Rapport de ZHPDiag v2013.4.23.139 par Nicolas Coolman, Update du 23/04/2013
Run by f003289 at 24/04/2013 10:15:47
State : WhiteList : Enable
High Elevated Privileges : OK
UAC : Not Found

---\\ Web Browser
MSIE: Internet Explorer v8.0.6001.18702 (Defaut)
MFIE: Mozilla Firefox 17.0.1
GCIE: Google Chrome v26.0.1410.64

---\\ Windows Product Information
~ Langage: Anglais
Windows XP Professional Service Pack 3 (Build 2600)
Windows Automatic Updates : OK
Windows Genuine Advantage : KO

---\\ System Protection
avast! Free Antivirus v8.0.1483.0
Malwarebytes Anti-Malware versão 1.75.0.1300

---\\ System Optimizer
CCleaner v3.24

---\\ Software Update
Adobe Flash Player 11 Plugin
Adobe Reader XI
Java 7 Update 21

---\\ System Information
~ Processor: x86 Family 15 Model 4 Stepping 9, GenuineIntel
~ Operating System: 32 Bits
Boot mode: Normal (Normal boot)
Total RAM: 1982 MB (71% free)
System Restore: Activé (Enable)
System drive C: has 47 GB (63%) free of 75 GB

---\\ Logged in mode
~ Computer Name: FUN0070
~ User Name: f003289
~ All Users Names: SUPPORT_388945a0, HelpAssistant, Funpec, Convidado, Administrador,
~ Unselected Option: O45,O61,O62,O65,O82
Logged in as Administrator

---\\ Environnement Variables
~ System Unit : C:\
~ %AppData% : C:\Documents and Settings\f003289\Dados de aplicativos\
~ %Desktop% : C:\Documents and Settings\f003289\Desktop\
~ %Favorites% : C:\Documents and Settings\f003289\Favoritos\
~ %LocalAppData% : C:\Documents and Settings\f003289\Configurações locais\Dados de aplicativos\
~ %StartMenu% : C:\Documents and Settings\f003289\Menu Iniciar\
~ %Windir% : C:\WINDOWS\
~ %System% : C:\WINDOWS\system32\

---\\ DOS/Devices
A:\ Floppy drive, Flash card reader, USB Key (Not Inserted)
C:\ Hard drive, Flash drive, Thumb drive (Free 47 Go of 75 Go)

---\\ Security Center & Tools Informations
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations] Application: OK
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations] Intl: OK
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations] XMLLookup: OK
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell: OK
~ Security Center: Scanned in 00mn 00s

---\\ Search Generic System Files
[MD5.064EC7FF5F58B928C3E119402977FA6D] - (.Microsoft Corporation - Windows Explorer.) (.13/04/2008 - 18:21:00.) -- C:\WINDOWS\Explorer.exe [1035776]
[MD5.6CE32F7778061CCC5814D5E0F282D369] - (.Microsoft Corporation - Internet Extensions for Win32.) (.08/03/2009 - 03:34:58.) -- C:\WINDOWS\system32\wininet.dll [914944]
[MD5.71D440F79B711627B12B567FB2EADB42] - (.Microsoft Corporation - Aplicativo de logon do Windows NT.) (.13/04/2008 - 18:21:24.) -- C:\WINDOWS\system32\Winlogon.exe [509952]
[MD5.322D0E36693D6E24A2398BEE62A268CD] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.13/04/2008 - 11:19:24.) -- C:\WINDOWS\system32\Drivers\AFD.sys [138112]
[MD5.9F3A2F5AA6875C72BF062C712CFA2674] - (.Microsoft Corporation - IDE/ATAPI Port Driver.) (.13/04/2008 - 10:40:32.) -- C:\WINDOWS\system32\Drivers\atapi.sys [96512]
[MD5.C885B02847F5D2FD45A24E219ED93B32] - (.Microsoft Corporation - CD-ROM File System Driver.) (.13/04/2008 - 11:14:22.) -- C:\WINDOWS\system32\Drivers\Cdfs.sys [63744]
[MD5.1F4260CC5B42272D71F79E570A27A4FE] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.13/04/2008 - 10:40:48.) -- C:\WINDOWS\system32\Drivers\Cdrom.sys [62976]
[MD5.A8D31E836CCF2F51009CE7DFFECF6D51] - (.Microsoft Corporation - FIPS Crypto Driver.) (.13/04/2008 - 17:52:44.) -- C:\WINDOWS\system32\Drivers\Fips.sys [44672]
[MD5.573C7D0A32852B48F3058CFD8026F511] - (.Windows (R) Server 2003 DDK provider - High Definition Audio Bus Driver v1.0a.) (.13/04/2008 - 08:36:06.) -- C:\WINDOWS\system32\Drivers\HDAudBus.sys [144384]
[MD5.485BC6BEB778B5E9702E6AA3D384C0CB] - (.Microsoft Corporation - Driver de porta i8042.) (.13/04/2008 - 17:55:20.) -- C:\WINDOWS\system32\Drivers\i8042prt.sys [53504]
[MD5.083A052659F5310DD8B6A6CB05EDCF8E] - (.Microsoft Corporation - IMAPI Kernel Driver.) (.13/04/2008 - 10:41:00.) -- C:\WINDOWS\system32\Drivers\Imapi.sys [42112]
[MD5.CC748EA12C6EFFDE940EE98098BF96BB] - (.Microsoft Corporation - IP Network Address Translator.) (.13/04/2008 - 10:57:16.) -- C:\WINDOWS\system32\Drivers\IpNat.sys [152832]
[MD5.23C74D75E36E7158768DD63D92789A91] - (.Microsoft Corporation - IPSec Driver.) (.13/04/2008 - 11:19:44.) -- C:\WINDOWS\system32\Drivers\IPSec.sys [75264]
[MD5.68755F0FF16070178B54674FE5B847B0] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.13/04/2008 - 11:17:02.) -- C:\WINDOWS\system32\Drivers\MRxSmb.sys [456576]
[MD5.74B2B2F5BEA5E9A3DC021D685551BD3D] - (.Microsoft Corporation - MBT Transport driver.) (.13/04/2008 - 11:21:02.) -- C:\WINDOWS\system32\Drivers\netBT.sys [162816]
[MD5.78A08DD6A8D65E697C18E1DB01C5CDCA] - (.Microsoft Corporation - NT File System Driver.) (.13/04/2008 - 11:15:54.) -- C:\WINDOWS\system32\Drivers\ntfs.sys [574976]
[MD5.9BADEE6B698BF1AF36E25A1A64A89EAB] - (.Microsoft Corporation - Driver de porta paralela.) (.13/04/2008 - 18:02:26.) -- C:\WINDOWS\system32\Drivers\Parport.sys [80384]
[MD5.11B4A627BC9614B885C4969BFA5FF8A6] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.13/04/2008 - 11:19:44.) -- C:\WINDOWS\system32\Drivers\Rasl2tp.sys [51328]
[MD5.15CABD0F7C00C47C70124907916AF3F1] - (.Microsoft Corporation - Microsoft RDP Device redirector.) (.13/04/2008 - 10:32:52.) -- C:\WINDOWS\system32\Drivers\rdpdr.sys [196224]
[MD5.68D749B04BFBBD4D4D15CC5185AFA4DD] - (.Microsoft Corporation - Redbook Audio Filter Driver.) (.13/04/2008 - 17:53:18.) -- C:\WINDOWS\system32\Drivers\redbook.sys [58240]
[MD5.EB6B1E2C984D84470FF4FE7EF98CD44A] - (.Microsoft Corporation - Driver de cópia de sombra de volume.) (.13/04/2008 - 17:53:02.) -- C:\WINDOWS\system32\Drivers\volsnap.sys [53248]
~ Generic Processes: Scanned in 00mn 00s

---\\ Hidden files state (Hidden/Total)
~ Mes images (My Pictures) : 2/103
~ Mes musiques (My Musics) : 1/2579
~ Mes Videos (My Videos) : 0/9
~ Mes Favoris (My Favorites) : 0/24
~ Mes Documents (My Documents) : 1/4014
~ Mon Bureau (My Desktop) : 1/788
~ Menu demarrer (Programs) : 1/26
~ Hidden Files: Scanned in 00mn 04s

