Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan-Downloader.WMA.Wimad.y [Solved]

Started by Andre Silva , Feb 09 2010 11:42 PM

  • This topic is locked This topic is locked

#1
Andre Silva
Posted 09 February 2010 - 11:42 PM

Andre Silva

    Member

  • Member
  • PipPipPip
  • 140 posts
Hello everyone,

I had the pleasure of working with Mjöllnir from Geekstogo on my personal computer and resolved my virus problem :) . I´m truly amazed the organization and resourcefulness of this forum. It should be considered an international reference point for IT.

I have another family computer which has been infected with several viruses. I would like to kindly ask for some additional assistance.

The diagnosis from Kaspersky is the following:

Trojan-Downloader.WMA.Wimad.y
Trojan-Downloader.WMA.Wimad.y
Trojan-Downloader.WMA.GetCodec.af
Trojan-Downloader.WMA.Wimad.y
Trojan-Downloader.WMA.Wimad.y
Trojan-Downloader.WMA.Wimad.y

I performed the procedures presented on "Malware and Spyware Cleaning Guide" from Geekstogo. Here follows the logs for MBAM and OTL.
**I was not able to get a GMER log as it shut down my machine and made it reboot twice and appeared a blue screen with the warning "dumping physical memory".

Thank you all forum members for your willingness to help. Your efforts and expertise are indeed much appreciated.

Best regards,

Andre

Malwarebytes' Anti-Malware 1.44
Database version: 3711
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

09/02/2010 02:13:07
mbam-log-2010-02-09 (02-13-07).txt

Scan type: Quick Scan
Objects scanned: 106985
Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{t5tbb77l-4678-0mkc-421q-14416031dyu6} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{t5tbb77l-4678-0mkc-421q-14416031dyu6} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cerberus (Backdoor.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\dark (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL logfile created on: 10/02/2010 02:54:23 - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Users\p\Documents\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: dd/MM/yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 56,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 223,14 Gb Total Space | 145,98 Gb Free Space | 65,42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 2,57 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PRISCILLA
Current User Name: p
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/10 02:46:59 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Users\p\Documents\Downloads\OTL.exe
PRC - [2010/02/06 02:13:42 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Arquivos de programas\AVG\AVG9\avgnsx.exe
PRC - [2010/02/06 02:13:42 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Arquivos de programas\AVG\AVG9\avgrsx.exe
PRC - [2010/02/06 02:13:40 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe
PRC - [2010/02/06 02:13:32 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe
PRC - [2010/02/06 02:13:31 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe
PRC - [2010/02/06 02:13:30 | 000,827,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Arquivos de programas\AVG\AVG9\avgam.exe
PRC - [2010/01/21 05:24:00 | 000,527,344 | ---- | M] (Google Inc.) -- C:\Users\p\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2009/09/17 17:33:44 | 000,053,640 | ---- | M] ( ) -- C:\Arquivos de programas\GbPlugin\GbpSv.exe
PRC - [2009/07/14 08:59:24 | 000,168,960 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Windows Media Player\wmplayer.exe
PRC - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/05/18 11:13:50 | 000,185,640 | ---- | M] (TeamViewer GmbH) -- C:\Arquivos de programas\TeamViewer\Version4\TeamViewer_Service.exe
PRC - [2008/10/29 04:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/25 11:44:34 | 000,031,072 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/08/06 19:06:44 | 001,771,360 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Sony\VAIO Power Management\SPMgr.exe
PRC - [2008/08/06 19:06:42 | 000,411,488 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Sony\VAIO Power Management\SPMService.exe
PRC - [2008/07/15 19:04:08 | 000,182,112 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Sony\VAIO Event Service\VESMgr.exe
PRC - [2008/07/15 19:04:08 | 000,100,472 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Sony\VAIO Event Service\VESMgrSub.exe
PRC - [2008/07/04 01:02:59 | 000,256,536 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2008/07/04 01:02:44 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxext.exe
PRC - [2008/07/04 01:02:44 | 000,145,944 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2008/07/04 01:02:26 | 000,170,520 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2008/07/03 04:06:17 | 000,104,992 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RTKAUDIOSERVICE.EXE
PRC - [2008/06/20 09:56:44 | 000,415,744 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
PRC - [2008/06/19 09:55:48 | 000,279,848 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
PRC - [2008/06/12 00:13:24 | 000,337,184 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
PRC - [2008/06/11 20:46:10 | 000,866,144 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Sony\VAIO Update 4\VAIOUpdt.exe
PRC - [2008/06/06 21:51:32 | 000,976,160 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Sony\VCM Manager Setting\VcmMgrNotification.exe
PRC - [2008/05/22 15:23:10 | 000,192,512 | ---- | M] (Sony Corporation) -- C:\Arquivos de programas\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
PRC - [2008/03/25 15:32:18 | 000,104,960 | ---- | M] (ArcSoft, Inc.) -- C:\Arquivos de programas\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
PRC - [2008/01/25 00:14:25 | 000,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe
PRC - [2008/01/21 00:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Windows Media Player\wmpnetwk.exe
PRC - [2008/01/21 00:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Windows Media Player\wmpnscfg.exe
PRC - [2008/01/21 00:24:59 | 000,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2008/01/21 00:24:13 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2007/09/11 01:45:04 | 000,124,832 | ---- | M] () -- C:\Arquivos de programas\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/03/10 00:43:03 | 000,835,584 | ---- | M] (Synaptics, Inc.) -- C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/01/04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Arquivos de programas\Common Files\InterVideo\RegMgr\iviRegMgr.exe


========== Modules (SafeList) ==========

MOD - [2010/02/10 02:46:59 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Users\p\Documents\Downloads\OTL.exe
MOD - [2010/02/06 02:13:42 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
MOD - [2008/01/21 00:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/06 02:13:40 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/02/05 04:07:20 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/01/22 11:44:43 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/10/20 19:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Stopped] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe -- (AVP)
SRV - [2009/09/17 17:33:44 | 000,053,640 | ---- | M] ( ) [Unknown | Running] -- C:\Arquivos de Programas\GbPlugin\GbpSv.exe -- (GbpSv)
SRV - [2009/05/27 19:13:46 | 000,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/05/18 11:13:50 | 000,185,640 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe -- (TeamViewer4)
SRV - [2008/11/04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 11:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/06 19:06:42 | 000,411,488 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Power Management\SPMService.exe -- (VAIO Power Management)
SRV - [2008/07/15 19:04:08 | 000,182,112 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Arquivos de Programas\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2008/07/03 04:06:17 | 000,104,992 | ---- | M] (Realtek Semiconductor) [Auto | Running] -- C:\Windows\RTKAUDIOSERVICE.EXE -- (RtkAudioService)
SRV - [2008/06/20 09:56:44 | 000,415,744 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe -- (VCFw)
SRV - [2008/06/19 09:55:48 | 000,279,848 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)
SRV - [2008/06/12 00:13:24 | 000,337,184 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe -- (VcmIAlzMgr)
SRV - [2008/06/12 00:10:48 | 000,083,232 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe -- (VcmXmlIfHelper)
SRV - [2008/05/22 15:23:10 | 000,192,512 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)
SRV - [2008/05/22 15:21:44 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)
SRV - [2008/05/20 20:05:40 | 000,353,568 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media plus\SOHDms.exe -- (SOHDms)
SRV - [2008/05/20 20:05:40 | 000,103,712 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media plus\SOHCImp.exe -- (SOHCImp)
SRV - [2008/05/20 20:05:40 | 000,062,752 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media plus\SOHDs.exe -- (SOHDs)
SRV - [2008/05/20 02:51:34 | 000,077,824 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2008/05/20 02:49:04 | 000,053,248 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2008/05/20 02:29:06 | 000,053,248 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2008/03/25 15:32:18 | 000,104,960 | ---- | M] (ArcSoft, Inc.) [Auto | Running] -- C:\Arquivos de Programas\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe -- (uCamMonitor)
SRV - [2008/01/25 00:14:25 | 000,386,560 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
SRV - [2008/01/21 00:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Arquivos de programas\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/11 01:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Arquivos de Programas\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2007/01/04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/02 10:35:29 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/10/26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio.sony-latin.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio.sony-latin.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://search.live.c...?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "chrome://speeddial/content/speeddial.xul"
FF - prefs.js..extensions.enabledItems: [email protected]:3.5.1.110
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {87F8774F-B485-47E2-A755-A40A8A5E886D}:1.0.7.6
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.3
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.1.9.6
FF - prefs.js..extensions.enabledItems: [email protected]:9.0.0.736
FF - prefs.js..extensions.enabledItems: {64161300-e22b-11db-8314-0800200c9a66}:0.9.0.8
FF - prefs.js..keyword.URL: "http://search.live.c...FORM=MICUE2&q="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/02/06 02:18:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/16 09:38:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/16 09:38:34 | 000,000,000 | ---D | M]

