exe
c:\documents and settings\Utilizador\Recent\SM.exe
c:\documents and settings\Utilizador\Recent\snl2w.drv
c:\documents and settings\Utilizador\Recent\snl2w.sys
c:\documents and settings\Utilizador\Recent\tjd.dll
c:\documents and settings\Utilizador\WINDOWS
c:\programas\Internet Explorer\iexplore.exe.tmp
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Install.txt
c:\windows\system32\Packet.dll
c:\windows\system32\szetyj67v.txt
c:\windows\system32\wpcap.dll
.
-- Execuções precedente --
.
A cópia de c:\windows\system32\userinit.exe foi encontrada e desinfectada
Cópia restaurada de - c:\windows\system32\dllcache\userinit.exe
.
--------
.
A cópia de c:\windows\system32\winlogon.exe foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ERDNT\cache\winlogon.exe
.
A cópia de c:\windows\explorer.exe foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ERDNT\cache\explorer.exe
.
.
\\.\PhysicalDrive0 - Bootkit Agent was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_SSHNAS
-------\Service_NPF
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2011-03-09 to 2011-04-09 ))))))))))))))))))))))))))))
.
.
2011-04-08 18:55 . 2011-04-08 18:55 -------- d-----w- C:\_OTL
2011-04-07 14:13 . 2011-02-23 14:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-07 14:13 . 2011-02-23 14:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-07 14:13 . 2011-02-23 14:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-07 14:13 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-07 14:13 . 2011-02-23 14:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-07 14:13 . 2011-02-23 14:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-07 14:13 . 2011-02-23 14:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-07 14:13 . 2011-02-23 14:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-07 14:13 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
2011-04-07 14:13 . 2011-02-23 15:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-07 14:12 . 2011-04-07 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-07 13:55 . 2011-04-07 19:33 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-07 13:55 . 2011-04-07 13:55 -------- d-----w- c:\programas\Hitman Pro 3.5
2011-04-07 13:54 . 2011-04-07 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-07 12:57 . 2011-04-07 12:57 -------- d-----w- c:\programas\ESET
2011-04-07 12:25 . 2011-04-07 12:25 -------- d-----w- c:\programas\AVAST Software
2011-04-07 09:41 . 2010-12-20 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 09:41 . 2011-04-07 09:41 -------- d-----w- c:\programas\Malwarebytes' Anti-Malware
2011-04-07 09:38 . 2010-12-20 13:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 09:20 . 2011-04-07 09:20 -------- d-----w- c:\documents and settings\Utilizador\Application Data\Malwarebytes
2011-04-07 08:37 . 2011-04-07 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-07 07:43 . 2011-04-07 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-04-07 07:43 . 2011-04-07 07:43 -------- d-----w- c:\programas\Alwil Software
2011-04-06 18:37 . 2011-04-07 08:22 -------- d-----w- c:\documents and settings\Administrador
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
.
[-] 2009-02-27 . 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2009-02-27 . 7847E2A6B90729DE0ADC71033F2BE590 . 1572352 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\programas\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\programas\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"avast"="c:\programas\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
"GrooveMonitor"="c:\programas\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Utilizador\Menu Iniciar\Programas\Arranque\
Iniciação Rápida do Microsoft Office OneNote 2007.lnk - c:\programas\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Índice do OneNote.onetoc2 [2010-8-31 3656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^PC Health.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\PC Health.lnk
backup=c:\windows\pss\PC Health.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^RAMASST.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-15 11:00 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Programas\\iTunes\\iTunes.exe"=
"c:\\Programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programas\\Java\\jre6\\bin\\java.exe"=
"c:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [07-04-2011 18:43 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [07-04-2011 18:43 301528]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [21-05-2009 12:31 5888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07-04-2011 18:43 19544]
R2 Tmesrv;Tmesrv3;c:\programas\TOSHIBA\TME3\TMESRV31.EXE [21-05-2009 12:31 118784]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [21-05-2009 11:35 1684736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 00:02 128512 ----a-w- c:\windows\system32\advpack.dll
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2011-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:04]
.
2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{1BB5BD40-03C6-418F-95E6-5D2A018F5870}.job
- c:\windows\system32\msfeedssync.exe [2009-02-27 00:01]
.
.
------- Scan Suplementar -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
- - - - ORFÃOS REMOVIDOS - - - -
.
MSConfigStartUp-29212 - c:\docume~1\UTILIZ~1\DEFINI~1\Temp\566.exe
MSConfigStartUp-avast5 - c:\progra~1\ALWILS~1\Avast5\avastUI.exe
MSConfigStartUp-{6B457D83-0365-D3B2-64C4-A6E680046383} - c:\documents and settings\Utilizador\Application Data\Anupxu\imky.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-09 13:58
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(3740)
c:\programas\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\programas\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\programas\AVAST Software\Avast\AvastSvc.exe
c:\programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programas\Bonjour\mDNSResponder.exe
c:\programas\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\programas\Intel\WiFi\bin\EvtEng.exe
c:\programas\Java\jre6\bin\jqs.exe
c:\programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programas\Ficheiros comuns\Intel\WirelessCommon\RegSrvc.exe
c:\programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\programas\TOSHIBA\TME3\TMEEJME.EXE
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2011-04-09 14:03:20 - Máquina reiniciou
ComboFix-quarantined-files.txt 2011-04-09 09:33
.
Pré-execução: 50.154.569.728 bytes livres
Pós execução: 50.099.671.040 bytes livres
.
- - End Of File - - 4F9EF02FA18C57E80CA533E9AB5D6FC6
 
Very good :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 