---\\ Running Processes
[MD5.41735B82DB57E4EBE9504EC400FD120E] - (.AVAST Software - avast! Service.) -- C:\Arquivos de programas\AVAST Software\Avast\AvastSvc.exe [45248] [PID.1416]
[MD5.06752FAEA93BB8C9D4D72C56D360E415] - (.GAS Tecnologia - G-Buster Browser Defense - Service.) -- C:\Arquivos de programas\GbPlugin\GbpSv.exe [526888] [PID.1744]
[MD5.6D2018AEE93285F2A8BEF55D722187A3] - (.Microsoft Corporation - Application Layer Gateway Service.) -- C:\WINDOWS\System32\alg.exe [44544] [PID.1456]
[MD5.C0417E571BA2837EA3CBE17E728E17DD] - (.Panda Security - USB Vaccine.) -- C:\Arquivos de programas\Panda USB Vaccine\USBVaccine.exe [1287176] [PID.2240]
[MD5.148C545849C1379A3D4448F5DE768E86] - (.AVAST Software - avast! Antivirus.) -- C:\Arquivos de programas\AVAST Software\Avast\avastUI.exe [4767304] [PID.2444]
[MD5.4F2DDAECD720AAA6AD7475E5A29E5980] - (.Microsoft Corporation - Atualizações Automáticas.) -- C:\WINDOWS\system32\wuauclt.exe [111616] [PID.2744]
[MD5.B60DDDD2D63CE41CB8C487FCFBB6419E] - (.Microsoft Corporation - Internet Explorer.) -- C:\Arquivos de programas\Internet Explorer\iexplore.exe [638816] [PID.920]
[MD5.AAE42F24B1510ADF8E7DE92085B8E67F] - (.Nicolas Coolman - ZHPDiag.) -- C:\Arquivos de programas\ZHPDiag\ZHPDiag.exe [6971904] [PID.2084]
~ Processes Running: Scanned in 00mn 01s

---\\ Mozilla Firefox,Plugins,Start,Search,Extensions (P2,M0,M1,M2,M3)
M3 - MFPP: Plugins - [f003289] -- C:\Arquivos de programas\Mozilla FireFox\searchplugins\buscape.xml
M3 - MFPP: Plugins - [f003289] -- C:\Arquivos de programas\Mozilla FireFox\searchplugins\mercadolivre.xml
M3 - MFPP: Plugins - [f003289] -- C:\Arquivos de programas\Mozilla FireFox\searchplugins\wikipedia-br.xml
M3 - MFPP: Plugins - [f003289] -- C:\Arquivos de programas\Mozilla FireFox\searchplugins\yahoo-br.xml
~ Firefox Browser: 14 Legitimates Filtered in 00mn 00s

---\\ Internet Explorer Extensions, Start, Search (R4,R3,R0,R1)
R4 - HKCU\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter,Enabled = 2
~ IE Browser: 11 Legitimates Filtered in 00mn 00s

---\\ Internet Explorer, Proxy Management (R5)
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
~ Proxy management: Scanned in 00mn 00s

---\\ Line Analysis F0, F1, F2, F3 - IniFiles, Auto loading programs
F2 - REG:system.ini: USERINIT=C:\WINDOWS\system32\userinit.exe,
F2 - REG:system.ini: Shell=C:\WINDOWS\explorer.exe
F2 - REG:system.ini: VMApplet=rundll32 shell32,Control_RunDLL "sysdm.cpl"
~ Keys: Scanned in 00mn 00s

---\\ Hosts file redirection (O1)
~ Le fichier hosts est sain (The hosts file is clean).
~ Hosts File: Scanned in 00mn 00s
~ Nombre de lignes (Lines number): 1

---\\ Browser Helper Objects (O2)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} . (.Banco do Brasil - Gbieh Module.) -- C:\Arquivos de programas\GbPlugin\gbieh.dll
~ BHO: 5 Legitimates Filtered in 00mn 00s

---\\ Internet Explorer toolbars (O3)
O3 - Toolbar: avast! WebRep - [HKLM]{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} . (.AVAST Software - avast! WebRep Plugin.) -- C:\Arquivos de programas\AVAST Software\Avast\aswWebRepIE.dll
~ Toolbar: Scanned in 00mn 00s

---\\ Auto loading programs from Registry and folders (O4)
O4 - HKLM\..\Run: [avast] . (.AVAST Software - avast! Antivirus.) -- C:\Arquivos de programas\AVAST Software\Avast\avastUI.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] . (.Microsoft Corporation - CTF Loader.) -- C:\WINDOWS\system32\CTFMON.exe
~ Application: Scanned in 00mn 00s

---\\ Other User Links (O4)
O4 - GS\Desktop: Malwarebytes Anti-Malware.lnk . (.Malwarebytes Corporation - Malwarebytes Anti-Malware.) -- C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
O4 - GS\Desktop: MBRCheck.lnk . (...) -- C:\Arquivos de programas\ZHPDiag\mbrcheck.exe
O4 - GS\Desktop: ZHPDiag.lnk . (.Nicolas Coolman - ZHPDiag Setup.) -- C:\Arquivos de programas\ZHPDiag\ZHPhep.exe
O4 - GS\Desktop: ZHPFix.lnk . (.Nicolas Coolman - ZHPDiag Setup.) -- C:\Arquivos de programas\ZHPDiag\ZHPFix\ZHPhep.exe
O4 - GS\Desktop: Atalho para Funpec.lnk . (...) -- C:\SIGAP\Funpec.exe
O4 - GS\Desktop: Auslogics Disk Defrag.lnk . (.Auslogics - Disk Defrag.) -- C:\Arquivos de programas\Auslogics\Auslogics Disk Defrag\DiskDefrag.exe
~ Global Startup: Scanned in 00mn 04s

---\\ Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (O9)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} . (...) -- C:\Arquivos de programas\Microsoft Office\Office12\REFBARH.ICO
O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -- Orphean Key
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} . (.Microsoft Corporation - Windows Messenger.) -- C:\Arquivos de programas\Messenger\msmsgs.exe
~ IE Extra Buttons: Scanned in 00mn 00s

---\\ Winsock hijacker (Layered Service Provider) (O10)
O10 - WLSP:\000000000001\Winsock LSP File . (.Microsoft Corporation - Fornecedor de serviços do Microsoft Windows Sockets 2.0.) -- C:\WINDOWS\system32\mswsock.dll
O10 - WLSP:\000000000003\Winsock LSP File . (.Microsoft Corporation - Fornecedor de serviços do Microsoft Windows Sockets 2.0.) -- C:\WINDOWS\system32\mswsock.dll
~ Winsock: 3 Legitimates Filtered in 00mn 00s

---\\ 'Reset Web Settings' hijack (O14)
O14 - IERESET.INF: SEARCH_PAGE_URL=SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"
O14 - IERESET.INF: SAFESITE_VALUE=SAFESITE_VALUE="search.msn.com.br"
~ IE Paramètres WEB: Scanned in 00mn 00s

---\\ Lop.com/Domain Hijackers (O17)
O17 - HKLM\System\CCS\Services\Tcpip\..\{201E4DE0-6376-4181-A850-4EFF4FF93D31}: DhcpNameServer = 10.4.65.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{201E4DE0-6376-4181-A850-4EFF4FF93D31}: DhcpDomain = funpec.br
O17 - HKLM\System\CS1\Services\Tcpip\..\{201E4DE0-6376-4181-A850-4EFF4FF93D31}: DhcpNameServer = 10.4.65.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{201E4DE0-6376-4181-A850-4EFF4FF93D31}: DhcpDomain = funpec.br
O17 - HKLM\System\CS3\Services\Tcpip\..\{201E4DE0-6376-4181-A850-4EFF4FF93D31}: DhcpNameServer = 10.4.65.16
O17 - HKLM\System\CS3\Services\Tcpip\..\{201E4DE0-6376-4181-A850-4EFF4FF93D31}: DhcpDomain = funpec.br
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.4.65.16
~ Domain: Scanned in 00mn 00s

---\\ Extra protocols (O18)
O18 - Handler: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} . (.Microsoft Corporation - WIA Scripting Layer.) -- C:\WINDOWS\system32\wiascr.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} . (.Microsoft Corporation - Microsoft Office XML MIME Filter.) -- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE12\MSOXMLMF.dll
~ Protocole Additionnel: Scanned in 00mn 00s

---\\ AppInit_DLLs Registry value Autorun (O20)
O20 - Winlogon Notify: GbPluginBb . (.Banco do Brasil - Gbieh Module.) -- C:\Arquivos de programas\GbPlugin\gbieh.dll
O20 - Winlogon Notify: crypt32chain . (.Microsoft Corporation - Crypto API32.) -- C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: cryptnet . (.Microsoft Corporation - Crypto Network Related API.) -- C:\WINDOWS\system32\cryptnet.dll
O20 - Winlogon Notify: cscdll . (.Microsoft Corporation - Agente de rede off-line.) -- C:\WINDOWS\system32\cscdll.dll
O20 - Winlogon Notify: dimsntfy . (.Microsoft Corporation - DIMS Notification Handler.) -- C:\WINDOWS\system32\dimsntfy.dll
O20 - Winlogon Notify: ScCertProp . (.Microsoft Corporation - DLL comum para receber notificações do Winl.) -- C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: Schedule . (.Microsoft Corporation - DLL comum para receber notificações do Winl.) -- C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: sclgntfy . (.Microsoft Corporation - DLL de notificação do serviço de logon secu.) -- C:\WINDOWS\system32\sclgntfy.dll
O20 - Winlogon Notify: SensLogn . (.Microsoft Corporation - DLL comum para receber notificações do Winl.) -- C:\WINDOWS\system32\WlNotify.dll
O20 - Winlogon Notify: termsrv . (.Microsoft Corporation - DLL comum para receber notificações do Winl.) -- C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: wlballoon . (.Microsoft Corporation - DLL comum para receber notificações do Winl.) -- C:\WINDOWS\system32\wlnotify.dll
~ Winlogon: Scanned in 00mn 00s

---\\ SharedTaskScheduler (O22)
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} . (.Microsoft Corporation - Biblioteca da interface de usuário do naveg.) -- C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {8C7461EF-2B13-11d2-BE35-3078302C2030} . (.Microsoft Corporation - Biblioteca da interface de usuário do naveg.) -- C:\WINDOWS\system32\browseui.dll
~ STS/SSO: Scanned in 00mn 00s

---\\ non Microsoft non disabled Windows XP/NT/2000 Services (O23)
O23 - Service: Gbp Service (GbpSv) . (.GAS Tecnologia - G-Buster Browser Defense - Service.) - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: Serviço do Google Update (gupdate) (gupdate) . (.Google Inc. - Google Installer.) - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
~ Services: 3 Legitimates Filtered in 00mn 09s

---\\ Windows Active Desktop & MHTML Editor (O24)
O24 - Desktop Component 0: Minha página inicial atual - file:About:Home
O24 - Desktop General: BackupWallPaper - .(...) - C:\Documents and Settings\f003289\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp
O24 - Desktop General: WallPaper - .(...) - C:\Documents and Settings\f003289\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp
~ Desktop Component: 4 Legitimates Filtered in 00mn 00s

---\\ Task Planned Automatically(039)
O39 - APT:Automatic Planified Task - C:\WINDOWS\Tasks\FindLyrics Update.job [390] =>Adware.AddLyrics
[MD5.C69FCEF7D1378EA3FBD7CF0D78A840F7] [APT] [FindLyrics Update] (.FindLyrics.) -- C:\Arquivos de programas\FindLyrics\flcsur.exe [117760] =>Adware.AddLyrics
~ Scheduled Task: 16 Legitimates Filtered in 00mn 00s

---\\ Software installed (O42)
O42 - Logiciel: FindLyrics - (.FindLyrics.) [HKLM] -- findlyrics@findlyrics.co =>Adware.AddLyrics
O42 - Logiciel: MV RegClean 6.0 - (...) [HKLM] -- MV RegClean 6.0_is1
O42 - Logiciel: VIA/S3G Display Driver - (...) [HKLM] -- VIA/S3G UniChrome Family Win2K/XP/Server2003 Display
~ Logic: 68 Legitimates Filtered in 00mn 00s

---\\ HKCU & HKLM Software Keys
[HKCU\Software\AutoHelpDesk]
[HKCU\Software\GbAs]
[HKCU\Software\findlyrics] =>Adware.AddLyrics
[HKLM\Software\AutoHelpDesk]
[HKLM\Software\S3]
~ Key Software: 134 Legitimates Filtered in 00mn 00s

---\\ Contents of the Common Files folders (O43)
O43 - CFD: 19/04/2013 - 16:31:45 - [0,388] ----D C:\Arquivos de programas\FindLyrics =>Adware.AddLyrics
O43 - CFD: 27/11/2012 - 15:26:42 - [2,465] ----D C:\Arquivos de programas\Marcos Velasco Security
O43 - CFD: 27/11/2012 - 15:28:15 - [0,383] ----D C:\Arquivos de programas\S3
O43 - CFD: 27/11/2012 - 14:21:49 - [0,001] ----D C:\Arquivos de programas\Serviços on-line
O43 - CFD: 27/11/2012 - 14:21:06 - [0,008] ----D C:\Arquivos de programas\Arquivos comuns\Serviços
O43 - CFD: 19/04/2013 - 16:31:52 - [1,063] ----D C:\Documents and Settings\f003289\Dados de aplicativos\0B1T1L2V1T1J1L
O43 - CFD: 27/11/2012 - 16:51:41 - [0,015] R---D C:\Documents and Settings\f003289\Menu Iniciar\Programas\Acessórios
O43 - CFD: 27/02/2013 - 13:55:30 - [0,000] R---D C:\Documents and Settings\f003289\Menu Iniciar\Programas\Ferramentas administrativas
O43 - CFD: 19/04/2013 - 16:55:41 - [0,001] R---D C:\Documents and Settings\f003289\Menu Iniciar\Programas\Inicializar
~ Program Folder: 84 Legitimates Filtered in 00mn 03s

---\\ Last modified or created files under Windows and System32 (O44)
O44 - LFC:[MD5.9D0CAD95DCAAB4514F3D3220B46A7DDE] - 24/04/2013 - 10:09:58 ---A- . (...) -- C:\ComboFix.txt [14112]
O44 - LFC:[MD5.C9DD76D0EF94637C77FF8CA5E0FB0684] - 24/04/2013 - 10:07:47 ---A- . (...) -- C:\WINDOWS\system.ini [227]
O44 - LFC:[MD5.C51A881398F29071239741AE16D07C1C] - 24/04/2013 - 09:56:57 RSHA- . (...) -- C:\cmldr [261856]
O44 - LFC:[MD5.0277C027A26428DB64EF4F64F52BB4FD] - 24/04/2013 - 09:55:25 ---A- . (...) -- C:\WINDOWS\MBR.exe [208896]
O44 - LFC:[MD5.F042EE4C8D66248D9B86DCF52ABAE416] - 24/04/2013 - 09:55:25 ---A- . (...) -- C:\WINDOWS\PEV.exe [256000]
O44 - LFC:[MD5.9E05A9C264C8A908A8E79450FCBFF047] - 24/04/2013 - 09:55:25 ---A- . (...) -- C:\WINDOWS\grep.exe [80412]
O44 - LFC:[MD5.2B657A67AEBB84AEA5632C53E61E23BF] - 24/04/2013 - 09:55:25 ---A- . (...) -- C:\WINDOWS\sed.exe [98816]
O44 - LFC:[MD5.5E832F4FAF5F481F2EAF3B3A48F603B8] - 24/04/2013 - 09:55:25 ---A- . (...) -- C:\WINDOWS\zip.exe [68096]
O44 - LFC:[MD5.E171F85801F3ECA920F1E316E3063A48] - 24/04/2013 - 09:28:59 ---A- . (.GAS Tecnologia - GbPlugin Device Driver.) -- C:\WINDOWS\system32\Drivers\gbpkm.sys [46888]
O44 - LFC:[MD5.FA579938B0733B87066546AFE951082C] - 23/04/2013 - 15:29:20 ---A- . (...) -- C:\Boot.bak [211]
O44 - LFC:[MD5.F5C397BEFBE878EBBAA17055D06359C7] - 23/04/2013 - 15:29:20 ---A- . (...) -- C:\WINDOWS\win.ini [507]
O44 - LFC:[MD5.7B9199D7821C8994F51B265FD7BDDCAF] - 23/04/2013 - 15:22:55 ---A- . (...) -- C:\WINDOWS\wiadebug.log [214]
O44 - LFC:[MD5.67CDAFE6BE27A23E874A38E4C954197A] - 23/04/2013 - 14:49:01 ---A- . (...) -- C:\WINDOWS\wiaservc.log [49]
O44 - LFC:[MD5.D41D8CD98F00B204E9800998ECF8427E] - 23/04/2013 - 14:48:59 ---A- . (...) -- C:\WINDOWS\Sti_Trace.log [0]
O44 - LFC:[MD5.B506D6810834523F8634773E06E71050] - 22/04/2013 - 15:07:06 ---A- . (...) -- C:\WINDOWS\system32\jupdate-1.7.0_21-b11.log [3998]
O44 - LFC:[MD5.8D873392CC208F2E8F418288C15F26AF] - 19/04/2013 - 16:32:09 ---A- . (.ScreenTime Media - ScreenTime Screensaver Engine.) -- C:\WINDOWS\system32\Holding Pattern Coach Class.scr [524288]
~ Files: 42 Legitimates Filtered in 00mn 03s

---\\ Operations and functions at Windows Explorer startup (O46)
O46 - SEH:ShellExecuteHooks - URL Exec Hook - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
O46 - SEH:ShellExecuteHooks - GbPlugin ShlObj - {E37CB5F0-51F5-4395-A808-5FA49E399F83} - C:\Arquivos de programas\GbPlugin\gbieh.dll
~ ShellExecuteHooks: Scanned in 00mn 00s

---\\ Image File Execution Options (IFEO) (O50)
O50 - IFEO:Image File Execution Options - Your Image File Name Here without a path - ntsd -d
~ IFEO: Scanned in 00mn 00s

---\\ ShareTools MSconfig StartupReg (SMSR) (O53)
O53 - SMSR:HKLM\...\startupreg\High Definition Audio Property Page Shortcut [Key] . (.Windows (R) Server 2003 DDK provider - High Definition Audio Property Page Shortcu.) -- C:\WINDOWS\system32\HDAShCut.exe
O53 - SMSR:HKLM\...\startupreg\VTTimer [Key] . (.S3 Graphics, Inc. - No comment.) -- C:\WINDOWS\system32\VTTimer.exe
O53 - SMSR:HKLM\...\startupreg\VTTrayp [Key] . (.S3 Graphics Co., Ltd. - s3contrl (32-bit).) -- C:\WINDOWS\system32\VTtrayp.exe
~ SMSR Keys: 9 Legitimates Filtered in 00mn 00s

---\\ Microsoft Control Security Providers (MCSP) (O54)
O54 - MCSP:[HKLM\...\CurrentControlSet\Control] - (SecurityProviders) - (.Microsoft Corporation - Cliente DPA para plataformas de 32 bits.) -- C:\WINDOWS\system32\msapsspc.dll
O54 - MCSP:[HKLM\...\ControlSet001\Control] - (SecurityProviders) - (.Microsoft Corporation - Cliente DPA para plataformas de 32 bits.) -- C:\WINDOWS\system32\msapsspc.dll
~ MSCP: 6 Legitimates Filtered in 00mn 00s

---\\ System Drivers List (SDL) (O58)
O58 - SDL:[MD5.D392183CC5379E302E50CEBA635248EB] - 05/10/2005 - 16:21:10 R--A- . (.Analog Devices, Inc. - High Definition Audio Function Driver(Release Candidate 1).) -- C:\WINDOWS\system32\Drivers\ADIHdAud.sys [141312]
O58 - SDL:[MD5.C1E76718BAB6BCA0D18E5670F074F821] - 02/03/2006 - 09:00:00 ---A- . (...) -- C:\WINDOWS\system32\ansi.sys [9032]
~ Drivers: Scanned in 00mn 00s

---\\ List all tools cleaner (LATC) (O63)
O63 - Logiciel: ZHPDiag 2013 - (.Nicolas Coolman.) [HKLM] -- ZHPDiag_is1
~ ADS: Scanned in 00mn 00s

---\\ List all legacy services(LALS) (O64)
O64 - Services: CurCS - 22/01/2013 - C:\WINDOWS\system32\drivers\gbpkm.sys (GbpKm) .(.GAS Tecnologia - GbPlugin Device Driver.) - LEGACY_GBPKM
O64 - Services: CurCS - 22/01/2013 - C:\Arquivos de programas\GbPlugin\GbpSv.exe (GbpSv) .(.GAS Tecnologia - G-Buster Browser Defense - Service.) - LEGACY_GBPSV
~ Legacy: 114 Legitimates Filtered in 00mn 00s

---\\ File Associations Shell Spawning (O67)
O67 - Shell Spawning: <.html> [HKLM\..\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Arquivos de programas\Internet Explorer\IEXPLORE.exe
O67 - Shell Spawning: <.html> [HKCU\..\open\Command] (.Not Key.)
O67 - Shell Spawning: <.html> [HKCR\..\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Arquivos de programas\Internet Explorer\IEXPLORE.exe
~ FASS Keys: 17 Legitimates Filtered in 00mn 00s

---\\ Start Menu Internet (SMI) (O68)
O68 - StartMenuInternet: <>[HKLM\..\Shell\open\Command] (.Google Inc. - Google Chrome.) -- C:\Arquivos de programas\Google\Chrome\Application\chrome.exe
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Mozilla Corporation - Firefox.) -- C:\Arquivos de programas\Mozilla Firefox\firefox.exe
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Google Inc. - Google Chrome.) -- C:\Arquivos de programas\Google\Chrome\Application\chrome.exe
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Arquivos de programas\Internet Explorer\iexplore.exe
~ Keys: Scanned in 00mn 00s

---\\ Search Browser Infection (SBI) (O69)
O69 - SBI: SearchScopes [HKCU] {0633EE93-D776-472f-A0FF-E1416B8B2E3A} [DefaultScope] - (Bing) - http://www.bing.com
O69 - SBI: SearchScopes [HKCU] {6A1806CD-94D4-4689-BA73-E35EA1EA9990} - (@ieframe.dll,-12512) - http://www.bing.com
~ Keys: Scanned in 00mn 00s

---\\ Search Particular Root Folder (SPRF) (O84)
[MD5.638F8434151B4C81BB212AAB4BD418D5] [SPRF][24/04/2013] (.Swearware - ComboFix NSIS Installer.) -- C:\Documents and Settings\f003289\Desktop\ComboFix.exe [5059973]
[MD5.2C2F20747085946DE79A713879E09C4E] [SPRF][24/04/2013] (.Oleg N. Scherbakov - 7z Setup SFX.) -- C:\Documents and Settings\f003289\Desktop\JRT.exe [535764]
[MD5.51A8F831E3CDCEEDE0D1EE9B61DD7551] [SPRF][24/04/2013] (.Nicolas Coolman - ZHPDiag.) -- C:\Documents and Settings\f003289\Desktop\ZHPDiag2.exe [5600152]
~ Files: Scanned in 00mn 01s

---\\ Additionnal Scan (O88)
Database Version : v2.11668 - (23/04/2013)
Clés trouvées (Keys found) : 2
Valeurs trouvées (Values found) : 0
Dossiers trouvés (Folders found) : 1
Fichiers trouvés (Files found) : 1
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\findlyrics@findlyrics.co] =>Adware.AddLyrics
[HKCU\Software\findlyrics] =>Adware.AddLyrics
C:\Arquivos de programas\FindLyrics =>Adware.AddLyrics
C:\WINDOWS\Tasks\FindLyrics Update.job =>Adware.AddLyrics
~ Additionnel Scan: 87414 Items scanned in 00mn 25s

---\\ General States of Services not Microsoft (EGS) (SR=Running, SS=Stopped)
SS - | Demand 24/04/2013 256904 | (AdobeFlashPlayerUpdateSvc) . (.Adobe Systems Incorporated.) - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
SR - | Auto 06/03/2013 45248 | (avast! Antivirus) . (.AVAST Software.) - C:\Arquivos de programas\AVAST Software\Avast\AvastSvc.exe
SS - | Demand 13/04/2008 225280 | (dmadmin) . (.Microsoft Corp., Veritas Software.) - C:\WINDOWS\system32\dmadmin.exe
SR - | Auto 22/01/2013 526888 | (GbpSv) . (.GAS Tecnologia.) - C:\Arquivos de programas\GbPlugin\GbpSv.exe
SS - | Auto 29/11/2012 116648 | (gupdate) . (.Google Inc..) - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
SS - | Demand 29/11/2012 116648 | (gupdatem) . (.Google Inc..) - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
SS - | Demand 03/04/2013 116120 | (MozillaMaintenance) . (.Mozilla Foundation.) - C:\Arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe
~ Services: Scanned in 00mn 04s

---\\ Search Master Boot Record Infection (MBR)(O80)
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Run by f003289 at 24/04/2013 10:17:13
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS C:\DOCUME~1\f003289\CONFIG~1\Temp\catchme.sys
1 ntkrnlpa!IofCallDriver[0x804EE120] >> \Device\Harddisk0\DR0[0x89DD3AB8]
kernel: MBR read successfully
user & kernel MBR OK
~ MBR: 14 Legitimates Filtered in 00mn 02s

---\\ Search Master Boot Record Infection (MBRCheck)(O80)
Written by ad13, http://ad13.geekstog
Run by f003289 at 24/04/2013 10:17:15
********* Dump file Name *********
C:\PhysicalDisk0_MBR.bin
~ MBR: Scanned in 00mn 04s

~ 690 Legitimates filtered by white list
End of the scan (466 lines in 01mn 27s)(0)