[2009/06/02 03:33:09 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\mozilla\Extensions
[2009/06/02 03:33:09 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\mozilla\Extensions\[email protected]
[2010/02/09 10:12:11 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\mozilla\Firefox\Profiles\o8aw7m22.default\extensions
[2009/06/22 12:17:08 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\p\AppData\Roaming\mozilla\Firefox\Profiles\o8aw7m22.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/06/16 02:14:16 | 000,000,000 | ---D | M] (Speed Dial) -- C:\Users\p\AppData\Roaming\mozilla\Firefox\Profiles\o8aw7m22.default\extensions\{64161300-e22b-11db-8314-0800200c9a66}
[2009/12/15 17:52:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\p\AppData\Roaming\mozilla\Firefox\Profiles\o8aw7m22.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886D}
[2009/11/01 03:07:23 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\p\AppData\Roaming\mozilla\Firefox\Profiles\o8aw7m22.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/06/22 21:02:41 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\p\AppData\Roaming\mozilla\Firefox\Profiles\o8aw7m22.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/09/14 22:49:43 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\mozilla\Firefox\Profiles\o8aw7m22.default\extensions\[email protected]
[2009/06/04 00:24:34 | 000,001,632 | ---- | M] () -- C:\Users\p\AppData\Roaming\Mozilla\FireFox\Profiles\o8aw7m22.default\searchplugins\live-search.xml
[2010/02/09 02:49:29 | 000,000,000 | ---D | M] -- C:\Arquivos de Programas\Mozilla Firefox\extensions
[2010/02/09 02:49:29 | 000,000,000 | ---D | M] -- C:\Arquivos de Programas\Mozilla Firefox\extensions\[email protected]
[2009/10/29 09:22:21 | 000,001,027 | ---- | M] () -- C:\Arquivos de Programas\Mozilla Firefox\searchplugins\buscape.xml
[2009/10/29 09:22:22 | 000,001,135 | ---- | M] () -- C:\Arquivos de Programas\Mozilla Firefox\searchplugins\mercadolivre.xml
[2009/10/29 09:22:22 | 000,001,168 | ---- | M] () -- C:\Arquivos de Programas\Mozilla Firefox\searchplugins\wikipedia-br.xml
[2009/10/29 09:22:22 | 000,000,648 | ---- | M] () -- C:\Arquivos de Programas\Mozilla Firefox\searchplugins\yahoo-br.xml

O1 HOSTS File: ([2006/09/18 19:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de Programas\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de Programas\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de Programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de Programas\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Auxiliar de Conexão do Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de Programas\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de Programas\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de Programas\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de Programas\GbPlugin\gbieh.dll (Banco do Brasil)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Arquivos de Programas\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Arquivos de Programas\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de Programas\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de Programas\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Arquivos de Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de Programas\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de Programas\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Arquivos de Programas\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de Programas\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Arquivos de Programas\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SynTPEnh] C:\Arquivos de Programas\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinLogT] C:\Windows\WinLogT.exe (LightComm)
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [swg] C:\Arquivos de Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Arquivos de Programas\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Trine = C:\Windows\system32\Trine\Trine.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Trine = C:\Windows\system32\Trine\Trine.exe File not found
O8 - Extra context menu item: E&xportar para o Microsoft Excel - C:\Arquivos de Programas\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de Programas\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de Programas\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Arquivos de Programas\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Arquivos de Programas\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: &Teclado virtual - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Arquivos de Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Arquivos de Programas\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Veri&ficação de URLs - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Arquivos de Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 189.4.64.17 189.4.64.15
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de Programas\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Arquivos de Programas\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Arquivos de Programas\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Arquivos de Programas\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Arquivos de Programas\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Arquivos de Programas\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de Programas\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de Programas\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Arquivos de Programas\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Arquivos de Programas\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Arquivos de Programas\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Arquivos de Programas\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de Programas\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Arquivos de Programas\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de Programas\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Arquivos de Programas\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Arquivos de Programas\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Arquivos de Programas\Kaspersky Lab\Kaspersky Anti-Virus 2010\mzvkbd3.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ GbPluginBb: DllName - C:\Program Files\GbPlugin\gbieh.dll - C:\Arquivos de Programas\GbPlugin\gbieh.dll (Banco do Brasil)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\Windows\System32\VESWinlogon.dll (Sony Corporation)
O24 - Desktop WallPaper: C:\Users\p\AppData\Roaming\Microsoft\Windows Photo Gallery\Papel de Parede da Galeria de Fotos do Windows.jpg
O24 - Desktop BackupWallPaper: C:\Users\p\AppData\Roaming\Microsoft\Windows Photo Gallery\Papel de Parede da Galeria de Fotos do Windows.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Arquivos de Programas\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {E37CB5F0-51F5-4395-A808-5FA49E399F83} - C:\Arquivos de Programas\GbPlugin\gbieh.dll (Banco do Brasil)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 19:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{44cdba57-5ee5-11de-a14b-001dba925860}\Shell\AutoRun\command - "" = NADFOLDER\autorun.exe
O33 - MountPoints2\{44cdba57-5ee5-11de-a14b-001dba925860}\Shell\open\command - "" = NADFOLDER\autorun.exe
O33 - MountPoints2\{77fd151b-cc80-11de-a181-001dba925860}\Shell - "" = AutoRun
O33 - MountPoints2\{77fd151b-cc80-11de-a181-001dba925860}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{77fd1523-cc80-11de-a181-001dba925860}\Shell - "" = AutoRun
O33 - MountPoints2\{77fd1523-cc80-11de-a181-001dba925860}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{77fd1543-cc80-11de-a181-001dba925860}\Shell - "" = AutoRun
O33 - MountPoints2\{77fd1543-cc80-11de-a181-001dba925860}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{77fd154b-cc80-11de-a181-001dba925860}\Shell - "" = AutoRun
O33 - MountPoints2\{77fd154b-cc80-11de-a181-001dba925860}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{77fd154d-cc80-11de-a181-001dba925860}\Shell - "" = AutoRun
O33 - MountPoints2\{77fd154d-cc80-11de-a181-001dba925860}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{cbe9ca1b-c5eb-11de-8ed7-001dba925860}\Shell\AutoRun\command - "" = I:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/21 00:34:27 | 000,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/02/10 02:17:53 | 000,093,056 | ---- | C] (GMER) -- C:\pxlyypoc.sys
[2010/02/09 21:30:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2010/02/09 21:30:31 | 000,000,000 | ---D | C] -- C:\Users\p\Office Genuine Advantage
[2010/02/09 02:46:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2010/02/09 02:46:17 | 000,000,000 | ---D | C] -- C:\Arquivos de Programas\Kaspersky Lab
[2010/02/09 02:44:38 | 000,311,312 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\klif.sys
[2010/02/09 02:42:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2010/02/09 02:02:34 | 000,000,000 | ---D | C] -- C:\Users\p\AppData\Roaming\Malwarebytes
[2010/02/09 02:02:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/09 02:02:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/02/09 02:02:26 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/02/09 02:02:26 | 000,000,000 | ---D | C] -- C:\Arquivos de Programas\Malwarebytes' Anti-Malware
[2010/02/09 02:00:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/02/09 01:59:13 | 000,000,000 | ---D | C] -- C:\Arquivos de Programas\ERUNT
[2010/02/06 02:02:55 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/02/06 02:02:53 | 000,161,800 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgrkx86.sys
[2010/02/06 02:02:50 | 000,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/02/06 02:02:41 | 000,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/02/06 02:02:39 | 000,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/02/06 02:02:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\Avg
[2010/02/06 02:00:10 | 000,000,000 | ---D | C] -- C:\Windows\System32\Trine
[2010/02/01 10:00:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Real

