Author Topic: BV:AutoRun-E [Wrm] i don't know how to remove it  (Read 30448 times)


sh3r3d3r

  • Guest
BV:AutoRun-E [Wrm] i don't know how to remove it
« on: November 29, 2008, 05:50:39 PM »
hi ppl,
first sorry my english.

My computer is infected with BV:AutoRun-E [Wrm]. Avast detects it but doesn't remove it. It creates an autorun.inf on all my hard disks. Avast shows that it found it every 2 minutes. I don't know what to do to remove it. I also searched the internet for solutions, but nothing was found that can really help. Please, if someone knows how to remove it, I'll appreciate it.

Thanks in advance.

BR
Nuno

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #1 on: November 29, 2008, 06:15:28 PM »
You also need to clean your USB flash drives or they would try to reinfect and that is what avast is trying to block.

You could try the freeware "Flash Disinfector" program, at http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

Also see this post, http://forum.avast.com/index.php?topic=34095.msg285331#msg285331.

You also appear to have infected yourself via USB, so let's prevent that

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

« Last Edit: November 29, 2008, 06:18:13 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sh3r3d3r

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #2 on: November 29, 2008, 06:19:19 PM »
Hi, many thanks for your answer. But the file "autorun.inf", the virus itself, exists on all my hard drives. If I remove it from my removable hard disk, it still exists on my other hard drives. But I will try that to see if it works.

BR
Nuno

Offline DavidR

Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #3 on: November 29, 2008, 06:25:43 PM »
Read the Blue text in the quote above, the tool creates an autorun.inf hidden folder on your hard disk partitions and a folder has priority over a file with the same name and that should prevent the autorun.ini from running.

If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.

Or boot into safe mode and delete the autorun.inf files on your hard disk partitions.

sh3r3d3r

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #4 on: November 29, 2008, 06:30:08 PM »
Thanks David, i'll try that. Later i'll post here the results. Let me first backup my important data.

BR
Nuno

sh3r3d3r

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #5 on: November 29, 2008, 06:42:29 PM »
After I used the Flash Drive Disinfector, the virus still exists, but only on drive C:. The folder "autorun.inf" was not created on that drive.

Offline DavidR

Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #6 on: November 29, 2008, 07:42:35 PM »
It is a hidden folder.

Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.

Did you read the link to the other forum topic in my first reply ?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
1. SUPERantispyware On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
« Last Edit: November 29, 2008, 08:18:44 PM by DavidR »

sh3r3d3r

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #7 on: November 29, 2008, 07:54:23 PM »
Thanks for trying to help me.

No, I didn't read it, sorry. I'll read it now and try the programs you provided. I'll post the result later.
Once again, many thanks.

sh3r3d3r

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #8 on: November 29, 2008, 08:14:57 PM »
I did everything you said, and I did all the things in the forum topic you provided. Nothing worked, the virus is still on my computer. I don't know what more I can do...

Offline DavidR

Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #9 on: November 29, 2008, 08:24:30 PM »
I have edited my last post; I forgot to attach the image showing how to show hidden files and folders.

I also suggested a boot-time scan did you do that ?
I also suggested you run both those programs from safe mode did you run them from safe mode ?
You said you would post the results of the scans ?

If you have one of the autorun.inf files, right click on it and select Open With, select Notepad. That file should contain some commands to run files, what are the names and locations to those files, e.g. (C:\windows\system32\infected-file-name.xxx) ?

sh3r3d3r

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #10 on: November 29, 2008, 08:29:18 PM »
In safe mode, no. I'm backing up my data first, then I will restart and do the boot-time scan, and run the programs in safe mode.
Here are the lines in the "autorun.inf" file:

[autorun]
shellexecute="resycled\boot.com c:"
shell\Open\command="resycled\boot.com c:"
shell=Open

In 30 minutes I will restart and do the tasks above. Once again, thanks.
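
The check that reply #9 asks for and reply #10 answers by hand, as an added example (not part of the thread and not any tool named in it): it lists the files an autorun.inf would launch and reports whether a drive root holds autorun.inf as a file or as the placeholder folder described in the Flash_Disinfector note. The function names are hypothetical, and the sample input is constructed from the four lines quoted in reply #10.

```python
import os
import re
import tempfile

# Constructed sample: the four lines quoted in reply #10.
SAMPLE = r'''[autorun]
shellexecute="resycled\boot.com c:"
shell\Open\command="resycled\boot.com c:"
shell=Open
'''

# [autorun] keys whose value is a command line that Windows may launch.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def autorun_commands(text):
    """Return [(key, target, arguments)] for each launch command in [autorun]."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not COMMAND_KEY.match(key):
            continue  # e.g. "shell=Open" only picks the default verb
        # Simplification (assumption): the target ends at the first space.
        target, _, args = value.strip('"').partition(" ")
        found.append((key, target, args))
    return found


def find_entry(root):
    """Locate autorun.inf in a drive root regardless of letter case."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return os.path.join(root, name)
    return None


def inspect_root(root):
    """Classify autorun.inf at a root: absent, folder (placeholder) or file."""
    path = find_entry(root)
    if path is None:
        return {"state": "absent", "commands": []}
    if os.path.isdir(path):
        return {"state": "folder", "commands": []}
    with open(path, "r", encoding="latin-1") as handle:
        return {"state": "file", "commands": autorun_commands(handle.read())}


if __name__ == "__main__":
    # Two temporary directories stand in for drive roots.
    with tempfile.TemporaryDirectory() as infected, \
            tempfile.TemporaryDirectory() as blocked:
        with open(os.path.join(infected, "autorun.inf"), "w") as handle:
            handle.write(SAMPLE)
        os.mkdir(os.path.join(blocked, "autorun.inf"))
        for label, root in (("file", infected), ("folder", blocked)):
            print(label, inspect_root(root))
```
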

Offline DavidR

  • Avast Überevangelist
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #11 on: November 29, 2008, 08:58:09 PM »
From safe mode -
a) Try renaming autorun.inf to no-run.inf
b) See if you can find resycled folder (hopefully the unhide bit will help) and rename these files to something like killboot.com

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.

InFerNo

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #12 on: November 29, 2008, 09:12:10 PM »
Hi I just got the same thing and it took me forever to get rid of it. Seems mine also opened porn every 2 minutes >.< Anyways, I ran system restore (Start>>Programs>>Accessories>>System Tools>>System Restore) and restored my computer to a week before. Then I ran the USB Disinfector and all is well =) Hope this helps!

sh3r3d3r

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #13 on: November 29, 2008, 09:18:23 PM »
Here is the log of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15:05, on 29-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\LogMeIn\x86\LogMeInSystray.exe
C:\Programas\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\Java\jre1.6.0_07\bin\jusched.exe
C:\Programas\Windows Live\Family Safety\fsui.exe
E:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\Windows Live\Messenger\msnmsgr.exe
C:\Programas\RocketDock\RocketDock.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe
C:\Programas\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Programas\Netropa\Onscreen Display\OSD.exe
C:\Programas\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Live\Family Safety\fsssvc.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\Programas\LogMeIn\x86\RaMaint.exe
C:\Programas\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programas\LogMeIn\x86\LMIGuardian.exe
C:\Programas\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
D:\Jogos\Need for Speed ProStreet\PB\PnkBstrA.exe
C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programas\Windows Live\Contacts\wlcomm.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
C:\Programas\PC Connectivity Solution\ServiceLayer.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programas\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Microsoft Office\Office12\OUTLOOK.EXE
D:\Revista\eMule\emule.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Programas\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Programas\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

sh3r3d3r

  • Guest
Re: BV:AutoRun-E [Wrm] i don't know how to remove it
« Reply #14 on: November 29, 2008, 09:19:32 PM »
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Revista\Free Download Manager\iefdm2.dll
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programas\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programas\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programas\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [fssui] "C:\Programas\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [StartCCC] "C:\Programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Revista\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdlif.exe] C:\WINDOWS\system32\kdlif.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Revista\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Programas\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Programas\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Revista\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Programas\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programas\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Files by HiDownload - D:\Revista\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\Revista\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Transferir com FDM - file://D:\Revista\Free Download Manager\dllink.htm
O8 - Extra context menu item: Transferir todos com FDM - file://D:\Revista\Free Download Manager\dlall.htm
O8 - Extra context menu item: Transferir vídeo com FDM - file://D:\Revista\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Transferência seleccionada pelo FDM - file://D:\Revista\Free Download Manager\dlselected.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll