JS:Banker-O[Trj] - false positive?

Hello, people.

For the past few days I have had Banker-O warnings from Avast popping up on my Windows Vista SP1 screen. I am running Avast 6.0.1125, updated today.

I do not recall what prompted the first warning, or what application I was trying to run. But it just so happens that, whatever the application, for EVERY application I try to run Avast consistently warns me that it has detected JS:Banker-O[Trj] (i.e. trojan Banker-O, but I guess you could tell that) and that it has moved said trojan to the chest. It has been doing so for GoogleUpdate (in fact I think this was the first), IExplore, Excel, Spyware Terminator, you name it. And svchost triggers the alarm frequently too.

I would guess this to be a false positive. I have also seen scarce mention of Banker, let alone Banker-O, on Google. In fact I have not seen any mention of Banker-O anywhere, including on this forum. However, the warnings are noisy and very annoying, and I fear that I may really be infected.

I have downloaded a banking-virus removal tool; it has found nothing. Malwarebytes’ Anti-Malware has found nothing wrong either.

Any suggestions on what I should do? Maybe I should tell this to Avast’s developers?

Follow the guide here and post an OTS log in your next reply here.

http://forum.avast.com/index.php?topic=53253.0

Essexboy will then review the log when he arrives here, usually late UK time.

Hello again. After I posted this topic yesterday, I ran a full boot-time Avast scan. It took around 12 hours and, early on, indeed it found a Banker-gen signature at dwm.exe. I could not clean it, so I sent it to the chest. Another occurrence was found (can’t recall which application it was, sorry), and again I moved it to the chest.

Today I did exactly as told above. Malwarebytes found nothing wrong, nothing at all.

Then I turned off all software I could, even went offline, and ran OTS. The results are below. Curiously enough, when I booted again, at first I was not online. Well, now Avast was no longer beeping for Banker-O! I opened Iexplore and it did not beep. (Whereas it has been beeping all the time for the past few days.) Then I came online to post this reply and, sure enough, there it is beeping again…

Anyway, this is what OTS shows (in about five parts because the forum limits text length). Can anyone decipher this mystery for me…?


OTS logfile created on: 16/06/2011 00:11:40 - Run 1
OTS by OldTimer - Version 3.1.44.0     Folder = C:\Users\Joao\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: dd/MM/yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 65,00% Memory free
7,00 Gb Paging File | 6,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222,78 Gb Total Space | 112,75 Gb Free Space | 50,61% Space Free | Partition Type: NTFS
Drive D: | 10,00 Gb Total Space | 5,91 Gb Free Space | 59,09% Space Free | Partition Type: NTFS
Drive E: | 232,88 Gb Total Space | 194,73 Gb Free Space | 83,61% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 232,83 Gb Total Space | 196,01 Gb Free Space | 84,19% Space Free | Partition Type: FAT32
Drive J: | 977,47 Mb Total Space | 15,58 Mb Free Space | 1,59% Space Free | Partition Type: FAT
Drive L: | 1863,01 Gb Total Space | 1669,00 Gb Free Space | 89,59% Space Free | Partition Type: NTFS
 
Computer Name: MAJELBARRETT
Current User Name: Joao
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Users\Joao\Desktop\OTS.exe -> [2011/06/15 23:58:47 | 000,645,120 | ---- | M] (OldTimer Tools)
gbpsv.exe -> C:\Arquivos de programas\GbPlugin\gbpsv.exe -> [2011/06/10 11:49:40 | 000,169,760 | ---- | M] ( )
mbamservice.exe -> C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe -> [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation)
avastui.exe -> C:\Arquivos de programas\Alwil Software\Avast5\AvastUI.exe -> [2011/05/10 09:10:58 | 003,459,712 | ---- | M] (AVAST Software)
avastsvc.exe -> C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe -> [2011/05/10 09:10:57 | 000,042,184 | ---- | M] (AVAST Software)
sp_rsser.exe -> C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe -> [2010/11/02 11:51:56 | 000,496,128 | ---- | M] (Crawler.com)
wlidsvc.exe -> C:\Arquivos de programas\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -> [2010/09/21 14:03:14 | 001,710,464 | ---- | M] (Microsoft Corp.)
wlidsvcm.exe -> C:\Arquivos de programas\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE -> [2010/09/21 14:03:14 | 000,193,408 | ---- | M] (Microsoft Corp.)
conime.exe -> C:\Windows\System32\conime.exe -> [2009/04/11 03:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation)
wmpnetwk.exe -> C:\Arquivos de programas\Windows Media Player\wmpnetwk.exe -> [2008/01/20 23:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation)
wmpnscfg.exe -> C:\Arquivos de programas\Windows Media Player\wmpnscfg.exe -> [2008/01/20 23:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation)
msascui.exe -> C:\Arquivos de programas\Windows Defender\MSASCui.exe -> [2008/01/20 23:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation)
monitor.exe -> C:\Windows\PixArt\PAC7302\Monitor.exe -> [2007/12/10 15:55:26 | 000,323,584 | ---- | M] (PixArt Imaging Incorporation)
rthdvcpl.exe -> C:\Windows\RtHDVCpl.exe -> [2007/09/24 06:41:02 | 004,452,352 | ---- | M] (Realtek Semiconductor)
cmpe.exe -> C:\Windows\System32\cmpe.exe -> [2007/02/26 11:11:52 | 000,061,440 | ---- | M] (LightComm)
desp2k.exe -> C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe -> [2006/08/03 16:05:18 | 000,065,536 | ---- | M] (LightComm)

[Modules - Safe List]
ots.exe → C:\Users\Joao\Desktop\OTS.exe → [2011/06/15 23:58:47 | 000,645,120 | ---- | M] (OldTimer Tools)
comctl32.dll → C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll → [2010/08/31 12:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(GbpSv) Gbp Service [Unknown | Running] → C:\Arquivos de Programas\GbPlugin\gbpsv.exe → [2011/06/10 11:49:40 | 000,169,760 | ---- | M] ( )
(MBAMService) MBAMService [Auto | Running] → C:\Program Files\Malwarebytes’ Anti-Malware\mbamservice.exe → [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation)
(avast! Antivirus) avast! Antivirus [Auto | Running] → C:\Program Files\Alwil Software\Avast5\AvastSvc.exe → [2011/05/10 09:10:57 | 000,042,184 | ---- | M] (AVAST Software)
(FontCache) Serviço de Cache de Fontes do Windows [Auto | Running] → C:\Windows\System32\FntCache.dll → [2011/02/22 10:33:09 | 000,797,696 | ---- | M] (Microsoft Corporation)
(sp_rssrv) Spyware Terminator Realtime Shield Service [Auto | Running] → C:\Program Files\Spyware Terminator\sp_rsser.exe → [2010/11/02 11:51:56 | 000,496,128 | ---- | M] (Crawler.com)
(vsmon) TrueVector Internet Monitor [Auto | Stopped] → C:\Windows\System32\ZoneLabs\vsmon.exe → [2010/09/02 09:22:30 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD)
(nosGetPlusHelper) getPlus(R) Helper 3004 [On_Demand | Stopped] → C:\Arquivos de Programas\NOS\bin\getPlus_Helper_3004.dll → [2010/09/01 15:51:28 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.)
(WinDefend) Windows Defender [Auto | Running] → C:\Arquivos de Programas\Windows Defender\MpSvc.dll → [2008/01/20 23:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation)
(cmpe) Context Manager Process Extension [Auto | Running] → C:\Windows\System32\cmpe.exe → [2007/02/26 11:11:52 | 000,061,440 | ---- | M] (LightComm)

[Driver Services - Safe List]
(GbpKm) Gbp KernelMode [Kernel | Boot | Running] → C:\Windows\system32\drivers\gbpkm.sys → [2011/06/10 11:49:06 | 000,046,624 | ---- | M] (GAS Tecnologia)
(MBAMProtector) MBAMProtector [File_System | On_Demand | Running] → C:\Windows\System32\drivers\mbam.sys → [2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation)
(aswSnx) aswSnx [File_System | System | Running] → C:\Windows\System32\drivers\aswSnx.sys → [2011/05/10 09:03:54 | 000,441,176 | ---- | M] (AVAST Software)
(aswSP) aswSP [Kernel | System | Running] → C:\Windows\System32\drivers\aswSP.sys → [2011/05/10 09:03:44 | 000,307,928 | ---- | M] (AVAST Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] → C:\Windows\System32\drivers\aswTdi.sys → [2011/05/10 09:02:37 | 000,049,240 | ---- | M] (AVAST Software)
(aswRdr) aswRdr [Kernel | System | Running] → C:\Windows\System32\drivers\aswRdr.sys → [2011/05/10 08:59:56 | 000,025,432 | ---- | M] (AVAST Software)
(aswMonFlt) aswMonFlt [File_System | Auto | Running] → C:\Windows\System32\drivers\aswMonFlt.sys → [2011/05/10 08:59:44 | 000,053,592 | ---- | M] (AVAST Software)
(aswFsBlk) aswFsBlk [File_System | Auto | Running] → C:\Windows\System32\drivers\aswFsBlk.sys → [2011/05/10 08:59:35 | 000,019,544 | ---- | M] (AVAST Software)
(sp_rsdrv2) Spyware Terminator Driver 2 [Kernel | System | Running] → C:\Windows\System32\drivers\sp_rsdrv2.sys → [2010/10/31 18:13:59 | 000,142,592 | ---- | M] ()
(Vsdatant) Zone Alarm Firewall Driver [Kernel | System | Running] → C:\Windows\System32\drivers\vsdatant.sys → [2010/05/15 16:30:46 | 000,457,304 | ---- | M] (Check Point Software Technologies LTD)
(EUFS) EUFS [Kernel | Boot | Running] → C:\Windows\system32\drivers\eufs.sys → [2009/12/02 12:21:00 | 000,021,896 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd)
(EUDSKACS) EUDSKACS [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\eudskacs.sys → [2009/12/02 12:20:58 | 000,015,240 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd)
(EUBAKUP) EUBAKUP [Kernel | Boot | Running] → C:\Windows\system32\drivers\eubakup.sys → [2009/12/02 12:20:56 | 000,027,016 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd)
(EuDisk) EASEUS Disk Enumerator [Kernel | On_Demand | Running] → C:\Windows\System32\drivers\EuDisk.sys → [2009/12/02 12:20:54 | 000,123,784 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd)
(PAC7302) PAC7302 VGA SoC PC-Camera [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\PAC7302.SYS → [2009/07/01 18:03:40 | 000,461,952 | ---- | M] (PixArt Imaging Inc.)
(usbaudio) Driver de áudio USB (WDM) [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\USBAUDIO.sys → [2009/04/11 01:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation)
(nvrd32) NVIDIA nForce RAID Driver [Kernel | Disabled | Stopped] → C:\Windows\system32\drivers\nvrd32.sys → [2008/05/04 07:22:40 | 000,131,616 | ---- | M] (NVIDIA Corporation)
(nvstor32) nvstor32 [Kernel | Boot | Running] → C:\Windows\system32\drivers\nvstor32.sys → [2008/05/04 07:22:40 | 000,110,624 | ---- | M] (NVIDIA Corporation)
(e1express) Driver do Intel(R) PRO/1000 PCI Express Network Connection [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\e1e6032.sys → [2008/01/20 23:23:25 | 000,220,672 | ---- | M] (Intel Corporation)
(NVENETFD) NVIDIA nForce Networking Controller Driver [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\nvmfdx32.sys → [2007/10/29 06:40:28 | 001,062,048 | ---- | M] (NVIDIA Corporation)
(pmxmouse) pmxmouse [Kernel | On_Demand | Running] → C:\Windows\System32\drivers\pmxmouse.sys → [2007/06/01 13:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.)
(pmxusblf) pmxusblf [Kernel | On_Demand | Running] → C:\Windows\System32\drivers\pmxusblf.sys → [2007/05/24 16:44:00 | 000,019,008 | ---- | M] (Primax Electronics Ltd.)
(R300) R300 [Kernel | On_Demand | Running] → C:\Windows\System32\drivers\atikmdag.sys → [2007/04/04 09:54:32 | 002,313,216 | ---- | M] (ATI Technologies Inc.)
(emAudio) Dazzle DVC Audio Device [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\emAudio.sys → [2006/12/12 11:16:06 | 000,022,528 | ---- | M] (Pinnacle Systems GmbH)
(HSXHWBS2) HSXHWBS2 [Kernel | On_Demand | Running] → C:\Windows\System32\drivers\HSXHWBS2.sys → [2006/10/18 15:08:18 | 000,258,048 | ---- | M] (Conexant Systems, Inc.)
(XAudio) XAudio [Kernel | Auto | Running] → C:\Windows\System32\drivers\XAudio.sys → [2006/08/04 21:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.)
(DCamUSBEMPIA) Dazzle DVC Video Device [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\emDevice.sys → [2005/12/21 09:14:52 | 000,100,957 | ---- | M] (eMPIA Technology, Inc.)
(FiltUSBEMPIA) USB Device Lower Filter [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\emFilter.sys → [2005/12/21 09:14:52 | 000,005,245 | ---- | M] (eMPIA Technology, Inc.)
(ScanUSBEMPIA) USB Still Image Capture Device [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\emScan.sys → [2005/12/21 09:14:52 | 000,004,493 | ---- | M] (eMPIA Technology, Inc.)
(MarvinBus) Pinnacle Marvin Bus [Kernel | On_Demand | Running] → C:\Windows\System32\drivers\MarvinBus.sys → [2005/09/23 22:18:32 | 000,171,520 | ---- | M] (Pinnacle Systems GmbH)
(NPF) NetGroup Packet Filter Driver [Kernel | On_Demand | Stopped] → C:\Windows\System32\drivers\npf.sys → [2003/04/04 15:07:20 | 000,030,336 | ---- | M] (Politecnico di Torino)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE] > → ->
HKEY_LOCAL_MACHINE: Search\“CustomizeSearch” → http://dnl.crawler.com/support/sa_customize.aspx?TbId=60076
HKEY_LOCAL_MACHINE: Search\“SearchAssistant” → http://www.crawler.com/search/ie.aspx?tb_id=60076
< Internet Explorer Settings [HKEY_USERS.DEFAULT] > → ->
HKEY_USERS.DEFAULT: “ProxyEnable” → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-18] > → ->
HKEY_USERS\S-1-5-18: “ProxyEnable” → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-19] > → ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20] > → ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000] > → ->
HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000: Main\“Default Download Directory” → E:\JP\TBx →
HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000: Main\“Default_Page_URL” → http://partnerpage.google.com/smallbiz.dell.com/pt-BR_br?hl=pt-BR&client=dell-row&channel=br-smb&ibd=6080828
HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000: Main\“Start Page” → http://mail.yahoo.com/
HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000: URLSearchHooks\“{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}” [HKLM] → C:\Arquivos de Programas\Crawler\Toolbar\ctbr.dll → [2010/10/14 04:04:04 | 001,252,200 | ---- | M] (Crawler.com)
HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000: “ProxyEnable” → 0 →
HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000: “AutoConfigURL” → http://avir.atawin.com:8083/connect.dat
< FireFox Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions → →
< FireFox Extensions [User Folders] > →
< HOSTS File > ([2011/06/14 22:02:53 | 000,000,759 | ---- | M] - 20 lines) → C:\Windows\System32\drivers\etc\hosts →
Reset Hosts
127.0.0.1 localhost
::1 localhost
< BHO’s [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} [HKLM] → C:\Arquivos de Programas\Crawler\Toolbar\ctbr.dll → [2010/10/14 04:04:04 | 001,252,200 | ---- | M] (Crawler.com)
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} [HKLM] → C:\Arquivos de Programas\Alwil Software\Avast5\aswWebRepIE.dll [avast! WebRep] → [2011/05/10 09:10:54 | 000,819,840 | ---- | M] (AVAST Software)
{9030D464-4C02-4ABF-8ECC-5164760863C6} [HKLM] → C:\Arquivos de Programas\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll [Windows Live ID Sign-in Helper] → [2010/09/21 14:08:38 | 000,439,168 | ---- | M] (Microsoft Corp.)
{C41A1C0E-EA6C-11D4-B1B8-444553540000} [HKLM] → C:\Arquivos de Programas\GbPlugin\gbieh.dll [GbIehObj Class] → [2011/06/10 11:46:56 | 001,412,384 | ---- | M] (Banco do Brasil)
{C41A1C0E-EA6C-11D4-B1B8-444553540003} [HKLM] → Reg Error: Key error. [Reg Error: Key error.] → File not found
{CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] → C:\Arquivos de Programas\Dell\BAE\BAE.dll [CBrowserHelperObject Object] → [2006/11/09 09:56:48 | 000,098,304 | ---- | M] (Dell Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
“{4B3803EA-5230-4DC3-A7FC-33638F3D3542}” [HKLM] → C:\Arquivos de Programas\Crawler\Toolbar\ctbr.dll [&Crawler Toolbar] → [2010/10/14 04:04:04 | 001,252,200 | ---- | M] (Crawler.com)
“{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}” [HKLM] → C:\Arquivos de Programas\Alwil Software\Avast5\aswWebRepIE.dll [avast! WebRep] → [2011/05/10 09:10:54 | 000,819,840 | ---- | M] (AVAST Software)
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000] > → HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\Software\Microsoft\Internet Explorer\Toolbar\ →
WebBrowser\“{4B3803EA-5230-4DC3-A7FC-33638F3D3542}” [HKLM] → C:\Arquivos de Programas\Crawler\Toolbar\ctbr.dll [&Crawler Toolbar] → [2010/10/14 04:04:04 | 001,252,200 | ---- | M] (Crawler.com)

< Run [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
“avast” → C:\Program Files\Alwil Software\Avast5\avastUI.exe [“C:\Program Files\Alwil Software\Avast5\avastUI.exe” /nogui] → [2011/05/10 09:10:58 | 003,459,712 | ---- | M] (AVAST Software)
“desp2k” → C:\Arquivos de Programas\Oi Velox\Manager\desp2k.exe [C:\Program Files\Oi Velox\Manager\desp2k.exe] → [2006/08/03 16:05:18 | 000,065,536 | ---- | M] (LightComm)
“DoroServer” → C:\Arquivos de Programas\DoroPDFWriter\DoroServer.exe [C:\Program Files\DoroPDFWriter\DoroServer.exe] → [2006/12/29 23:03:14 | 000,106,496 | ---- | M] (CompSoft)
“Malwarebytes’ Anti-Malware” → C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe [“C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe” /starttray] → [2011/05/29 09:11:28 | 000,449,584 | ---- | M] (Malwarebytes Corporation)
“PAC7302_Monitor” → C:\Windows\PixArt\PAC7302\Monitor.exe [C:\Windows\PixArt\PAC7302\Monitor.exe] → [2007/12/10 15:55:26 | 000,323,584 | ---- | M] (PixArt Imaging Incorporation)
“RtHDVCpl” → C:\Windows\RtHDVCpl.exe [RtHDVCpl.exe] → [2007/09/24 06:41:02 | 004,452,352 | ---- | M] (Realtek Semiconductor)
“SpywareTerminator” → C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe [“C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe”] → [2010/11/02 11:51:56 | 002,216,960 | ---- | M] (Crawler.com)
“USB2Check” → C:\Windows\System32\PCLECoInst.dll [RUNDLL32.EXE “C:\Windows\system32\PCLECoInst.dll”,CheckUSBController] → [2006/11/06 13:31:08 | 000,081,920 | ---- | M] (Pinnacle Systems)
“USBToolTip” → C:\Arquivos de Programas\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe [C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe] → [2007/02/20 11:07:40 | 000,199,752 | ---- | M] (Pinnacle Systems GmbH)
“Windows Defender” → C:\Program Files\Windows Defender\MSASCui.exe [%ProgramFiles%\Windows Defender\MSASCui.exe -hide] → [2008/01/20 23:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation)
“ZoneAlarm Client” → C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”] → [2010/09/02 09:21:04 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD)
< Run [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
“WindowsWelcomeCenter” → C:\Windows\System32\oobefldr.dll [rundll32.exe oobefldr.dll,ShowWelcomeCenter] → [2009/04/11 03:28:23 | 002,153,472 | ---- | M] (Microsoft Corporation)
< Run [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
“WindowsWelcomeCenter” → C:\Windows\System32\oobefldr.dll [rundll32.exe oobefldr.dll,ShowWelcomeCenter] → [2009/04/11 03:28:23 | 002,153,472 | ---- | M] (Microsoft Corporation)
< Run [HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000] > → HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
“StartCCC” → C:\Arquivos de Programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe] → [2006/11/10 12:35:24 | 000,090,112 | ---- | M] ()
“WMPNSCFG” → C:\Arquivos de Programas\Windows Media Player\wmpnscfg.exe [C:\Program Files\Windows Media Player\WMPNSCFG.exe] → [2008/01/20 23:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation)

< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\“EnableLUA” → [0] → File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000] > → HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer →
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000] > → HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\Software\Microsoft\Internet Explorer\MenuExt\ →
Crawler Search → [tbr:iemenu] → File not found
Google Sidewiki… → C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll [res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html] → [2011/05/16 17:21:20 | 001,866,928 | ---- | M] (Google Inc.)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}:{5F7B1267-94A9-47F5-98DB-E99415F33AEC} [HKLM] → C:\Arquivos de Programas\Windows Live\Writer\WriterBrowserExtension.dll [Button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004] → [2010/11/10 02:15:56 | 000,188,256 | ---- | M] (Microsoft Corporation)
{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}:{5F7B1267-94A9-47F5-98DB-E99415F33AEC} [HKLM] → C:\Arquivos de Programas\Windows Live\Writer\WriterBrowserExtension.dll [Menu: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003] → [2010/11/10 02:15:56 | 000,188,256 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ →
< Default Prefix > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
“” → http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000] > → HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 1 domain(s) found. →
caixa.gov.br .[https] → Trusted sites →
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000] > → HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{3D3B42C2-11BF-4732-A304-A01384B70D68} [HKLM] → http://picasaweb.google.com/s/v/69.14/uploader2.cab [UploadListView Class] →
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] → http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab [Java Plug-in 1.6.0_24] →
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] → http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] →
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [HKLM] → http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab [Java Plug-in 1.6.0_24] →
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] → http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab [Java Plug-in 1.6.0_24] →
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] → http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [get_atlcom Class] →
< Name Servers [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ →
DhcpNameServer → 192.168.1.1 →
< Name Servers [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{AC29C613-16E4-414B-9B3F-B3299EBEBE7F}\DhcpNameServer → 192.168.1.1 (NVIDIA nForce Networking Controller) →
< Winlogon settings [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
Shell → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell →
explorer.exe → C:\Windows\explorer.exe → [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
MultiFile Done → ->

< Winlogon settings [HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000] > → HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
Shell → HKEY_USERS\S-1-5-21-3419713465-2872600009-4099021196-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell →
explorer.exe → C:\Windows\explorer.exe → [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
MultiFile Done → ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
GbPluginBb → C:\Arquivos de Programas\GbPlugin\gbieh.dll → [2011/06/10 11:46:56 | 001,412,384 | ---- | M] (Banco do Brasil)
GbPluginCef → C:\Arquivos de Programas\GbPlugin\gbiehcef.dll → [2011/04/18 15:12:24 | 000,496,072 | ---- | M] (Caixa Economica Federal)
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
“{E37CB5F0-51F5-4395-A808-5FA49E399003}” [HKLM] → C:\Arquivos de Programas\GbPlugin\gbiehcef.dll [GbPlugin ShlObj] → [2011/04/18 15:12:24 | 000,496,072 | ---- | M] (Caixa Economica Federal)
“{E37CB5F0-51F5-4395-A808-5FA49E399F83}” [HKLM] → C:\Arquivos de Programas\GbPlugin\gbieh.dll [GbPlugin ShlObj] → [2011/06/10 11:46:56 | 001,412,384 | ---- | M] (Banco do Brasil)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot →
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom →
“AutoRun” → 1 →
“DisplayName” → Driver de CD-ROM →
“ImagePath” → [system32\DRIVERS\cdrom.sys] → File not found
< Drives with AutoRun files > → →
C:\autoexec.bat [REM Dummy file for NTVDM | ] → C:\autoexec.bat [ NTFS ] → [2006/09/18 18:43:36 | 000,000,024 | ---- | M] ()
L:\autorun → L:\autorun [ NTFS ] → [2010/03/15 06:45:58 | 000,000,000 | RH-D | M]
L:\autorun.inf [[autorun] | ICON=AUTORUN\WDLOGO.ICO | ] → L:\autorun.inf [ NTFS ] → [2002/10/16 09:56:50 | 000,000,036 | RH-- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 →
{078e6db2-0b92-11e0-a456-001ec9227237}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{078e6db2-0b92-11e0-a456-001ec9227237}\shell
{078e6db2-0b92-11e0-a456-001ec9227237}\shell\“” → [AutoRun] → File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{078e6db2-0b92-11e0-a456-001ec9227237}\shell\AutoRun\command
{078e6db2-0b92-11e0-a456-001ec9227237}\shell\AutoRun\command\“” → [“L:\WD SmartWare.exe” autoplay=true] → File not found
{eee0fd32-08a9-11e0-9c8f-001ec9227237}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee0fd32-08a9-11e0-9c8f-001ec9227237}\shell\AutoRun\command
{eee0fd32-08a9-11e0-9c8f-001ec9227237}\shell\AutoRun\command\“” → [K:\urDrive.exe] → File not found
< Registry Shell Spawning - Select to Repair > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command →
comfile [open] → “%1” %* →
exefile [open] → “%1” %* →
< File Associations - Select to Repair > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ →
.com [@ = comfile] → “%1” %* →
.exe [@ = exefile] → “%1” %* →

[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ →
ECenter hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run → C:\DELL\E-Center\EULALauncher.exe → [2008/02/29 00:59:48 | 000,017,920 | ---- | M] ( )
< Disabled MSConfig State [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state →
"startup" → 2 →
< Drivers32 [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 →
"msacm.l3acm" → C:\Windows\System32\l3codeca.acm [C:\Windows\System32\l3codeca.acm] → [2010/01/21 12:05:44 | 000,062,464 | ---- | M] (Fraunhofer Institut Integrierte Schaltungen IIS)
"MSVideo8" → C:\Windows\System32\vfwwdm32.dll [VfWWDM32.dll] → [2008/01/20 23:23:54 | 000,056,832 | ---- | M] (Microsoft Corporation)
"vidc.cvid" → C:\Windows\System32\iccvid.dll [iccvid.dll] → [2010/05/27 17:08:17 | 000,081,920 | ---- | M] (Radius Inc.)
"vidc.DIVX" → C:\Windows\System32\DivX.dll [DivX.dll] → [2010/02/19 16:27:36 | 000,720,384 | ---- | M] (DivX, Inc.)
"VIDC.I420" → C:\Windows\System32\emYUV.dll [emYUV.dll] → [2005/12/21 09:14:52 | 000,017,808 | ---- | M] (Microsoft Corporation)
"vidc.mjpg" → [pvmjpg30.dll] → File not found
"vidc.yv12" → C:\Windows\System32\DivX.dll [DivX.dll] → [2010/02/19 16:27:36 | 000,720,384 | ---- | M] (DivX, Inc.)
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > → ->
netsvcs → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs →
FastUserSwitchingCompatibility → → File not found
Ias → → File not found
Nla → → File not found
Ntmssvc → → File not found
NWCWorkstation → → File not found
Nwsapagent → → File not found
SRService → → File not found
WmdmPmSp → → File not found
LogonHours → → File not found
PCAudit → → File not found
helpsvc → → File not found
uploadmgr → → File not found
MultiFile Done → ->

< SafeBoot-Minimal Settings > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ →
{36FC9E60-C465-11CF-8056-444553540000} → Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} → CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} → DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} → Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} → Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} → Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} → Mouse
{4D36E977-E325-11CE-BFC1-08002BE10318} → PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} → SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} → System
{4D36E980-E325-11CE-BFC1-08002BE10318} → Floppy disk drive
{533C5B84-EC70-11D2-9505-00C04F79DEAF} → Volume shadow copy
{6BDD1FC1-810F-11D0-BEC7-08002BE2092F} → IEEE 1394 Bus host controllers
{71A27CDD-812A-11D0-BEC7-08002BE2092F} → Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} → Human Interface Devices
{D48179BE-EC20-11D1-B6B8-00C04FA372A7} → SBP2 IEEE 1394 Devices
{D94EE5D8-D189-4994-83D2-F68D7D41B0E6} → SecurityDevices
AppMgmt → Service
Base → Driver Group
Boot Bus Extender → Driver Group
Boot file system → Driver Group
File system → Driver Group
Filter → Driver Group
HelpSvc → Service
NTDS → → File not found
PCI Configuration → Driver Group
PNP Filter → Driver Group
Primary disk → Driver Group
sacsvr → Service
SCSI Class → Driver Group
System Bus Extender → Driver Group
WinDefend → C:\Arquivos de Programas\Windows Defender\MpSvc.dll → [2008/01/20 23:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation)
< Registry Shell Spawning - Select to Repair > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command →
batfile [open] → "%1" %* →
cmdfile [open] → "%1" %* →
comfile [open] → "%1" %* →
cplfile [cplopen] → %SystemRoot%\System32\control.exe "%1",%* → [2006/11/02 06:44:59 | 000,211,968 | ---- | M] (Microsoft Corporation)
exefile [open] → "%1" %* →
hlpfile [open] → %SystemRoot%\winhlp32.exe %1 → [2006/11/02 06:45:57 | 000,009,216 | ---- | M] (Microsoft Corporation)
htmlfile [edit] → "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 → [1999/02/09 19:14:10 | 000,041,011 | ---- | M] (Microsoft Corporation)
htmlfile [print] → "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 → [1999/02/09 19:14:10 | 000,041,011 | ---- | M] (Microsoft Corporation)
inffile [install] → %SystemRoot%\System32\InfDefaultInstall.exe "%1" → [2008/01/20 23:24:35 | 000,011,776 | ---- | M] (Microsoft Corporation)
piffile [open] → "%1" %* →
scrfile [config] → "%1" →
scrfile [install] → rundll32.exe desk.cpl,InstallScreenSaver %l →
scrfile [open] → "%1" /S →
Unknown [openas] → %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 →
Directory [cmd] → cmd.exe /s /k pushd "%V" → [2008/01/20 23:23:50 | 000,318,976 | ---- | M] (Microsoft Corporation)
Directory [find] → %SystemRoot%\Explorer.exe → [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
Folder [open] → %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L → [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
Folder [explore] → %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L → [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
Drive [find] → %SystemRoot%\Explorer.exe → [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
< EventViewer Logs - Last 10 Errors > → Event Information → Description
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

[Files/Folders - Created Within 30 Days]
OTS.exe → C:\Users\Joao\Desktop\OTS.exe → [2011/06/15 23:58:38 | 000,645,120 | ---- | C] (OldTimer Tools)
LinhaDefensiva → C:\LinhaDefensiva → [2011/06/14 22:00:44 | 000,000,000 | ---D | C]
Malwarebytes → C:\Users\Joao\AppData\Roaming\Malwarebytes → [2011/06/14 17:31:42 | 000,000,000 | ---D | C]
Malwarebytes' Anti-Malware → C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware → [2011/06/14 17:31:28 | 000,000,000 | ---D | C]
mbamswissarmy.sys → C:\Windows\System32\drivers\mbamswissarmy.sys → [2011/06/14 17:31:27 | 000,039,984 | ---- | C] (Malwarebytes Corporation)
Malwarebytes → C:\ProgramData\Malwarebytes → [2011/06/14 17:31:26 | 000,000,000 | ---D | C]
mbam.sys → C:\Windows\System32\drivers\mbam.sys → [2011/06/14 17:31:23 | 000,022,712 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware → C:\Arquivos de Programas\Malwarebytes' Anti-Malware → [2011/06/14 17:31:22 | 000,000,000 | ---D | C]
avast! Free Antivirus → C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus → [2011/05/19 19:22:20 | 000,000,000 | ---D | C]

[Files/Folders - Modified Within 30 Days]
OTS.exe → C:\Users\Joao\Desktop\OTS.exe → [2011/06/15 23:58:47 | 000,645,120 | ---- | M] (OldTimer Tools)
GoogleUpdateTaskMachineUA.job → C:\Windows\tasks\GoogleUpdateTaskMachineUA.job → [2011/06/15 23:33:18 | 000,001,028 | ---- | M] ()
prfh0416.dat → C:\Windows\System32\prfh0416.dat → [2011/06/15 23:32:25 | 000,643,358 | ---- | M] ()
perfh009.dat → C:\Windows\System32\perfh009.dat → [2011/06/15 23:32:25 | 000,595,798 | ---- | M] ()
prfc0416.dat → C:\Windows\System32\prfc0416.dat → [2011/06/15 23:32:25 | 000,124,862 | ---- | M] ()
perfc009.dat → C:\Windows\System32\perfc009.dat → [2011/06/15 23:32:25 | 000,103,872 | ---- | M] ()
GoogleUpdateTaskMachineCore.job → C:\Windows\tasks\GoogleUpdateTaskMachineCore.job → [2011/06/15 23:12:26 | 000,001,024 | ---- | M] ()
7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 → C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 → [2011/06/15 23:12:19 | 000,003,616 | -H-- | M] ()
7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 → C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 → [2011/06/15 23:12:19 | 000,003,616 | -H-- | M] ()
bootstat.dat → C:\Windows\bootstat.dat → [2011/06/15 23:12:09 | 000,067,584 | --S- | M] ()
hiberfil.sys → C:\hiberfil.sys → [2011/06/15 23:12:06 | 3756,515,328 | -HS- | M] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini → C:\Users\Joao\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini → [2011/06/14 19:42:24 | 000,097,280 | ---- | M] ()
Malwarebytes’ Anti-Malware.lnk → C:\Users\Public\Desktop\Malwarebytes’ Anti-Malware.lnk → [2011/06/14 17:31:28 | 000,000,908 | ---- | M] ()
config.nt → C:\Windows\System32\config.nt → [2011/06/14 16:51:50 | 000,002,577 | ---- | M] ()
PCLECHAL.INI → C:\Users\Public\Documents\PCLECHAL.INI → [2011/06/12 21:19:42 | 000,000,349 | ---- | M] ()
Skype.lnk → C:\Users\Public\Desktop\Skype.lnk → [2011/06/11 20:09:30 | 000,002,377 | ---- | M] ()
organize.ini → C:\Users\Joao\organize.ini → [2011/06/10 14:13:54 | 000,000,258 | -HS- | M] ()
proce.dll → C:\Users\Joao\proce.dll → [2011/06/10 14:13:51 | 000,808,960 | -HS- | M] ()
GbpKm.sys → C:\Windows\System32\drivers\GbpKm.sys → [2011/06/10 11:49:06 | 000,046,624 | ---- | M] (GAS Tecnologia)
FlashPlayerCPLApp.cpl → C:\Windows\System32\FlashPlayerCPLApp.cpl → [2011/06/07 17:12:59 | 000,404,640 | ---- | M] (Adobe Systems Incorporated)
mbamswissarmy.sys → C:\Windows\System32\drivers\mbamswissarmy.sys → [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation)
mbam.sys → C:\Windows\System32\drivers\mbam.sys → [2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation)
avast! Free Antivirus.lnk → C:\Users\Public\Desktop\avast! Free Antivirus.lnk → [2011/05/19 19:22:20 | 000,001,842 | ---- | M] ()
MEMORY.DMP → C:\Windows\MEMORY.DMP → [2011/05/19 19:17:25 | 195,041,601 | ---- | M] ()

[Files - No Company Name]
hiberfil.sys → C:\hiberfil.sys → [2011/06/14 22:44:11 | 3756,515,328 | -HS- | C] ()
Malwarebytes’ Anti-Malware.lnk → C:\Users\Public\Desktop\Malwarebytes’ Anti-Malware.lnk → [2011/06/14 17:31:28 | 000,000,908 | ---- | C] ()
organize.ini → C:\Users\Joao\organize.ini → [2011/06/10 14:13:54 | 000,000,258 | -HS- | C] ()
proce.dll → C:\Users\Joao\proce.dll → [2011/06/10 14:13:51 | 000,808,960 | -HS- | C] ()
mlfcache.dat → C:\Windows\System32\mlfcache.dat → [2011/05/07 00:27:12 | 000,145,148 | -H-- | C] ()
MSJCE.dll → C:\Windows\System32\MSJCE.dll → [2011/04/21 16:37:28 | 000,069,632 | ---- | C] ()
DesinstWRecnet.EXE → C:\Windows\DesinstWRecnet.EXE → [2011/04/21 16:17:10 | 000,128,000 | ---- | C] ()
DesinstRecnet.exe → C:\Windows\DesinstRecnet.exe → [2011/04/21 16:17:10 | 000,122,880 | ---- | C] ()
DesinstWRecnet.ini → C:\Windows\DesinstWRecnet.ini → [2011/04/21 16:17:10 | 000,005,361 | ---- | C] ()
GCAP2010.ini → C:\Windows\GCAP2010.ini → [2011/03/27 21:59:18 | 000,000,126 | ---- | C] ()
Tutil32.dll → C:\Windows\System32\Tutil32.dll → [2011/03/27 21:59:14 | 000,244,984 | ---- | C] ()
Remover.ini → C:\Windows\System32\Remover.ini → [2010/10/31 20:46:46 | 000,000,291 | ---- | C] ()
SP7302.ini → C:\Windows\System32\SP7302.ini → [2010/10/31 20:46:44 | 000,000,566 | ---- | C] ()
sp_rsdrv2.sys → C:\Windows\System32\drivers\sp_rsdrv2.sys → [2010/10/31 18:13:59 | 000,142,592 | ---- | C] ()
ODBC.INI → C:\Windows\ODBC.INI → [2010/10/31 14:20:45 | 000,000,412 | ---- | C] ()
StructuredQuerySchema.bin → C:\Windows\System32\StructuredQuerySchema.bin → [2010/10/31 01:49:02 | 000,107,612 | ---- | C] ()
EhStorAuthn.dll → C:\Windows\System32\EhStorAuthn.dll → [2010/10/31 01:49:01 | 000,117,248 | ---- | C] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini → C:\Users\Joao\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini → [2010/10/30 23:25:03 | 000,097,280 | ---- | C] ()
StructuredQuerySchemaTrivial.bin → C:\Windows\System32\StructuredQuerySchemaTrivial.bin → [2010/10/30 22:39:59 | 000,018,904 | ---- | C] ()
atiumdva.dat → C:\Windows\System32\atiumdva.dat → [2008/08/28 16:44:28 | 003,107,788 | ---- | C] ()
atitmmxx.dll → C:\Windows\System32\atitmmxx.dll → [2008/08/28 16:44:28 | 000,159,744 | ---- | C] ()
atiicdxx.dat → C:\Windows\System32\atiicdxx.dat → [2008/08/28 16:44:28 | 000,145,112 | ---- | C] ()
FontZoom.exe → C:\Windows\System32\FontZoom.exe → [2008/08/28 12:02:09 | 000,303,104 | ---- | C] ()
DellPM.ini → C:\Windows\System32\DellPM.ini → [2008/08/28 12:02:09 | 000,131,078 | ---- | C] ()
prfi0416.dat → C:\Windows\System32\prfi0416.dat → [2008/01/21 02:26:25 | 000,318,818 | ---- | C] ()
prfh0416.dat → C:\Windows\System32\prfh0416.dat → [2008/01/21 02:26:24 | 000,643,358 | ---- | C] ()
prfc0416.dat → C:\Windows\System32\prfc0416.dat → [2008/01/21 02:26:24 | 000,124,862 | ---- | C] ()
prfd0416.dat → C:\Windows\System32\prfd0416.dat → [2008/01/21 02:26:24 | 000,037,412 | ---- | C] ()
namResES.dll → C:\Windows\System32\namResES.dll → [2007/03/19 05:04:58 | 000,003,584 | ---- | C] ()
namResIT.dll → C:\Windows\System32\namResIT.dll → [2007/03/19 05:04:58 | 000,003,072 | ---- | C] ()
namResFR.dll → C:\Windows\System32\namResFR.dll → [2007/03/19 05:04:58 | 000,003,072 | ---- | C] ()
namResENG.dll → C:\Windows\System32\namResENG.dll → [2007/03/19 05:04:58 | 000,003,072 | ---- | C] ()
namResDE.dll → C:\Windows\System32\namResDE.dll → [2007/03/19 05:04:58 | 000,003,072 | ---- | C] ()
namResPTB.dll → C:\Windows\System32\namResPTB.dll → [2007/03/19 05:04:56 | 000,003,584 | ---- | C] ()
namResZHC.dll → C:\Windows\System32\namResZHC.dll → [2007/03/19 05:04:56 | 000,003,072 | ---- | C] ()
namResKO.dll → C:\Windows\System32\namResKO.dll → [2007/03/19 05:04:56 | 000,003,072 | ---- | C] ()
namResJA.dll → C:\Windows\System32\namResJA.dll → [2007/03/19 05:04:56 | 000,003,072 | ---- | C] ()
nam_page.dll → C:\Windows\System32\nam_page.dll → [2007/03/19 05:04:54 | 000,022,016 | ---- | C] ()
namResZHT.dll → C:\Windows\System32\namResZHT.dll → [2007/03/19 05:04:54 | 000,003,072 | ---- | C] ()
bootstat.dat → C:\Windows\bootstat.dat → [2006/11/02 09:57:28 | 000,067,584 | --S- | C] ()
FNTCACHE.DAT → C:\Windows\System32\FNTCACHE.DAT → [2006/11/02 09:47:37 | 000,377,504 | ---- | C] ()
sysprepMCE.dll → C:\Windows\System32\sysprepMCE.dll → [2006/11/02 09:35:32 | 000,005,632 | ---- | C] ()
perfh009.dat → C:\Windows\System32\perfh009.dat → [2006/11/02 07:33:01 | 000,595,798 | ---- | C] ()
perfi009.dat → C:\Windows\System32\perfi009.dat → [2006/11/02 07:33:01 | 000,287,440 | ---- | C] ()
perfc009.dat → C:\Windows\System32\perfc009.dat → [2006/11/02 07:33:01 | 000,103,872 | ---- | C] ()
perfd009.dat → C:\Windows\System32\perfd009.dat → [2006/11/02 07:33:01 | 000,030,674 | ---- | C] ()
dssec.dat → C:\Windows\System32\dssec.dat → [2006/11/02 07:23:21 | 000,215,943 | ---- | C] ()
mib.bin → C:\Windows\mib.bin → [2006/11/02 05:58:30 | 000,043,131 | ---- | C] ()
NOISE.DAT → C:\Windows\System32\NOISE.DAT → [2006/11/02 05:19:00 | 000,000,741 | ---- | C] ()
pacerprf.ini → C:\Windows\System32\pacerprf.ini → [2006/11/02 04:40:29 | 000,013,750 | ---- | C] ()
mlang.dat → C:\Windows\System32\mlang.dat → [2006/11/02 04:25:31 | 000,673,088 | ---- | C] ()
linstall.dll → C:\Windows\System32\linstall.dll → [2005/09/29 16:42:56 | 000,049,152 | ---- | C] ()
UnzDll.dll → C:\Windows\System32\UnzDll.dll → [2005/06/10 10:56:06 | 000,120,320 | ---- | C] ()
ZipDll.dll → C:\Windows\System32\ZipDll.dll → [2005/06/10 10:55:04 | 000,123,904 | ---- | C] ()
opencrypto.dll → C:\Windows\System32\opencrypto.dll → [2004/05/13 20:14:58 | 000,122,880 | ---- | C] ()
libeay32.dll → C:\Windows\System32\libeay32.dll → [2004/03/18 17:43:44 | 000,843,776 | ---- | C] ()
pthreadVC.dll → C:\Windows\System32\pthreadVC.dll → [2003/02/03 18:12:00 | 000,053,299 | ---- | C] ()
[File - Lop Check]
Digiarty → C:\Users\Joao\AppData\Roaming\Digiarty → [2011/03/14 00:50:14 | 000,000,000 | ---D | M]
IrfanView → C:\Users\Joao\AppData\Roaming\IrfanView → [2011/05/19 19:15:06 | 000,000,000 | ---D | M]
OpenOffice.org → C:\Users\Joao\AppData\Roaming\OpenOffice.org → [2010/10/31 22:23:35 | 000,000,000 | ---D | M]
Opera → C:\Users\Joao\AppData\Roaming\Opera → [2010/10/31 21:42:19 | 000,000,000 | ---D | M]
Spyware Terminator → C:\Users\Joao\AppData\Roaming\Spyware Terminator → [2011/06/12 20:13:22 | 000,000,000 | ---D | M]
TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1 → C:\Users\Joao\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1 → [2011/05/07 00:28:20 | 000,000,000 | ---D | M]
Visan → C:\Users\Joao\AppData\Roaming\Visan → [2011/04/26 00:08:27 | 000,000,000 | ---D | M]
Windows Live Writer → C:\Users\Joao\AppData\Roaming\Windows Live Writer → [2010/11/11 00:13:29 | 000,000,000 | ---D | M]
SCHEDLGU.TXT → C:\Windows\Tasks\SCHEDLGU.TXT → [2011/06/15 11:38:35 | 000,032,616 | ---- | M] ()

[Custom Scans]
< %SYSTEMDRIVE%*.exe >
< MD5 Scans Start>
< %systemdrive%\EXPLORER.EXE /md5 /s >
explorer.exe : MD5=37440D09DEAE0B672A04DCCF7ABF06BE → C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe → [2008/10/29 03:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation)
explorer.exe : MD5=4F554999D7D5F05DAAEBBA7B5BA1089D → C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe → [2008/10/29 03:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation)
explorer.exe : MD5=50BA5850147410CDE89C523AD3BC606E → C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe → [2008/10/30 00:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation)
explorer.exe : MD5=D07D4C3038F3578FFCE1C0237F2A1253 → C:\Windows\explorer.exe → [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
explorer.exe : MD5=D07D4C3038F3578FFCE1C0237F2A1253 → C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe → [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
explorer.exe : MD5=E7156B0B74762D9DE0E66BDCDE06E5FB → C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe → [2008/10/27 23:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation)
explorer.exe : MD5=FFA764631CB70A30065C12EF8E174F9F → C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe → [2008/01/20 23:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation)
< %systemdrive%\SVCHOST.EXE /md5 /s >
svchost.exe : MD5=3794B461C45882E06856F282EEF025AF → C:\Windows\System32\svchost.exe → [2008/01/20 23:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation)
svchost.exe : MD5=3794B461C45882E06856F282EEF025AF → C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe → [2008/01/20 23:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation)
< %systemdrive%\USERINIT.EXE /md5 /s >
userinit.exe : MD5=0E135526E9785D085BCD9AEDE6FBCBF9 → C:\Windows\System32\userinit.exe → [2008/01/20 23:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation)
userinit.exe : MD5=0E135526E9785D085BCD9AEDE6FBCBF9 → C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe → [2008/01/20 23:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation)
< %systemdrive%\VOLSNAP.INF /md5 /s >
volsnap.inf : MD5=E5EE5E075DAB1367001C467C70E8C580 → C:\Windows\inf\volsnap.inf → [2006/11/02 07:25:18 | 000,001,790 | ---- | M] ()
volsnap.inf : MD5=E5EE5E075DAB1367001C467C70E8C580 → C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_7eb8cdb5\volsnap.inf → [2006/11/02 03:35:04 | 000,001,790 | ---- | M] ()
< %systemdrive%\VOLSNAP.INF_LOC /md5 /s >
volsnap.inf_loc : MD5=6EE2079E1308942DE1F6341B91487460 → C:\Windows\System32\DriverStore\pt-BR\volsnap.inf_loc → [2008/01/21 02:16:25 | 000,000,214 | ---- | M] ()
volsnap.inf_loc : MD5=6EE2079E1308942DE1F6341B91487460 → C:\Windows\winsxs\x86_volsnap.inf.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_12c89f7df106ed95\volsnap.inf_loc → [2008/01/21 02:16:25 | 000,000,214 | ---- | M] ()
< %systemdrive%\VOLSNAP.PNF /md5 /s >
volsnap.PNF : MD5=6F909500A4930C426F06FF50E036624E → C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_7eb8cdb5\volsnap.PNF → [2008/08/28 11:52:58 | 000,005,036 | ---- | M] ()
volsnap.PNF : MD5=9E910C7F88CA048627E0BDC30C32662B → C:\Windows\inf\volsnap.PNF → [2008/08/28 11:52:58 | 000,005,036 | ---- | M] ()
< %systemdrive%\VOLSNAP.SYS /md5 /s >
volsnap.sys : MD5=11EF6C1CAEF76B685233450A126125D6 → C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys → [2006/11/02 06:51:18 | 000,208,488 | ---- | M] (Microsoft Corporation)
volsnap.sys : MD5=147281C01FCB1DF9252DE2A10D5E7093 → C:\Windows\System32\drivers\volsnap.sys → [2009/04/11 03:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation)
volsnap.sys : MD5=147281C01FCB1DF9252DE2A10D5E7093 → C:\Windows\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys → [2009/04/11 03:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation)
volsnap.sys : MD5=147281C01FCB1DF9252DE2A10D5E7093 → C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys → [2009/04/11 03:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation)
volsnap.sys : MD5=D8B4A53DD2769F226B3EB374374987C9 → C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys → [2008/01/20 23:23:21 | 000,227,896 | ---- | M] (Microsoft Corporation)
volsnap.sys : MD5=D8B4A53DD2769F226B3EB374374987C9 → C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys → [2008/01/20 23:23:21 | 000,227,896 | ---- | M] (Microsoft Corporation)
< %systemdrive%\VOLSNAP.SYS.MUI /md5 /s >
volsnap.sys.mui : MD5=EAA3DBE228BA4EE60924810EFA878416 → C:\Windows\winsxs\x86_volume.inf.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_7a8bbec12fbe4a00\volsnap.sys.mui → [2008/01/21 02:12:45 | 000,016,384 | ---- | M] (Microsoft Corporation)
volsnap.sys.mui : MD5=EF3B5B76CB04AD2821FC8B6EED6C051C → C:\Windows\System32\drivers\pt-BR\volsnap.sys.mui → [2008/01/21 02:19:36 | 000,036,864 | ---- | M] (Microsoft Corporation)
volsnap.sys.mui : MD5=EF3B5B76CB04AD2821FC8B6EED6C051C → C:\Windows\winsxs\x86_volume.inf.resources_31bf3856ad364e35_6.0.6001.18000_pt-br_7cc280bd2ca95ad4\volsnap.sys.mui → [2008/01/21 02:19:36 | 000,036,864 | ---- | M] (Microsoft Corporation)

< %systemdrive%\WINLOGON.EXE  /md5 /s >
 winlogon.exe : MD5=898E7C06A350D4A1A64A9EA264D55452 -> C:\Windows\System32\winlogon.exe -> [2009/04/11 03:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation)
 winlogon.exe : MD5=898E7C06A350D4A1A64A9EA264D55452 -> C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe -> [2009/04/11 03:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation)
 winlogon.exe : MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -> C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe -> [2008/01/20 23:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation)
< MD5 Scans End>
< %systemroot%\*. /mp /s >
< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand -> C:\Windows\System32\IE4UINIT.EXE ["C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE] -> [2011/04/05 20:52:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand -> C:\Windows\System32\IE4UINIT.EXE ["C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW] -> [2011/04/05 20:52:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand -> C:\Windows\System32\IE4UINIT.EXE ["C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL] -> [2011/04/05 20:52:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\ -> C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE ["C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF] -> [2011/04/05 20:52:30 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\ -> C:\Arquivos de Programas\Internet Explorer\iexplore.exe [C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE] -> [2011/04/05 20:52:30 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\InstallInfo ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\InstallInfo\\ShowIconsCommand -> C:\PROGRAM FILES\OPERA\OPERA.EXE ["C:\PROGRAM FILES\OPERA\OPERA.EXE" /SHOWICONSCOMMAND] -> [2011/05/29 17:28:59 | 000,941,936 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\InstallInfo\\HideIconsCommand -> C:\PROGRAM FILES\OPERA\OPERA.EXE ["C:\PROGRAM FILES\OPERA\OPERA.EXE" /HIDEICONSCOMMAND] -> [2011/05/29 17:28:59 | 000,941,936 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\InstallInfo\\ReinstallCommand -> C:\PROGRAM FILES\OPERA\OPERA.EXE ["C:\PROGRAM FILES\OPERA\OPERA.EXE" /REINSTALLBROWSER] -> [2011/05/29 17:28:59 | 000,941,936 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\shell\open\command ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\shell\open\command\\ -> C:\PROGRAM FILES\OPERA\OPERA.EXE ["C:\PROGRAM FILES\OPERA\OPERA.EXE"] -> [2011/05/29 17:28:59 | 000,941,936 | ---- | M] (Opera Software)
< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand -> C:\Windows\System32\IE4UINIT.EXE ["C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE] -> [2011/04/05 20:52:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand -> C:\Windows\System32\IE4UINIT.EXE ["C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW] -> [2011/04/05 20:52:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand -> C:\Windows\System32\IE4UINIT.EXE ["C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL] -> [2011/04/05 20:52:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\ -> C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE ["C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF] -> [2011/04/05 20:52:30 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\ -> C:\Arquivos de Programas\Internet Explorer\iexplore.exe [C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE] -> [2011/04/05 20:52:30 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\InstallInfo ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\InstallInfo\\ShowIconsCommand -> C:\PROGRAM FILES\OPERA\OPERA.EXE ["C:\PROGRAM FILES\OPERA\OPERA.EXE" /SHOWICONSCOMMAND] -> [2011/05/29 17:28:59 | 000,941,936 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\InstallInfo\\HideIconsCommand -> C:\PROGRAM FILES\OPERA\OPERA.EXE ["C:\PROGRAM FILES\OPERA\OPERA.EXE" /HIDEICONSCOMMAND] -> [2011/05/29 17:28:59 | 000,941,936 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\InstallInfo\\ReinstallCommand -> C:\PROGRAM FILES\OPERA\OPERA.EXE ["C:\PROGRAM FILES\OPERA\OPERA.EXE" /REINSTALLBROWSER] -> [2011/05/29 17:28:59 | 000,941,936 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\shell\open\command ->  -> 
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\shell\open\command\\ -> C:\PROGRAM FILES\OPERA\OPERA.EXE ["C:\PROGRAM FILES\OPERA\OPERA.EXE"] -> [2011/05/29 17:28:59 | 000,941,936 | ---- | M] (Opera Software)
 
CREATERESTOREPOINT
Restore point Set: OTS Restore Point
 
[Alternate Data Streams]
@Alternate Data Stream - 146 bytes -> C:\Windows\System32\drivers:GbpKmAp.lst
@Alternate Data Stream - 2 bytes -> C:\Windows\System32:E5D9D7C9_Bb.gbp
@Alternate Data Stream - 2 bytes -> C:\Windows\System32:E5D9D7C9_Cef.gbp
< End of report >
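The "< MD5 Scans Start>" section of the log above hashes each of the sensitive system binaries (explorer.exe, svchost.exe, userinit.exe, winlogon.exe, volsnap.sys) wherever a copy exists, including the copies Windows keeps in the WinSxS component store and the DriverStore. The triage question that section answers is whether the live file in C:\Windows or System32 still equals one of its servicing copies. The script below is an added example, not part of the OTS log or of OldTimer's tool: it parses lines in that format and reports any live copy whose hash matches none of the store copies of the same file. The sample lines are copied from the log, except that the userinit.exe live-copy hash is deliberately altered so that the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "< MD5 Scans Start>" section of an OTS log.
# Hashes and paths are copied from the log above; the hash of the live userinit.exe
# is deliberately changed to FFFF... so that one mismatch is reported.
SAMPLE_MD5_LINES = r"""
explorer.exe : MD5=D07D4C3038F3578FFCE1C0237F2A1253 -> C:\Windows\explorer.exe -> [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
explorer.exe : MD5=D07D4C3038F3578FFCE1C0237F2A1253 -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe -> [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
svchost.exe : MD5=3794B461C45882E06856F282EEF025AF -> C:\Windows\System32\svchost.exe -> [2008/01/20 23:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation)
svchost.exe : MD5=3794B461C45882E06856F282EEF025AF -> C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe -> [2008/01/20 23:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation)
userinit.exe : MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> C:\Windows\System32\userinit.exe -> [2008/01/20 23:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation)
userinit.exe : MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -> C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe -> [2008/01/20 23:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation)
"""

# One OTS MD5 line: "<name> : MD5=<hash> -> <path> -> [<stamp> | <size> | <attrs> | C|M] (<company>)".
# Both the ASCII "->" and the "→" that forum rendering substitutes are accepted.
MD5_LINE = re.compile(
    r"^(?P<name>\S+) : MD5=(?P<md5>[0-9A-Fa-f]{32}) (?:->|→) (?P<path>.+?) (?:->|→) "
    r"\[(?P<stamp>[^|]+) \| (?P<size>[\d,]+) \| (?P<attr>\S+) \| (?P<kind>[CM])\] \((?P<company>.*)\)$"
)

# Path fragments that mark a servicing copy rather than the file Windows actually runs.
STORE_MARKERS = ("\\winsxs\\", "\\driverstore\\")


def parse_md5_lines(text):
    """Yield one dict per well-formed MD5 scan line; headers and other lines are skipped."""
    for raw in text.splitlines():
        m = MD5_LINE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["md5"] = rec["md5"].upper()
        rec["size"] = int(rec["size"].replace(",", ""))
        rec["is_store"] = any(k in rec["path"].lower() for k in STORE_MARKERS)
        yield rec


def find_unmatched_live(text):
    """Return (name, path, md5, known_store_hashes) for every live copy whose hash
    matches none of the WinSxS/DriverStore copies of the same file name."""
    by_name = defaultdict(lambda: {"store": set(), "live": []})
    for rec in parse_md5_lines(text):
        bucket = by_name[rec["name"].lower()]
        if rec["is_store"]:
            bucket["store"].add(rec["md5"])
        else:
            bucket["live"].append(rec)
    findings = []
    for name, bucket in sorted(by_name.items()):
        for rec in bucket["live"]:
            if rec["md5"] not in bucket["store"]:
                findings.append((name, rec["path"], rec["md5"], sorted(bucket["store"])))
    return findings


if __name__ == "__main__":
    for name, path, md5, known in find_unmatched_live(SAMPLE_MD5_LINES):
        print(f"MISMATCH {name}: {path} MD5={md5}; store copies: {', '.join(known) or 'none'}")
```

Run against the real log, every live copy matches a store copy (explorer.exe matches the 6.0.6002.18005 component, the other WinSxS explorer.exe copies being older servicing versions), which is consistent with those binaries being untouched on disk. The check says nothing about code loaded into those processes after they start, and MD5 is used only because that is what OTS emits; a mismatch is a reason to pull the file for a proper look, not a verdict.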

Yeah… forgot to tell you… to avoid multiple posts with copy and paste, you can attach

lower left corner > Additional Options > Attach :wink:

Essexboy is notified and will review the log when he arrives, usually late UK time…

@ sratoz
I would also suggest you go ahead and attach the OTS log, as that will be much easier for essexboy to read than multiple posts when he does get on the forums.

Sorry for not having attached the file earlier.

Anyway here it is.

I have followed the guide regarding Malwarebytes' Anti-Malware as well as OTS, and then ran a full scan at boot. Is there something I am missing?

Regards,

Hi, are you still getting the alerts?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {C41A1C0E-EA6C-11D4-B1B8-444553540003} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{eee0fd32-08a9-11e0-9c8f-001ec9227237} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee0fd32-08a9-11e0-9c8f-001ec9227237}\shell\AutoRun\command -> 
YN -> \{eee0fd32-08a9-11e0-9c8f-001ec9227237}\shell\AutoRun\command\\"" -> [K:\urDrive.exe]
[Registry - Additional Scans - Safe List]
< Drivers32 [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
YN -> "vidc.mjpg" -> [pvmjpg30.dll]
[Files - No Company Name]
NY ->  proce.dll -> C:\Users\Joao\proce.dll
NY ->  DesinstWRecnet.EXE -> C:\Windows\DesinstWRecnet.EXE
NY ->  DesinstRecnet.exe -> C:\Windows\DesinstRecnet.exe
NY ->  DesinstWRecnet.ini -> C:\Windows\DesinstWRecnet.ini
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
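The fix above removes a MountPoints2 AutoRun command whose target, K:\urDrive.exe, OTS reported as "File not found"; the earlier log listed a second entry of the same shape ("L:\WD SmartWare.exe" autoplay=true) and the content of L:\autorun.inf, which only sets an icon. The script below is an added example, not part of OTS or of the fix: it parses autorun.inf text and flags the keys that actually launch something (open, shellexecute, shell, and shell\<verb>\command), and parses OTS MountPoints2 command lines to separate orphaned entries from ones whose target is still present. The second autorun.inf and the third MountPoints2 line are constructed to show the flagged cases, and the way OTS renders a target that does exist is an assumption.

```python
import configparser
import re

# Constructed samples. AUTORUN_BENIGN is the L:\autorun.inf shown in the OTS log above
# (OTS prints the file's lines joined by " | "); AUTORUN_EXEC is a constructed example of
# the shape a self-launching autorun.inf takes, present only to show what gets flagged.
AUTORUN_BENIGN = "[autorun]\nICON=AUTORUN\\WDLOGO.ICO\n"
AUTORUN_EXEC = (
    "[autorun]\n"
    "open=RECYCLER\\hidden.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "shell\\open\\command=RECYCLER\\hidden.exe\n"
    "shellexecute=RECYCLER\\hidden.exe\n"
)

# Constructed MountPoints2 lines in OTS form. The first two are the entries from the log
# above; the third is invented, and its "found" rendering is an assumption about how OTS
# prints a target that exists.
SAMPLE_MP2_LINES = r"""
\{078e6db2-0b92-11e0-a456-001ec9227237}\shell\AutoRun\command\\"" -> ["L:\WD SmartWare.exe" autoplay=true] -> File not found
\{eee0fd32-08a9-11e0-9c8f-001ec9227237}\shell\AutoRun\command\\"" -> [K:\urDrive.exe] -> File not found
\{11111111-2222-3333-4444-555555555555}\shell\AutoRun\command\\"" -> [E:\setup.exe] -> E:\setup.exe [2011/06/10 14:13:51 | 000,808,960 | ---- | M] ()
"""

# [autorun] keys that make Explorer launch something; everything else (icon, label,
# action) is cosmetic.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell|shell\\[^\\]+\\command)$", re.I)

# "\{guid}\shell\<verb>\command\\"" -> [<command>] -> <status>", tolerating the single
# backslash and "→" that forum rendering leaves behind.
MP2_LINE = re.compile(
    r'^\\?\{(?P<guid>[0-9a-f-]{36})\}\\shell\\(?P<verb>[^\\]+)\\command\\\\?"" '
    r"(?:->|→) \[(?P<cmd>.*?)\] (?:->|→) (?P<status>.*)$",
    re.I,
)


def autorun_exec_targets(inf_text):
    """Return the (key, value) pairs in [autorun] that would execute code."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    if not cp.has_section("autorun"):
        return []
    return [(k, v) for k, v in cp.items("autorun") if EXEC_KEY.match(k)]


def command_target(cmd):
    """Pull the executable out of a shell command string, honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0]


def triage_mountpoints(text):
    """Classify each MountPoints2 command line as 'orphaned' (OTS could not find the
    target, which is what the fix above removes) or 'present' (worth a closer look)."""
    out = []
    for raw in text.splitlines():
        m = MP2_LINE.match(raw.strip())
        if not m:
            continue
        state = "orphaned" if m["status"].strip().lower() == "file not found" else "present"
        out.append({"guid": m["guid"].lower(), "verb": m["verb"],
                    "target": command_target(m["cmd"]), "state": state})
    return out


if __name__ == "__main__":
    for label, inf in (("benign", AUTORUN_BENIGN), ("exec", AUTORUN_EXEC)):
        print(label, "launches:", autorun_exec_targets(inf) or "nothing")
    for entry in triage_mountpoints(SAMPLE_MP2_LINES):
        print(f"{entry['state']:8} {entry['guid']} {entry['verb']} -> {entry['target']}")
```

Both MountPoints2 entries in the log come out as orphaned, so deleting the {078e6db2...} key would be as harmless as deleting the {eee0fd32...} one the fix targets. "File not found" only means the removable drive was not attached when OTS ran, so an orphaned entry is neither evidence of infection nor proof of the opposite; the thing that matters on a drive that is attached is whether its autorun.inf carries one of the launching keys.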

Hello, essexboy. As a matter of fact, yes, I still get the alerts whatever application I launch. They work normally (or so they seem), but the alert is there. And, as a bonus, I often get an svchost.exe alert as well.

I will do as you suggest and post the results here. Let us see…

Hello. So I have run OTS and it has generated the log below.

By the way, I still get warnings of Banker-O infection whenever I launch an application, be it iexplore.exe, twitterdeck.exe, opera.exe, excel.exe, googleupdate.exe, you name it… Help is appreciated. I wish I could reward it too…

Log follows.

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540003}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee0fd32-08a9-11e0-9c8f-001ec9227237}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{eee0fd32-08a9-11e0-9c8f-001ec9227237}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee0fd32-08a9-11e0-9c8f-001ec9227237}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee0fd32-08a9-11e0-9c8f-001ec9227237}\shell\AutoRun\command not found.
[Registry - Additional Scans - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\vidc.mjpg deleted successfully.
[Files - No Company Name]
DllUnregisterServer procedure not found in C:\Users\Joao\proce.dll
C:\Users\Joao\proce.dll moved successfully.
C:\Windows\DesinstWRecnet.EXE moved successfully.
C:\Windows\DesinstRecnet.exe moved successfully.
C:\Windows\DesinstWRecnet.ini moved successfully.
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Joao
->Temp folder emptied: 321393246 bytes
->Temporary Internet Files folder emptied: 113080434 bytes
->Java cache emptied: 10784726 bytes
->Opera cache emptied: 28073661 bytes
->Flash cache emptied: 57430 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21655361 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 472,00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Joao
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0,00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 06182011_192404

Files\Folders moved on Reboot…
C:\Users\Joao\AppData\Local\Temp\~DFD02F.tmp moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\Windows\temp\ZLT02b01.TMP not found!

Registry entries deleted on Reboot…

OK, as it is whenever you launch a programme, I am beginning to suspect something is hooking the files - there are two possible reasons, TDL3 or a rootkit.

So let's see.

Please read carefully and follow these steps.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop.
3. Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

4. If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

5. If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

6. It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

7. If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
8. If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version]_[Date]_[Time]_log.txt”. Please copy and paste the contents of that file here.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

IMPORTANT!!! Save ComboFix.exe to your Desktop.

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
2. Double click on ComboFix.exe and follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Yay! TDSSKiller found nothing wrong. Then I disabled all other applications and ran ComboFix, which rebooted. Unfortunately I had forgotten to disable the “load at start” settings, so ComboFix tried to continue its magic but was cut short. Oh well, I disabled everything again and reran ComboFix. This time it did not reboot! But finished.

TDSSKiller’s and ComboFix’s reports follow after my message. But, essexboy, I have to thank you: whatever it was, it has stopped now! Avast is giving me no more warnings! I am running Iexplore, TweetDeck, Skype is loaded, svchost has certainly done a lot of connecting… and no warnings have popped up since I last booted! All hail ComboFix!

After all was finished, a message remained, saying that an .exe file (sorry I clicked OK before taking note of the name… it began with a D and finished with 2k) could not be found. But everything seems to be working fine.

(Anyway, whatever happened?)

Reports are attached. You may see that ComboFix’s is written in Portuguese, but I assume that you know where to find what you are looking for, much the same way we can tell where to click in a Windows “OK/Cancel” popup window even though it is in an exotic language…

Last but not least, there are files that attempted to run during boot (on that occasion when ComboFix tried to run but I had not disabled the security applications). Spyware Terminator detected them, I denied access, and only later did I speculate that they might be ComboFix-related… So I disabled everything and ran ComboFix again, as I said. Now I found them listed in ComboFix’s quarantine report, which is this:

2011-06-19 20:23:08 . 2011-06-19 20:23:08 426 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Receitanet.reg.dat
2011-06-19 20:22:56 . 2011-06-19 20:22:56 210 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM_ActiveSetup-ccc-core-static.reg.dat
2011-06-19 20:01:55 . 2002-10-16 12:56:50 36 ----a-w- C:\Qoobox\Quarantine\L\Autorun.inf.vir
2011-06-19 19:55:43 . 2011-06-19 19:55:43 1,112 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2011-06-19 19:55:43 . 2011-06-19 19:55:43 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2011-06-19 19:55:26 . 2011-06-19 20:19:46 3,863 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-19 19:49:27 . 2011-06-19 20:15:35 124 ----a-w- C:\Qoobox\Quarantine\catchme.log
2003-04-04 18:07:20 . 2003-04-04 18:07:20 30,336 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\npf.sys.vir
2003-04-04 18:03:00 . 2003-04-04 18:03:00 57,344 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Packet.dll.vir
2003-04-04 17:54:48 . 2003-04-04 17:54:48 208,896 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\wpcap.dll.vir
2003-02-03 21:12:00 . 2003-02-03 21:12:00 53,299 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\pthreadVC.dll.vir

The application Receitanet is legitimate. It is meant to connect to Brazil’s treasury to report on tax.

By the way, after all was done, I could not open a certain eula.txt because it was “marked for deletion”. Presumably, ComboFix did it. I then deleted the eula.txt and everything is all right.