========== Files - Modified Within 14 Days ==========

[2010/02/10 03:01:39 | 004,456,448 | ---- | M] () -- C:\Users\p\NTUSER.DAT
[2010/02/10 02:57:05 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/02/10 02:57:05 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/02/10 02:41:33 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/02/10 02:41:10 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/02/10 02:41:03 | 3081,801,728 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/10 02:40:56 | 223,388,872 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/02/10 02:17:53 | 000,093,056 | ---- | M] (GMER) -- C:\pxlyypoc.sys
[2010/02/10 01:43:31 | 000,284,915 | ---- | M] () -- C:\Users\p\Desktop\gmer.zip
[2010/02/10 00:03:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-952780558-6971352-2556725738-1000UA.job
[2010/02/09 20:52:44 | 000,000,000 | ---- | M] () -- C:\Users\p\AppData\Local\prvlcl.dat
[2010/02/09 15:37:15 | 000,008,042 | ---- | M] () -- C:\Users\p\Desktop\doc site.gif
[2010/02/09 09:30:36 | 055,322,153 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/02/09 03:02:08 | 000,311,312 | ---- | M] (Kaspersky Lab) -- C:\Windows\System32\drivers\klif.sys
[2010/02/09 02:48:53 | 000,108,059 | ---- | M] () -- C:\Windows\System32\drivers\klin.dat
[2010/02/09 02:48:53 | 000,095,259 | ---- | M] () -- C:\Windows\System32\drivers\klick.dat
[2010/02/09 02:30:24 | 000,524,288 | -HS- | M] () -- C:\Users\p\NTUSER.DAT{1b4d737c-c873-11de-b59f-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
[2010/02/09 02:30:24 | 000,065,536 | -HS- | M] () -- C:\Users\p\NTUSER.DAT{1b4d737c-c873-11de-b59f-806e6f6e6963}.TM.blf
[2010/02/09 02:30:22 | 002,843,432 | -H-- | M] () -- C:\Users\p\AppData\Local\IconCache.db
[2010/02/09 02:02:32 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/09 01:03:00 | 000,000,840 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-952780558-6971352-2556725738-1000Core.job
[2010/02/09 00:47:00 | 001,452,594 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/02/09 00:47:00 | 000,637,126 | ---- | M] () -- C:\Windows\System32\prfh0416.dat
[2010/02/09 00:47:00 | 000,590,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/02/09 00:47:00 | 000,122,732 | ---- | M] () -- C:\Windows\System32\prfc0416.dat
[2010/02/09 00:47:00 | 000,102,094 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/02/06 02:13:43 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/02/06 02:13:42 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/02/06 02:13:42 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/02/06 02:13:30 | 000,161,800 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgrkx86.sys
[2010/02/06 02:13:30 | 000,142,495 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/02/06 02:02:41 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/02/06 02:02:39 | 000,113,461 | ---- | M] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/02/06 02:02:38 | 006,061,540 | ---- | M] () -- C:\Windows\System32\drivers\Avg\avi7.avg
[2010/02/06 02:02:38 | 000,492,629 | ---- | M] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2010/02/05 11:14:35 | 000,110,088 | ---- | M] () -- C:\Users\p\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/02/05 03:25:13 | 000,403,552 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/02/05 03:03:11 | 000,000,334 | ---- | M] () -- C:\Windows\win.ini
[2010/02/03 11:16:24 | 000,117,248 | ---- | M] () -- C:\Users\p\Desktop\ficha carnaval 2009.doc
[2010/02/01 00:39:55 | 000,029,184 | ---- | M] () -- C:\Users\p\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/27 15:08:01 | 000,002,022 | ---- | M] () -- C:\Users\p\Desktop\Google Chrome.lnk

========== Files Created - No Company Name ==========

[2010/02/10 02:32:27 | 223,388,872 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/02/10 02:16:58 | 000,284,915 | ---- | C] () -- C:\Users\p\Desktop\gmer.zip
[2010/02/10 02:15:56 | 000,293,376 | ---- | C] () -- C:\Users\p\Desktop\gmer.exe
[2010/02/09 16:37:06 | 000,000,000 | ---- | C] () -- C:\Users\p\AppData\Local\prvlcl.dat
[2010/02/09 15:37:11 | 000,008,042 | ---- | C] () -- C:\Users\p\Desktop\doc site.gif
[2010/02/09 02:48:53 | 000,108,059 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat
[2010/02/09 02:48:53 | 000,095,259 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat
[2010/02/09 02:02:32 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/06 02:02:39 | 000,113,461 | ---- | C] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/02/06 02:02:38 | 055,322,153 | ---- | C] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/02/06 02:02:38 | 006,061,540 | ---- | C] () -- C:\Windows\System32\drivers\Avg\avi7.avg
[2010/02/06 02:02:38 | 000,492,629 | ---- | C] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2010/02/06 02:02:38 | 000,142,495 | ---- | C] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/02/03 11:09:22 | 000,117,248 | ---- | C] () -- C:\Users\p\Desktop\ficha carnaval 2009.doc
[2010/01/25 12:40:59 | 000,000,680 | ---- | C] () -- C:\Users\p\AppData\Local\d3d9caps.dat
[2009/12/11 12:42:44 | 000,000,023 | ---- | C] () -- C:\Windows\CDCOPS.INI
[2009/10/01 18:25:10 | 000,021,879 | ---- | C] () -- C:\Users\p\AppData\Roaming\UserTile.png
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/06/24 02:41:32 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/06/22 21:18:21 | 000,000,025 | ---- | C] () -- C:\Windows\cdplayer.ini
[2009/06/04 22:58:11 | 000,029,184 | ---- | C] () -- C:\Users\p\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/29 19:08:30 | 000,168,448 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/05/27 19:37:17 | 000,000,412 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/10/06 14:35:26 | 000,000,000 | ---- | C] () -- C:\Windows\VAIOUpdt.INI
[2008/09/03 16:04:55 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1511.dll
[2008/09/03 16:03:37 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2006/11/02 10:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005/06/10 11:56:06 | 000,120,320 | ---- | C] () -- C:\Windows\System32\UnzDll.dll
[2005/06/10 11:55:04 | 000,123,904 | ---- | C] () -- C:\Windows\System32\ZipDll.dll
[2004/05/13 21:14:58 | 000,122,880 | ---- | C] () -- C:\Windows\System32\opencrypto.dll
[2004/03/18 18:43:44 | 000,843,776 | ---- | C] () -- C:\Windows\System32\libeay32.dll
[1999/01/22 15:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/01/19 16:50:05 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\LimeWire
[2009/10/01 18:25:10 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\PeerNetworking
[2009/05/27 21:22:56 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\TeamViewer
[2009/10/19 02:50:52 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\TuneUp Software
[2009/09/14 18:43:04 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\uTorrent
[2009/06/22 21:08:57 | 000,000,000 | ---D | M] -- C:\Users\p\AppData\Roaming\VistaCodecs
[2010/02/09 02:30:36 | 000,032,630 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/21 00:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/21 00:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/21 00:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/21 00:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 07:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 04:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\15d05090e6f876555f2419af621dda9f\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/21 00:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/21 00:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/21 00:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 07:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 07:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 07:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTOR.SYS >
[2008/04/21 22:20:41 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Windows\Drivers\INF\SATA Driver (Intel) (Non-RAID)\IaStor.sys
[2008/04/21 22:20:41 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Windows\System32\drivers\iaStor.sys
[2008/04/21 22:20:41 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_77c04a30\iaStor.sys
[2008/04/21 22:20:41 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_054cd65f\iaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/21 00:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/21 00:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/21 00:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 07:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 04:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\15d05090e6f876555f2419af621dda9f\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/21 00:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/21 00:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 07:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/21 00:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/21 00:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/21 00:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/21 00:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/21 00:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 04:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\15d05090e6f876555f2419af621dda9f\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/21 00:24:42 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/21 00:24:38 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2009/09/17 17:33:52 | 000,030,344 | ---- | M] (GAS Tecnologia) Unable to obtain MD5 -- C:\Windows\System32\drivers\gbpkm.sys

< %systemroot%\System32\config\*.sav >
[2008/01/21 01:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/21 01:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/21 01:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 08:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 08:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

========== Alternate Data Streams ==========

@Alternate Data Stream - 204 bytes -> C:\Windows\System32\drivers:GbpKmAp.lst
@Alternate Data Stream - 2 bytes -> C:\Windows\System32:1CCC62F7_Bb.gbp
< End of report >



OTL Extras logfile created on: 10/02/2010 02:54:23 - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Users\p\Documents\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: dd/MM/yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 56,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 223,14 Gb Total Space | 145,98 Gb Free Space | 65,42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 2,57 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PRISCILLA
Current User Name: p
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [mega] -- "C:\Program Files\Megacubo\megacubo.exe" "%1" (Megacubo)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-952780558-6971352-2556725738-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0DC7CC05-8673-489C-B71A-930141DDB380}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2B79DE39-75FE-4ABA-B128-344330E0444D}" = rport=137 | protocol=17 | dir=out | app=system |
"{369E9DD8-8222-4210-BB98-CC07BDE3EE62}" = lport=2869 | protocol=6 | dir=in | app=system |
"{3D3F7BF1-3B32-4860-8F6D-01B9AFD0E4F5}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{46F27365-2FF4-4147-838A-BC58752C75D3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{4B97AD5C-6085-434F-92E8-E98A5245A1C1}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{5CBF1655-9FFE-4CCD-9B57-FB615E626A5D}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{5E0A3EB7-0919-48B1-98C3-9ADDD3773B10}" = rport=10243 | protocol=6 | dir=out | app=system |
"{677DF220-2688-4CF7-B59B-7D8F2646B3A3}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6ADA3B73-9D46-4847-B03B-87B33512587C}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{778080F4-23BD-4745-8790-4A7E93E8C148}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{7C19BA25-C692-4C3F-970D-3A2B52F4310D}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{857493AD-E58C-4BD9-8F54-40A441443DC8}" = rport=138 | protocol=17 | dir=out | app=system |
"{86E8B775-AE6B-4E1F-AD96-9CF6F3B8A5C9}" = lport=2869 | protocol=6 | dir=in | app=system |
"{96C3C5F3-EFB3-4E77-86C8-0B6B08C3BFB5}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{99848783-E8FA-4584-8034-6E7792BE32A9}" = lport=445 | protocol=6 | dir=in | app=system |
"{A523EB24-094B-42F0-BAD5-1AA73E261E29}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A685FF39-774C-4AE4-832A-70A8B0A3789A}" = rport=139 | protocol=6 | dir=out | app=system |
"{AEF3AC72-0057-4E3B-B824-A20E001579C5}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{B29F5206-C266-4901-8EEE-23C91C563740}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{B5589FEB-7C65-4E3E-8677-3D9FBB747E3F}" = lport=137 | protocol=17 | dir=in | app=system |
"{C4D45527-A624-4DB8-961C-6D63A6C4408F}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CC9D5175-7693-4778-A127-7647DD597823}" = lport=10243 | protocol=6 | dir=in | app=system |
"{CF25FFD4-5B83-48E9-BBC6-C5C296B262D5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D8DDDC97-C8DA-45AE-94A5-22A00AC3B822}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DD7A3D1B-C620-435E-9604-37F5620D5DAB}" = lport=139 | protocol=6 | dir=in | app=system |
"{E644109F-26C7-4DD6-AF64-741B7FE89DF6}" = lport=138 | protocol=17 | dir=in | app=system |
"{F0E836E8-09EE-4E8A-83EB-FF78518AD615}" = rport=445 | protocol=6 | dir=out | app=system |
"{F63071C3-CEB2-481B-8F28-49A7384C84CB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{FF4C89A8-8359-41DD-8A0F-BAE4D71D7966}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04E3D00F-FD8A-40A3-8117-C1EA444864DD}" = protocol=1 | dir=out | [email protected],-28544 |
"{0935157D-7640-40D1-B478-AAE490EC82BA}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1300B18B-BFB4-4EE3-BF4B-3EA92FDB81B0}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{15C30953-47C5-4535-8321-4A82BF060CC3}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{190F343F-0C6F-46FE-918C-28ACA7D569CD}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{1EF97454-6279-4AC3-B156-B3DAA5417162}" = protocol=17 | dir=in | app=c:\program files\megacubo\megacubo.exe |
"{1EFAAB00-ADAA-4F99-8723-2B06A75F8B59}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{20D2FDAC-810E-44EB-B1CF-92221CD76961}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{20E4ABDC-0B86-43C3-A6F0-97C53134F358}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{23D7E521-6B2F-45FB-99D0-D5F1E69E0CFC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{31B8E0A4-9DE7-4447-A36E-5802612A0375}" = protocol=6 | dir=in | app=c:\program files\megacubo\megacubo.exe |
"{32865876-2D0C-4E34-A612-FC849419D64D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{3D7498F8-E806-4315-B796-0AA1F60F4B4B}" = protocol=6 | dir=out | app=system |
"{3DDA611C-D23D-4092-BE2E-CAEF1BDB33F6}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{455279C4-C71C-4EEB-8AD1-FCF6FC6FD706}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{4AD65A55-8505-4F4E-BC08-30A5A58C7392}" = dir=in | app=c:\program files\rosetta stone\rosetta stone version 3\rosettastoneversion3.exe |
"{559A18A1-C710-4198-B8ED-530564DA57CC}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{5ABE61CB-EFD7-433D-8B59-3D0484A91050}" = protocol=58 | dir=out | [email protected],-28546 |
"{775D9437-27AD-41C0-8B0F-4D473D3A02CC}" = dir=in | app=c:\program files\avg\avg9\avgam.exe |
"{8185A36D-2E34-41DA-AB24-FB1C18803332}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{87145F5F-03AB-4C8E-9278-D5A8F3801F0F}" = protocol=6 | dir=out | app=c:\program files\rosetta stone\rosetta stone version 3\rosettastoneversion3.exe |
"{890933B6-F44D-42F6-9A5B-FE1FFAD73AF6}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{8C731916-60C0-4E9F-88D9-6807E63984DA}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{984B9685-B08C-4D35-B48E-EECB491762FD}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{9E158BB0-F882-4F02-BAC0-DEFD53A1311C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B364E71F-5C2D-421A-B392-93A9BC9EEEF0}" = dir=in | app=c:\program files\rosetta stone\rosetta stone version 3\support\bin\win\rosettastoneltdservices.exe |
"{C1F1C17E-456C-4374-A286-BBDFDA9058F4}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{C28E6E3E-7001-4D86-84FE-8B28B82BAFA3}" = dir=in | app=c:\program files\avg\avg9\avgdiagex.exe |
"{C6223544-AA7F-4301-AA66-E509097A1CA2}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{C66ADD1E-9148-417A-8355-45E3967560EE}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{DAC242A0-0CA9-4FEC-85CA-5DBCB64E6CC9}" = protocol=58 | dir=in | [email protected],-28545 |
"{E0059764-BD39-4130-9FB0-441B9154A6B1}" = protocol=1 | dir=in | [email protected],-28543 |
"{E71085D1-47F6-4E21-9AFD-005136E38A8D}" = dir=in | app=c:\program files\avg\avg9\avgnsx.exe |
"{EC36BD03-0994-4F3A-B158-CC826F94B270}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{ED67F4F2-66BA-42E3-B70A-219B431F7297}" = protocol=6 | dir=out | app=c:\program files\rosetta stone\rosetta stone version 3\support\bin\win\rosettastoneltdservices.exe |
"{F623EACB-6880-4811-94B1-3904EEA2177A}" = dir=in | app=c:\program files\avg\avg9\avgupd.exe |
"{FC57A5FA-524F-4A83-BDE8-1ECDA89320ED}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"TCP Query User{26D52D7D-B378-45E9-A329-AAAAB2D899FB}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{2B7201AB-0B92-42BE-8B6F-B7F90D61C513}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{3905E594-A9E0-4C71-8007-26B2506882CB}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{6AD822BD-B07E-4D6F-8387-456780D3D5B8}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{CB438185-7457-48E3-9F3D-C8FDDB604748}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{0F2AE1BE-4312-4389-99A9-8A2B2502FA5A}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{39631C2F-B2A5-4493-9F0D-479BBB7BDD3F}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{46E56840-13CD-467C-982D-EB99CBDA0FB2}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{BA4F614F-8760-4714-844F-FA02EA22D992}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{DD89F2E8-82AB-4F9C-928B-05EC992E61E1}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000416-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony Video Shared Library
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{0C405D1F-359E-41C5-A1A9-383A04BBD5E2}" = Windows Live Galeria de Fotos
"{1316AEF2-E086-46C7-B1FB-8C9A39A2ABF9}" = VAIO Media plus
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{15D5C238-4C2E-4AEA-A66D-D6989A4C586B}" = VAIO Launcher
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{2018C019-30D9-4240-8C01-0865C10DCF5A}" = VAIO Presentation Support
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for VAIO
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Ferramenta de Carregamento do Windows Live
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23825B69-36DF-4DAD-9CFD-118D11D80F16}" = VAIO Content Folder Setting
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{24F3CA05-14C6-4D1D-BED8-6E4F61EF1B0E}" = Windows Live Movie Maker
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 13
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{32BC546A-8AA3-4239-AE92-9CF3291C35A6}" = Windows Live Call
"{34B37A74-125E-4406-87BA-E4BD3D097AE5}" = VAIO Survey
"{363611D9-1106-41F2-B74E-BD8481C41219}" = Click to Disc
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}" = Adobe Premiere Elements 4.0
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor
"{4EA55D20-27FB-45D7-8726-147E8A5F6C62}" = VAIO MusicBox
"{51A9E3DD-37B8-47BB-8E67-5B76B3EFBC48}" = Assistente de Conexão do Windows Live
"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Easy Media Creator 10 LJ
"{57B955CE-B5D3-495D-AF1B-FAEE0540BFEF}" = Ferramenta de Restauração de Dados VAIO
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{596BED91-A1D8-4DF1-8CD1-1C777F7588AC}" = VAIO DVD Menu Data Basic
"{5C5EE8F2-0B38-4C13-AE4E-A87A237FE718}" =
"{5F5867F0-2D23-4338-A206-01A76C823924}" = VAIO Power Management
"{624DEAA0-B27D-444B-8BFE-70622B318A4A}" = Windows Live Toolbar
"{68A69CFF-130D-4CDE-AB0E-7374ECB144C8}" = Click to Disc
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B1F20F2-6321-4669-A58C-33DF8E7517FF}" = VAIO Entertainment Platform
"{6C50525A-2D77-4C22-B058-9AA2F27ACFF2}" = VAIO Content Metadata Intelligent Analyzing Manager
"{6FA8BA2C-052B-4072-B8E2-2302C268BE9E}" = VAIO Movie Story Template Data
"{72042FA6-5609-489F-A8EA-3C2DD650F667}" = VAIO Control Center
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{74AD1846-2010-4FB1-8E24-B6F2B87150C2}" = Windows Live Mail
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7BB90344-0647-468E-925A-7F69F7983421}" = ArcSoft Magic-i Visual Effects
"{7E823DA5-43A2-46E8-A75E-5A2A0FDE81A1}" = VAIO Content Metadata Manager Setting
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83CDA18E-0BF3-4ACA-872C-B4CDABF2360E}" = VAIO Update 4
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8BD60AEF-3F9D-47AE-B80A-FB7FFCE335A0}" = VAIO Movie Story
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{90120000-0015-0416-0000-0000000FF1CE}" = Microsoft Office Access MUI (Portuguese (Brazil)) 2007
"{90120000-0015-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0416-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Portuguese (Brazil)) 2007
"{90120000-0016-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0416-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007
"{90120000-0018-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0416-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Portuguese (Brazil)) 2007
"{90120000-0019-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0416-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Portuguese (Brazil)) 2007
"{90120000-001A-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0416-0000-0000000FF1CE}" = Microsoft Office Word MUI (Portuguese (Brazil)) 2007
"{90120000-001B-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0416-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Brazil)) 2007
"{90120000-001F-0416-0000-0000000FF1CE}_ENTERPRISE_{75EBE365-7FC5-4720-A7D3-804BF550D1BC}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0416-0000-0000000FF1CE}" = Microsoft Office Proofing (Portuguese (Brazil)) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0416-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2007
"{90120000-0044-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0416-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Portuguese (Brazil)) 2007
"{90120000-006E-0416-0000-0000000FF1CE}_ENTERPRISE_{9A141B2B-7C5E-47D2-8E9E-9AC6018F3C42}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0416-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007
"{90120000-00A1-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0416-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Portuguese (Brazil)) 2007
"{90120000-00BA-0416-0000-0000000FF1CE}_ENTERPRISE_{02A880E2-B8B9-4BF5-8822-EA1374734E2E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{943B6738-4801-4982-90EC-0442EF7AEB16}" = Kaspersky Anti-Virus 2010
"{95120000-00AF-0416-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (Portuguese (Brazil))
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0416-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9555B4ED-09A3-4722-8E8C-57A49401D059}" = Windows Live Writer
"{96D0B6C6-5A72-4B47-8583-A87E55F5FE81}" =
"{98FC7A64-774B-49B5-B046-4B4EBC053FA9}" = VAIO MusicBox Sample Music
"{99011A6E-5200-11DE-BDB8-7ACD56D89593}" = Rosetta Stone Version 3
"{9973498D-EA29-4A68-BE0B-C88D6E03E928}" = ArcSoft WebCam Companion 2
"{9E2EE2F7-33BD-4D30-9E5D-8469A9F32009}" = Windows Live Sync
"{A552C4EA-D41E-4C61-A0FB-C0E05440F7D7}" = VAIO Entertainment Platform
"{A63E7492-A0BC-4BB9-89A7-352965222380}" = VAIO Original Function Setting
"{A7DA438C-2E43-4C20-BFDA-C1F4A6208558}" = Setting Utility Series
"{AC76BA86-7AD7-1046-7B44-A90000000001}" = Adobe Reader 9 - Português
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B25563A0-41F4-4A81-A6C1-6DBC0911B1F3}" = VAIO Movie Story
"{B513C7B0-024A-498F-B0F5-00C67E2440A9}" = VAIO Content Metadata Intelligent Analyzing Manager
"{B5ED7AB0-3838-4389-8549-7C8E22DD48F4}" = Windows Live Messenger
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{B7C03E84-AF46-42F4-809D-D4127D9086D0}" = VAIO Edit Components 6.4
"{BACD22AE-5B6B-4F23-B506-3FCFF13AC137}" = VAIO Media plus
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C1083DBC-C541-4E8C-91EA-D92397AB9A2C}" = OpenMG Secure Module 5.1.00
"{C7477742-DDB4-43E5-AC8D-0259E1E661B1}" = VAIO Event Service
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB8A8696-93EC-414E-A752-850AB133F68A}" = VAIO Content Metadata XML Interface Library
"{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Music Transfer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2CE03FF-F1EB-4C78-907E-5F034DAC4F1E}" = VAIO OOBE and Welcome Center
"{D47FE987-EA3D-424B-9886-B752501D7CE7}" = VAIO Help and Support
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D60F97EC-EF06-4E1E-B0D1-C2CBABA62FA3}" = VAIO Wallpaper Contents
"{DB0A8A2A-4EA7-4FE3-802E-8A6DEE32696C}_is1" = Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{EE59BBF9-415C-45DB-8C4B-EE43CF635FEA}" = VAIO Content Metadata XML Interface Library
"{EE5B6291-45EF-4705-A20E-89A3C5D2F87E}" = Microsoft Works
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2CD4651-F948-467C-B014-71FD981B7F59}" = Windows Live Essentials
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{F85C7118-F3DC-4ED9-AB27-3E7931EA3D88}" = Adobe Premiere Elements 4.0 Templates
"{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}" = Vista Codec Package
"{FD72E69E-CF34-4071-BFD6-FD081A365E2C}" = VAIO Content Metadata Intelligent Analyzing Manager
"{FE51662F-D8F6-43B5-99D9-D4894AF00F83}" = Roxio Easy Media Creator Home
"{FE697886-F392-4E0D-A0C0-47587BF60992}" = VAIO Content Metadata Manager Setting
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AVG9Uninstall" = AVG 9.0
"CCleaner" = CCleaner (remove only)
"Claro" = Claro
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0200" = HDAUDIO SoftV92 Data Fax Modem with SmartCP
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for VAIO
"InstallShield_{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor
"InstallShield_{C1083DBC-C541-4E8C-91EA-D92397AB9A2C}" = OpenMG Secure Module 5.1.00
"InstallWIX_{943B6738-4801-4982-90EC-0442EF7AEB16}" = Kaspersky Anti-Virus 2010
"LimeWire" = LimeWire PRO 5.0.11
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Manual de Instalação_is1" = Manual de Instalação 3.0
"Megacubo_is1" = Megacubo 7.1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.17)" = Mozilla Firefox (3.0.17)
"PowerISO" = PowerISO
"PremElem40" = Adobe Premiere Elements 4.0
"PremElem40Templates" = Adobe Premiere Elements 4.0 Templates
"Programador de Modem_is1" = LightModem 3.0
"RealPlayer 6.0" = RealPlayer
"SopCast" = SopCast 3.0.3
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TeamViewer 4" = TeamViewer 4
"uTorrent" = µTorrent
"VLC media player" = VLC media player 0.9.9
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = Arquivo do WinRAR

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 03/01/2010 19:36:59 | Computer Name = Priscilla | Source = WinMgmt | ID = 10
Description =

Error - 05/01/2010 13:07:00 | Computer Name = Priscilla | Source = WinMgmt | ID = 10
Description =

Error - 05/01/2010 13:07:00 | Computer Name = Priscilla | Source = VzCdbSvc | ID = 7
Description = Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-299DEE3A36F5})(Error
code = 0x80042019)

Error - 05/01/2010 17:31:59 | Computer Name = Priscilla | Source = WinMgmt | ID = 10
Description =

Error - 05/01/2010 17:32:01 | Computer Name = Priscilla | Source = VzCdbSvc | ID = 7
Description = Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-299DEE3A36F5})(Error
code = 0x80042019)

Error - 05/01/2010 17:34:04 | Computer Name = Priscilla | Source = Perflib | ID = 1010
Description =

Error - 05/01/2010 17:34:05 | Computer Name = Priscilla | Source = Perflib | ID = 1008
Description =

Error - 05/01/2010 18:03:06 | Computer Name = Priscilla | Source = Google Update | ID = 20
Description =

Error - 07/01/2010 09:15:19 | Computer Name = Priscilla | Source = Perflib | ID = 1010
Description =

Error - 07/01/2010 09:15:23 | Computer Name = Priscilla | Source = Perflib | ID = 1008
Description =

[ System Events ]
Error - 09/02/2010 01:03:46 | Computer Name = Priscilla | Source = Service Control Manager | ID = 7009
Description =

Error - 09/02/2010 01:03:46 | Computer Name = Priscilla | Source = Service Control Manager | ID = 7000
Description =

Error - 10/02/2010 00:33:14 | Computer Name = Priscilla | Source = EventLog | ID = 6008
Description = O desligamento anterior do sistema em 02:30:49 em 10/02/2010 não era
esperado.

Error - 10/02/2010 00:33:30 | Computer Name = Priscilla | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description =

Error - 10/02/2010 00:33:32 | Computer Name = Priscilla | Source = HTTP | ID = 15016
Description =

Error - 10/02/2010 00:35:54 | Computer Name = Priscilla | Source = Service Control Manager | ID = 7000
Description =

Error - 10/02/2010 00:41:17 | Computer Name = Priscilla | Source = EventLog | ID = 6008
Description = O desligamento anterior do sistema em 02:39:15 em 10/02/2010 não era
esperado.

Error - 10/02/2010 00:41:32 | Computer Name = Priscilla | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description =

Error - 10/02/2010 00:41:33 | Computer Name = Priscilla | Source = HTTP | ID = 15016
Description =

Error - 10/02/2010 00:41:58 | Computer Name = Priscilla | Source = Service Control Manager | ID = 7000
Description =


< End of report >

Edited by Andre Silva, 10 February 2010 - 01:39 PM.

  • 0

Advertisements

#2
Andre Silva
Posted 10 February 2010 - 01:40 PM

Andre Silva

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Anyone, PLEASE?
  • 0

#3
Mjöllnir
Posted 10 February 2010 - 02:08 PM

Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Welcome to Geeks to Go, Andre Silva.

I will be helping you with your malware issues.

Before we get started, please read the following.
  • Be advised that I am still in training, so there may be a delay between replies. Each reply must be approved by a resident expert before I will be allowed to post them to you.
  • Please completely read through all instructions given you before attempting to follow them. If you are confused about any part of the instructions, post back with your questions and we'll figure things out.
  • Please post all logs in their entirety. DO NOT attach logs to a post unless I ask you to do that. Rather copy and paste the contents of the logs directly into the post.
  • Please refrain from running any tools or otherwise performing any fixes other than what I ask you to do.
  • Finally, do not PM me directly for help. If you have any questions, post them in this topic.



I see that you are back. I'll put something together this evening and get back to you.

Thanks.
  • 0

#4
Andre Silva
Posted 10 February 2010 - 02:16 PM

Andre Silva

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Hello Mjöllnir,

It is a pleasure to work with you again. I am honored. Please be advised that this is a DIFFERENT computer than the last one. This computer is running on Windows Vista Home Premium 32 bit.

Once again, thank you for your help. It is much appreciated and very valuable.

Regards,

Andre

Edited by Andre Silva, 10 February 2010 - 02:21 PM.

  • 0

#5
Mjöllnir
Posted 11 February 2010 - 01:33 PM

Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Hello.


WARNING - Your computer has been infected by a Backdoor Trojan!

From your log(s), one or more of the identified infections are Backdoor Trojans. Backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the author.

If this computer is ever used for online banking, I suggest you do the following IMMEDIATELY:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online banking / financial purposes until we give it an all clear.

If you want to continue fixing, please follow the steps below.



IMPORTANT
I have noticed that you have peer-to-peer (P2P) software installed on your computer. P2P applications open holes in your computer's security, giving unsecure routes for malware to access your machine. P2P programs are widely used to distribute viruses. Many of the highly successful viruses in circulation today use P2P programs running on an infected computer as an additional mechanism for propagation. In some cases, virus writers may anonymously introduce newly created viruses to the Internet via P2P. In the wild, such newly created viruses are less likely to be detected by your antivirus program. You might consider removing these applications: Limewire, µTorrent



Please continue with the steps below.


»» Step 1 ««

Download RootRepeal from one of the following locations and save it to your desktop:Link 1
Link 2
Link 3
  • Double click Posted Image to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Posted Image button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Posted Image button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post




»» Step 2 ««

Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.
    Posted Image
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
    Posted Image
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post




»» Step 3 ««

Post Logs
Please post back with the following information:
  • RootRepeal.txt
  • virusinfo_syscure.zip
  • virusinfo_syscheck.zip

  • 0

#6
Andre Silva
Posted 15 February 2010 - 10:39 AM

Andre Silva

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
AVZ has been running for 48 hours and not complete yet! Is it normal?
  • 0

#7
Mjöllnir
Posted 15 February 2010 - 10:46 AM

Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
No, that is not normal. You can stop it from running. Can you post the root repeal log?
  • 0

#8
Andre Silva
Posted 15 February 2010 - 11:27 PM

Andre Silva

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Hello,

Here follows the RootRepeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/11 18:35
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8FF07000 Size: 843776 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAEA00000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b2da5c57-14b3-11df-a1f5-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b3d5288a-12d6-11df-8437-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b5dc7606-1216-11df-89ae-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b5dc760e-1216-11df-89ae-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d6b40b14-1531-11df-90f4-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d9002bec-163b-11df-8598-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ef147b6d-1533-11df-bc8b-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ef147b7c-1533-11df-bc8b-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ef147b8b-1533-11df-bc8b-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ef147b97-1533-11df-bc8b-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f98c94ce-0da0-11df-8712-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{727804b1-09df-11df-88c9-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{87af1a6c-0f22-11df-88c0-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8a1182f2-0ff4-11df-9241-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8a11834f-0ff4-11df-9241-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8a118447-0ff4-11df-9241-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{48dae49e-12d3-11df-be57-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{48dae4a8-12d3-11df-be57-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{48dae4ae-12d3-11df-be57-001dba925860}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Program Files\Windows Media Player\Network Sharing\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\NETFXS~1.HKF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_516e2e610f48bda6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_61305e07e4f1bc01.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4db266e67dd280ef.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1801_none_516953ad0f4d16c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.163_none_8e0633726966e50a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_sony.sensing.sfaceplus_5a496c7842cd4787_4.2.0.520_none_cb6fc1498b448601.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.163_none_11eda5919b2bd9a9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_3b0e32bdc9afe437.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.1.0.0_none_6c030d6fdc86522c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9876.0_none_a6e4a7980e9b18a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9876.0_none_b7e610287b2b4ea5.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_49ef489714173a89.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_750b37ff97f4f68b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_6b86c0e9b0196766.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_sony.sensing.vmlib_5a496c7842cd4787_1.3.1.527_none_7b92227ffb6605d1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1801_none_d088a2ec442ef17b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_5c94f2bbe7d4aaf6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_18f8a87fd1919cd9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\88b03fe13d2710ad787d5d96cd0e5cbeda3a61c2a0a2bdc0c0984a48365242e2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\dd72f7ab2def5f75f58d01b24643b308750c38685daaed50bcddf61c18460dee.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_mscorlib.resources_b77a5c561934e089_6.0.6000.16720_pt-br_85f6991702165714\MSCORL~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_mscorlib.resources_b77a5c561934e089_6.0.6000.20883_pt-br_6f2eafbb1bb89c07\MSCORL~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_mscorlib.resources_b77a5c561934e089_6.0.6001.18111_pt-br_85d17dcd026863b5\MSCORL~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_system.configuration.resources_b03f5f7f11d50a3a_6.0.6001.18000_pt-br_4c81605870ad0b94\$$DeleteMe.System.Configuration.resources.dll.01ca1e42280cba30.0009
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-atl_31bf3856ad364e35_6.0.6001.18000_none_ab203fc659b26ce7\$$DeleteMe.atl.dll.01ca1b149abcf8a0.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\$$DeleteMe.rpcss.dll.01c9dfa4ffd07d6f.000b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18000_none_9e8bec4ef6ba613c\$$DeleteMe.emdmgmt.dll.01c9dfa4fe1f432f.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6001.18000_none_f5ac3cff9d4bd9d3\$$DeleteMe.httpapi.dll.01ca7a21b90c9740.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6001.18356_none_f57c34d19d6ef507\$$DeleteMe.httpapi.dll.01ca7bb3a3cb42d0.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18099_none_b48acb29d70acadb\$$DeleteMe.urlmon.dll.01c9dfa4fa75656f.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18248_none_478070c58c9d650d\$$DeleteMe.iertutil.dll.01ca10dbec263e60.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde541564b88ae\$$DeleteMe.kernel32.dll.01c9dfa4fee736af.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.lsasrv.dll.01c9dfa4fe80db8f.0008
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.secur32.dll.01c9dfa4fea6f18f.0009
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18215_none_a644c0145ccecd28\$$DeleteMe.lsasrv.dll.01ca1bdc186fbea0.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18215_none_a644c0145ccecd28\$$DeleteMe.secur32.dll.01ca1bdc187ba580.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MI2095~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MIC237~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16885_none_09320a57522f812d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21083_none_09b97eb06b4f218b\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\$$DeleteMe.wmp.dll.01ca1b1496381c60.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\$$DeleteMe.wmploc.DLL.01ca1b149869e0e0.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18289_none_0b1c4a254f52777a\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6001.18096_none_06d7363dd61b14c2\$$DeleteMe.WMVCORE.DLL.01ca31dcfdb0cf51.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6001.18000_none_073283cdd5d7813f\$$DeleteMe.WMVCORE.DLL.01c9dfa4fd574faf.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.16386_none_c52353cea8765257\$$DeleteMe.msasn1.dll.01ca4c96e1cac1ff.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.0.6001.18138_none_885590b496e78ad1\$$DeleteMe.msxml6.dll.01ca6e57bd21e940.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6001.18000_none_886e409a96d6223c\$$DeleteMe.msxml3.dll.01c9dfa506ed794f.0011
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.0.6001.18000_none_886dfc4296d66f1f\$$DeleteMe.msxml6.dll.01c9dfa4fc1394af.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18000_none_8d341b13018fde32\$$DeleteMe.netapi32.dll.01c9dfa506b6b9af.0010
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.18000_none_301b5dfb92ae18db\$$DeleteMe.localspl.dll.01c9eb6b357cfef0.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18000_none_39733ab970ea03f2\$$DeleteMe.win32spl.dll.01c9dfa4fe5602cf.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-raschap_31bf3856ad364e35_6.0.6001.18000_none_12bf0305774c76e6\$$DeleteMe.raschap.dll.01ca7a21b8e86d70.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rastls_31bf3856ad364e35_6.0.6001.18000_none_6c652bee5023e04d\$$DeleteMe.rastls.dll.01ca7a21b8f8e830.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6001.18000_none_b3fa9f1745144f5f\$$DeleteMe.rpcrt4.dll.01c9dfa50aef69ef.0014
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6001.18051_none_b3c58fc5453bf46b\$$DeleteMe.rpcrt4.dll.01c9eb6b356c5550.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.18000_none_3acd4b177cb513c9\$$DeleteMe.wdigest.dll.01ca1bdc18937340.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.18000_none_7cb2ecd3628ac318\$$DeleteMe.msv1_0.dll.01ca1bdc18b727e0.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18062_none_6bea4bea122ac813\$$DeleteMe.shell32.dll.01c9dfa500e49cef.000f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6001.18000_none_9231f0ab88c213e9\$$DeleteMe.avifil32.dll.01ca1b149a83d7a0.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6001.18000_none_9681b77aa11e1dfb\$$DeleteMe.WindowsCodecs.dll.01c9e4b97b4afb20.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-windowscodecext_31bf3856ad364e35_6.0.6001.18000_none_9391cc6cb8a57a62\$$DeleteMe.WindowsCodecsExt.dll.01c9e4b97b6c4e60.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18000_none_9c44425304e62138\$$DeleteMe.wlanmsm.dll.01ca31dcfde52d91.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18000_none_9c44425304e62138\$$DeleteMe.wlansec.dll.01ca31dcfdcd5fd1.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18000_none_9c44425304e62138\$$DeleteMe.wlansvc.dll.01ca31dcfdd946b1.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\$$DeleteMe.wlansec.dll.01ca31dcfdcd5fd1.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-core-fastprox-dll_31bf3856ad364e35_6.0.6001.18000_none_fb49535a79bca3e8\$$DeleteMe.fastprox.dll.01c9dfa50034772f.000d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.0.6001.18000_none_1062be8b8b6509c7\$$DeleteMe.WmiPrvSD.dll.01c9dfa50049e38f.000e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.0.6001.18000_none_1062be8b8b6509c7\$$DeleteMe.WmiPrvSE.exe.01c9dfa5001ca96f.000c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-workstationservice_31bf3856ad364e35_6.0.6001.18000_none_cc3a17edd6d1c174\$$DeleteMe.wkssvc.dll.01ca1b149ab111c0.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6000.20883_none_8469d28baa199a7e\GROUPE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6000.16720_none_9b31bbe79077558b\GROUPE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-mscoree_dll_31bf3856ad364e35_6.0.6001.18000_none_b55ffc255629a804\$$DeleteMe.mscoree.dll.01ca1e42165ae190.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-mscorjit_dll_b03f5f7f11d50a3a_6.0.6001.18000_none_bf5ca9cf312f74f6\$$DeleteMe.mscorjit.dll.01ca1e421e364b70.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_vrg_31bf3856ad364e35_6.0.6000.16708_none_cab9e41b8efd69ed\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_vrg_31bf3856ad364e35_6.0.6000.20864_none_cafea036a84f4c01\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_vrg_31bf3856ad364e35_6.0.6001.18096_none_cc3cd0fb8c6ec682\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6000.16708_none_319b7f14a2b4f78c\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6000.20864_none_31e03b2fbc06d9a0\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_vrg_31bf3856ad364e35_6.0.6001.22208_none_cd29bf8ca5419aa8\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6000.16708_none_1dbee32b03599791\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6000.20864_none_1e039f461cab79a5\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.18096_none_1f41d00b00caf426\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.22208_none_202ebe9c199dc84c\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6002.18005_none_218896a6fda92bef\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18294_none_474660018cc98b66\$$DeleteMe.iertutil.dll.01ca4c96e3c3657f.0005
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18319_none_47a1e2b98c8427b8\$$DeleteMe.iertutil.dll.01ca7a21b93220a0.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18349_none_478172f58c9c7b8b\$$DeleteMe.iertutil.dll.01ca9d7ddb8a0990.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18226_none_b4d37d8bd6d4b58d\$$DeleteMe.urlmon.dll.01c9eb6b34856ff0.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18248_none_b4bfde47d6e3201d\$$DeleteMe.urlmon.dll.01ca10dbebd7b100.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18294_none_b485cd83d70f4676\$$DeleteMe.urlmon.dll.01ca4c96e34ec21f.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18319_none_b4e1503bd6c9e2c8\$$DeleteMe.urlmon.dll.01ca7a21b91dae40.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18349_none_b4c0e077d6e2369b\$$DeleteMe.urlmon.dll.01ca9d7ddb3b7460.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18000_none_22164b0e5542d6c1\$$DeleteMe.schannel.dll.01c9dfa4fd717ecf.0005
Status: Locked to theProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1824 Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ece9bd0

#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceb52c

#: 022 Function Name: NtAlpcCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceb782

#: 038 Function Name: NtAlpcSendWaitReceivePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceb9fc

#: 048 Function Name: NtClose
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea450

#: 054 Function Name: NtConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceab32

#: 058 Function Name: NtCreateEvent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceaf3c

#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea5f8

#: 067 Function Name: NtCreateMutant
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceae14

#: 068 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ece97d6

#: 071 Function Name: NtCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceacd0

#: 075 Function Name: NtCreateSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ece9992

#: 076 Function Name: NtCreateSemaphore
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceb06e

#: 077 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ececcb0

#: 078 Function Name: NtCreateThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea0ee

#: 115 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecead72

#: 116 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecec6a2

#: 129 Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eced672

#: 150 Function Name: NtFsControlFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea752

#: 165 Function Name: NtLoadDriver
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecec734

#: 177 Function Name: NtMapViewOfSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ececd64

#: 184 Function Name: NtOpenEvent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceafde

#: 186 Function Name: NtOpenFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea4d2

#: 191 Function Name: NtOpenMutant
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceaeac

#: 194 Function Name: NtOpenProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ece9dd6

#: 197 Function Name: NtOpenSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ececcda

#: 198 Function Name: NtOpenSemaphore
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceb110

#: 201 Function Name: NtOpenThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ece9cfa

#: 219 Function Name: NtQueryDirectoryObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecebc3e

#: 242 Function Name: NtQuerySection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eced07c

#: 255 Function Name: NtQueueApcThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecec9ca

#: 270 Function Name: NtReplyPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceb49a

#: 271 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eceb360

#: 276 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecec442

#: 282 Function Name: NtResumeThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eced554

#: 286 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea86c

#: 289 Function Name: NtSetContextThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea30c

#: 307 Function Name: NtSetInformationToken
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecebcf2

#: 314 Function Name: NtSetSecurityObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecec82e

#: 317 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eced1bc

#: 330 Function Name: NtSuspendProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eced2a0

#: 331 Function Name: NtSuspendThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8eced3c8

#: 332 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecec5ce

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ece9f4e

#: 335 Function Name: NtTerminateThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ece9ea4

#: 348 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ececf32

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea02e

#: 382 Function Name: NtCreateThreadEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecea1ee

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfad1c

#: 235 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfade6

#: 245 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfae50

#: 301 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfad80

#: 317 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfa930

#: 333 Function Name: NtUserCallOneParam
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecface8

#: 391 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfab1e

#: 397 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfa898

#: 428 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfac20

#: 430 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfa8e4

#: 479 Function Name: NtUserMessageCall
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfaa70

#: 497 Function Name: NtUserPostMessage
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfa9c6

#: 498 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfaa1a

#: 513 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfabb0

#: 525 Function Name: NtUserSendInput
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfaad0

#: 573 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfa7e8

#: 576 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8ecfa83e

==EOF==
  • 0

#9
Mjöllnir
Posted 16 February 2010 - 12:56 PM

Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Hello.

Please continue with the steps below.

Download OTS to your desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box labeled Scan All Users
  • Under File Age at the top, change it from 30 days to 90 days
  • Under Additional Scans check the boxes beside
    • Reg - ActiveX StubPath
    • Reg - App Paths
    • Reg - Approved Shell Extensions
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - Drivers32
    • Reg - Ext
    • Reg - File Associations
    • Reg - IE Explorer Bars
    • Reg - NetSvcs
    • Reg - Protocol Filters
    • Reg - Protocol Handlers
    • Reg - SafeBoot Minimal
    • Reg - SafeBoot Network
    • Reg - Session Manager Settings
    • Reg - Winsock2 Catalogs
    • Evnt - EventViewer Logs ( Last 10 Errors )
    • File - Lop Check
    • File - Purity Scan
  • Under the Custom Scans box at the bottom left paste the following in
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    beep.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please attach the log in your next post.
(Note, The last line is < End of Report >, so make sure that is the last line in the attached report)

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post



Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.
  • 0

#10
Andre Silva
Posted 16 February 2010 - 02:42 PM

Andre Silva

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Hello again Mjöllnir,

Here follows the logs requested. Thanks for your help!

Attached File  OTS.Txt   345.29KB   215 downloads


Malwarebytes' Anti-Malware 1.44
Database version: 3747
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

16/02/2010 18:27:43
mbam-log-2010-02-16 (18-27-43).txt

Scan type: Quick Scan
Objects scanned: 108172
Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#11
Mjöllnir
Posted 17 February 2010 - 01:31 PM

Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Hi Andre.


How is everything running on this computer?


We're going to perform an online scan to make sure that we got everything.


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

  • 0

#12
Andre Silva
Posted 18 February 2010 - 10:42 PM

Andre Silva

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Hello Mjöllnir,

Here is the report. I think it looks clean. Please have a look.

Thank you,

Andre

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, February 19, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, February 18, 2010 23:52:53
Records in database: 3555787
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 223276
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:37:15

No threats found. Scanned area is clean.

Selected area has been scanned.
  • 0

#13
Mjöllnir
Posted 23 February 2010 - 09:32 AM

Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Hello.

Sorry for the delay. :)



Your log is clean! :)


Now that we've finished cleaning your computer, please follow these last sets of instructions and then you'll be ready to go.


»»» Clear Temp Files «««

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run as administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


»»» System Restore Points «««

Clear your 'System Restore' points by doing the following:
Turn off Windows Vista System Restore:
  • Click Start
  • Right-click the Computer icon, and then click Properties
  • Click on System Protection
  • Click on Continue on the User Account Control window that pops up
  • Under the System Protection tab, find Available Disks
  • Uncheck the box for any drive you wish to disable system restore on
  • When turning off System Restore, the existing restore points will be deleted. Click Turn System Restore Off on the popup window to do this
  • Click OK
Restart your computer.

Turn on Windows Vista System Restore:
  • Click Start
  • Right-click the Computer icon, and then click Properties
  • Click on System Protection
  • Click on Continue on the User Account Control window that pops up
  • Under the System Protection tab, find Available Disks
  • Place a checkmark in the box for any drive you wish to enable System Restore on
  • Click OK

Create a new System Restore point:
  • Click on Start/All Programs/Accessories/System Tools/System Restore
  • In the System Restore window, click the open system protection link
  • In the System Properties window, check the Available Disks you would like to restore and click Create...
  • In the System Protection window, enter a description and click Create
  • Once the restore point has been created, click OK


»»» Cleanup «««

Remove Other Tools

  • Open OTL to run it. (Vista users, please right click on OTL and select "Run as administrator")
  • Click on the CleanUp button
  • Click Yes to begin the cleanup process and remove out tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes


++++++++++++++++++++++++++++++++++++


Below are links to several programs that will help protect your computer.

Firewalls
If you are using the Windows firewall or not using a firewall at all, I recommend downloading and installing the application below.
You may also want to read Understanding and Using Firewalls.

Note that you should NEVER have more than one firewall running on your system, as firewalls can conflict with one another and can cause slow or total loss of your Internet connection.


Anti-Spyware
I recommend downloading and installing all of the following applications.


++++++++++++++++++++++++++++++++++++


Other things to keep in mind.

Windows, Java, and Adobe products should all be kept up-to-date on a regular basis so the latest security fixes are in place on your computer. Please refer to the following links on how to manage these products.

Here are a few other applications you might consider. Keeping your temporary file area clean, your Windows registry backed up, and backing up your important data are all good techniques.

Please remember that just having these programs is not enough. You must use them. Running a full spyware scan weekly, a full virus scan monthly, and checking for updates and cleaning your temporary files periodically is very important in keeping your computer in tip-top shape.

Finally, please take the time to read the following articles. Applying this information will help prevent future infections:

How to prevent malware by miekiemoes
Preventing Malware and Safe Computing by Rorschach112

This article will help you understand how you may have gotten infected:
How did I get infected in the first place?

Remember, you have to be smarter than the bad guys! Be safe out there! :)
  • 0

#14
Essexboy
Posted 25 February 2010 - 01:37 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP