Full Disclosure mailing list archives

Re: Transamericana.org


From: Antonio Henrique Oliveira <tat () postmark net>
Date: Sat, 29 Jan 2005 15:17:24 +0000

Michael Rutledge wrote:
This may be a stretch (a large stretch), but someone could have
planted something on your Windows box that is using pings as a covert
channel (given that person has also taken control of the webserver
that hosts transamericana.org and can watch the connection logs).  Do
you have a capture of the pings for someone to do a frequency analysis
on?

Also, you may want to post a list of your currently running processes
in hopes someone may spot something that looks wrong.

-Michael

On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira
<tat () postmark net> wrote:

Gregh wrote:

----- Original Message -----
From: "Antonio Henrique Oliveira" <tat () postmark net>
To: <full-disclosure () lists netsys com>
Sent: Saturday, January 29, 2005 9:46 PM
Subject: [Full-disclosure] Transamericana.org

Dear all,

Please excuse me if this is a bit off-topic, but since this is the only
IT-related mailing list I subscribe to (apart from Secunia's) I decided to
post here.

From some time ago (I cannot determine exactly when this started to
happen), my workstation (WinXP SP2 PT, fully patched) has been sending
out ping requests to www.transamericana.org when I login to the machine
(right at the beginning of the login process, and only at that time).

Perchance is your DNS hosted there? Eg, your ISP's DNS servers?

Greg.

No. The Linux box runs bind for the internal (and external) networks and
does direct queries to the root servers, not using our ISP's DNS. The
internal network is configured with DHCP and the DNS server for all
hosts is set to the linux box internal address. Also, my workstation
(and there are 5 more) is the only one doing this.

Regards,
--
Anto'nio Henrique A. Proenca de Oliveira

"Although we can never go back, like an old sweet song with a strong
refrain, memories remain" - (Someone)

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
$Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

The only records I have from the pings are from yesterday (when I started logging them). It sends three pings (not replied to) to www.transamericana.org during the login process and then stops until I login again (either by reboot or logoff/login). Attached are two files with results from "HijackThis", as per Gregh's suggestion. They show the running processes and the list of programs executed during login.

Regards,
--
Anto'nio Henrique A. Proenca de Oliveira
R. 3 - Lote 22 - Loteam. Pinhel
4805-078 Caldas das Taipas - Portugal
T +351 253 576 888 / Work +351 255 862 416
M +351 96 323 1169 / tat () postmark net

"Although we can never go back, like an old sweet song with a strong refrain, memories remain" - (Someone)

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
$Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $
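Michael asks above for a capture of the pings so that someone can run a "frequency analysis" on them. The following is an added example, not code from this thread, of what such a triage would check on the captured echo requests: whether the payload is the fixed pattern Windows ping.exe sends, whether payloads change between packets of a burst (a place to hide data), and whether the spacing between packets is irregular (a timing channel). The record layout `(timestamp, destination, payload)` and the sample bursts are constructed here, not taken from the author's capture.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Default payload Windows ping.exe sends: 32 bytes, 'a'..'w' repeated.
WINDOWS_DEFAULT_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty payload)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyse_echo_requests(records, dst, max_cv=0.25):
    """Summarise echo requests sent to `dst` and list covert-channel indicators.

    records: iterable of (timestamp_seconds, dst_host, payload_bytes), as a
             defender would extract them from a capture of the login traffic
             (assumed layout, not a real capture format).
    max_cv:  largest tolerated coefficient of variation of the send interval;
             a plain ping loop is nearly periodic, a timing channel is not.
    """
    pkts = sorted(((t, p) for t, d, p in records if d == dst), key=lambda x: x[0])
    if not pkts:
        return {"count": 0, "suspicious": False, "reasons": ["no packets"]}

    payloads = [p for _, p in pkts]
    intervals = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    reasons = []

    # Indicator 1: payload content. ping.exe sends the same fixed pattern every
    # time, so anything else means some other program built the packets.
    if any(p != WINDOWS_DEFAULT_PAYLOAD for p in payloads):
        reasons.append("payload is not the Windows default pattern")
    # Indicator 2: payloads that change within one burst can carry data.
    distinct = len(set(payloads))
    if distinct > 1:
        reasons.append("%d distinct payloads in %d packets" % (distinct, len(payloads)))
    # Indicator 3: irregular spacing between packets (timing channel).
    cv = 0.0
    if len(intervals) >= 2 and mean(intervals) > 0:
        cv = pstdev(intervals) / mean(intervals)
        if cv > max_cv:
            reasons.append("irregular inter-packet timing (cv=%.2f)" % cv)

    return {
        "count": len(pkts),
        "distinct_payloads": distinct,
        "max_entropy_bits": round(max(shannon_entropy(p) for p in payloads), 3),
        "interval_cv": round(cv, 3),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample data, not real traffic: a login burst like the one reported
# (three unanswered echo requests one second apart with the stock payload) and,
# for contrast, a burst whose payloads and spacing both vary.
BENIGN_BURST = [
    (1000.0, "www.transamericana.org", WINDOWS_DEFAULT_PAYLOAD),
    (1001.0, "www.transamericana.org", WINDOWS_DEFAULT_PAYLOAD),
    (1002.0, "www.transamericana.org", WINDOWS_DEFAULT_PAYLOAD),
    (1002.5, "192.168.0.2", WINDOWS_DEFAULT_PAYLOAD),  # other host, ignored
]
CHANNEL_BURST = [
    (2000.0, "www.transamericana.org", bytes(range(32))),
    (2000.3, "www.transamericana.org", bytes(range(100, 132))),
    (2003.1, "www.transamericana.org", b"\x00" * 31 + b"\x7f"),
]

if __name__ == "__main__":
    for name, burst in (("benign", BENIGN_BURST), ("channel", CHANNEL_BURST)):
        print(name, analyse_echo_requests(burst, "www.transamericana.org"))
```

A burst that trips none of the three indicators is consistent with a plain ping loop, which narrows the question to which startup item issues it rather than what it carries.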

Logfile of HijackThis v1.99.0
Scan saved at 12:34:50, on 29-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\apcupsd\bin\apcupsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Iomega\AutoDisk\ADUserMon.exe
C:\Programas\Iomega\DriveIcons\ImgIcon.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Mozilla Thunderbird\thunderbird.exe
C:\Programas\PuTTY\pageant.exe
C:\Programas\One Guy Coding\Automachron\achron.exe
C:\Programas\OpenOffice.org1.1.4\program\soffice.exe
C:\Programas\Microsoft Office\Office\2070\msoffice.exe
C:\Programas\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\ah.HOMES\Definições locais\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.postmark.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citydesk.pt
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programas\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.2:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Programas\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Apcupsd] "c:\apcupsd\bin\apcupsd.exe" /servicehelper
O4 - HKLM\..\Run: [Deskup] C:\Programas\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programas\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WATCHPNP_Xerox] watchPnp.exe Xerox
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programas\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Automachron.lnk = C:\Programas\One Guy Coding\Automachron\achron.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Programas\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Mozilla Thunderbird (Safe Mode).lnk = C:\Programas\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: Pageant.lnk = C:\Programas\PuTTY\pageant.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.citydesk.pt
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093519773919
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homes.local
O17 - HKLM\Software\..\Telephony: DomainName = homes.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homes.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homes.local
O23 - Service: Apcupsd UPS Server - Unknown - c:\apcupsd\bin\apcupsd.exe
O23 - Service: FAH@C:+Programas+FOLDING+fah502-console - Stanford University - C:\Programas\FOLDING\fah502-console.exe
O23 - Service: Iomega Activity Disk2 - Unknown -  (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server Version 4 - RealVNC Ltd. - C:\Programas\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Programas\Iomega\AutoDisk\ADService.exe

StartupList report, 29-01-2005, 12:38:34
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ah.HOMES\Definições locais\Temp\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\apcupsd\bin\apcupsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Iomega\AutoDisk\ADUserMon.exe
C:\Programas\Iomega\DriveIcons\ImgIcon.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Mozilla Thunderbird\thunderbird.exe
C:\Programas\PuTTY\pageant.exe
C:\Programas\One Guy Coding\Automachron\achron.exe
C:\Programas\OpenOffice.org1.1.4\program\soffice.exe
C:\Programas\Microsoft Office\Office\2070\msoffice.exe
C:\Programas\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\ah.HOMES\Definições locais\Temp\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ah.HOMES\Menu Iniciar\Programas\Arranque]
Automachron.lnk = C:\Programas\One Guy Coding\Automachron\achron.exe
OpenOffice.org 1.1.4.lnk = C:\Programas\OpenOffice.org1.1.4\program\quickstart.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque]
Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
Mozilla Thunderbird (Safe Mode).lnk = C:\Programas\Mozilla Thunderbird\thunderbird.exe
Pageant.lnk = C:\Programas\PuTTY\pageant.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AdaptecDirectCD = "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
ADUserMon = C:\Programas\Iomega\AutoDisk\ADUserMon.exe
Apcupsd = "c:\apcupsd\bin\apcupsd.exe" /servicehelper
Deskup = C:\Programas\Iomega\DriveIcons\deskup.exe /IMGSTART
Iomega Drive Icons = C:\Programas\Iomega\DriveIcons\ImgIcon.exe
iTunesHelper = C:\Programas\iTunes\iTunesHelper.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
QuickTime Task = "C:\Programas\QuickTime\qttask.exe" -atboottime
Synchronization Manager = %SystemRoot%\system32\mobsync.exe /logon
WATCHPNP_Xerox = watchPnp.exe Xerox

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Programas\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Editor de registo'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093519773919

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.0401967593

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: System32\DRIVERS\ABP480N5.SYS (system)
Intel(r) 82801 - serviço de instalação do controlador de áudio (WDM): system32\drivers\ac97intc.sys (manual start)
Controlador ACPI da Microsoft: System32\DRIVERS\ACPI.sys (system)
adpu160m: System32\DRIVERS\adpu160m.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
Ambiente de suporte com funcionalidades de rede AFD: \SystemRoot\System32\drivers\afd.sys (system)
Filtro de barramento Intel AGP: System32\DRIVERS\agp440.sys (system)
Filtro de barramento Compaq AGP: System32\DRIVERS\agpCPQ.sys (system)
Aha154x: System32\DRIVERS\aha154x.sys (system)
aic78u2: System32\DRIVERS\aic78u2.sys (system)
aic78xx: System32\DRIVERS\aic78xx.sys (system)
Alerta: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Serviço de gateway de camada de aplicação: %SystemRoot%\System32\alg.exe (manual start)
AliIde: System32\DRIVERS\aliide.sys (system)
Filtro de barramento ALI AGP: System32\DRIVERS\alim1541.sys (system)
Controlador de filtro de barramento AMD AGP: System32\DRIVERS\amdagp.sys (system)
amsint: System32\DRIVERS\amsint.sys (system)
Apcupsd UPS Server: "c:\apcupsd\bin\apcupsd.exe" /service (autostart)
Gestão de aplicações: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: System32\DRIVERS\asc.sys (system)
asc3350p: System32\DRIVERS\asc3350p.sys (system)
asc3550: System32\DRIVERS\asc3550.sys (system)
Controlador de média assíncrono de RAS: System32\DRIVERS\asyncmac.sys (manual start)
Controlador de disco rígido IDE/ESDI padrão: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\atievxx.exe (autostart)
atimpab: System32\DRIVERS\atimpab.sys (manual start)
ATM - protocolo para cliente ARP: System32\DRIVERS\atmarpc.sys (manual start)
Áudio do Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controladores de stub de áudio: System32\DRIVERS\audstub.sys (manual start)
Serviço de transferência inteligente em fundo: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Browser de computador: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Bluetooth Audio: System32\DRIVERS\btaudio.sys (manual start)
Bluetooth Virtual Communications Driver: System32\DRIVERS\btport.sys (manual start)
Bluetooth LAN Access Server: System32\DRIVERS\btwdndis.sys (manual start)
WIDCOMM USB Bluetooth Driver: System32\Drivers\btwusb.sys (manual start)
cbidf: System32\DRIVERS\cbidf2k.sys (system)
Descodificador de captura fechada: System32\DRIVERS\CCDECODE.sys (manual start)
cd20xrnt: System32\DRIVERS\cd20xrnt.sys (system)
Controlador de CD-ROM: System32\DRIVERS\cdrom.sys (system)
Serviço de indexação: C:\WINDOWS\System32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: System32\DRIVERS\cmdide.sys (system)
Aplicação de sistema COM+: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: System32\DRIVERS\cpqarray.sys (system)
Serviços criptográficos: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: System32\DRIVERS\dac2w2k.sys (system)
dac960nt: System32\DRIVERS\dac960nt.sys (system)
DCOM - Lançador de processo de servidor: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Team MFP Comm Driver: System32\Drivers\DgiVecp.sys (autostart)
Cliente DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controlador de disco: System32\DRIVERS\disk.sys (system)
Serviço administrativo de gestão de discos lógicos: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Controlador do gestor de disco lógico: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Gestor de discos lógicos: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft - sintetizador Kernel DSL: system32\drivers\DMusic.sys (manual start)
Cliente DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: System32\DRIVERS\dpti2o.sys (system)
Microsoft Kernel DRM Descrambler Filter: system32\drivers\drmkaud.sys (manual start)
Intel(R) - controlador de adaptador PRO: System32\DRIVERS\e100b325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Serviço de relato de erros: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
Registo de eventos: %SystemRoot%\system32\services.exe (autostart)
Sistema de eventos do COM+: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
FAH@C:+Programas+FOLDING+fah502-console: C:\Programas\FOLDING\fah502-console -svcstart (manual start)
Compatibilidade de 'Mudança rápida de utilizador': %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Controlador de disquete: System32\DRIVERS\fdc.sys (manual start)
D-Link DFE-530TX PCI Fast Ethernet Adapter Driver: System32\DRIVERS\dlkfet5b.sys (manual start)
Controlador de unidades de disquetes: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
SEMC DSS-20 SyncStation Serial Converter Driver: system32\drivers\ftdibus.sys (manual start)
Controlador do gestor de volume: System32\DRIVERS\ftdisk.sys (system)
Lundinova Filter Driver: system32\drivers\ftlund.sys (manual start)
SEMC DSS-20 SyncStation Driver: system32\drivers\ftser2k.sys (manual start)
Enumerador de portas de jogos: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Classificador de pacotes genérico: System32\DRIVERS\msgpc.sys (manual start)
hardlock: \??\C:\WINDOWS\System32\drivers\hardlock.sys (autostart)
Haspnt: \??\C:\WINDOWS\System32\drivers\Haspnt.sys (autostart)
Ajuda e suporte: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Acesso a dispositivos de interface humana: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: System32\DRIVERS\hpn.sys (system)
hpt3xx: System32\DRIVERS\hpt3xx.sys (system)
HTTP: System32\Drivers\HTTP.sys (manual start)
SSL de HTTP: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: System32\DRIVERS\i2omp.sys (system)
Teclado i8042 e controlador de porta de rato PS/2: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
Controlador de filtro de gravação de CD: System32\DRIVERS\imapi.sys (system)
Serviço COM de gravação de CD de IMAPI: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: System32\DRIVERS\ini910u.sys (system)
IntelIde: System32\DRIVERS\intelide.sys (system)
Iomega Devices Disk Filter Services: System32\DRIVERS\iomdisk.sys (system)
Iomega Activity Disk2: "" (manual start)
Iomega App Services: "C:\PROGRA~1\Iomega\System32\AppServices.exe" (manual start)
Controlador de IPv6 do Firewall do Windows: system32\drivers\ip6fw.sys (manual start)
Controlador de filtração de tráfego IP: System32\DRIVERS\ipfltdrv.sys (manual start)
Controlador de túnel IP-em-IP: System32\DRIVERS\ipinip.sys (manual start)
Tradutor de endereços de rede IP: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: C:\Programas\iPod\bin\iPodService.exe (manual start)
IPSEC Driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: System32\DRIVERS\mraid35x.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator (DTC): C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
MySQL: C:\mysql\bin\mysqld-max-nt MySQL (disabled)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NAVAP: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Programas\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\FICHEI~1\SYMANT~1\VIRUSD~1\20040728.003\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\FICHEI~1\SYMANT~1\VIRUSD~1\20040728.003\NAVEX15.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel Port Driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Video Blaster WebCam 5 (WDM): System32\DRIVERS\PD100Vid.sys (manual start)
perc2: System32\DRIVERS\perc2.sys (system)
perc2hib: System32\DRIVERS\perc2hib.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (manual start)
Iomega Parallel Port Legacy Filter Driver: System32\DRIVERS\ppa3.sys (system)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
ql1080: System32\DRIVERS\ql1080.sys (system)
Ql10wnt: System32\DRIVERS\ql10wnt.sys (system)
ql12160: System32\DRIVERS\ql12160.sys (system)
ql1240: System32\DRIVERS\ql1240.sys (system)
ql1280: System32\DRIVERS\ql1280.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
600 CU Still Image Device Service: system32\drivers\usbscan.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (disabled)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial Port Driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Borland Socket Server: C:\Programas\Borland Socket Server\scktsrvc.exe (disabled)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Sparrow: System32\DRIVERS\sparrow.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Controlador de barramento por software: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{9F4E95ED-F4D3-4059-997C-D616948B14CA} (manual start)
symc810: System32\DRIVERS\symc810.sys (system)
symc8xx: System32\DRIVERS\symc8xx.sys (system)
sym_hi: System32\DRIVERS\sym_hi.sys (system)
sym_u3: System32\DRIVERS\sym_u3.sys (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tiger Jet PCI 128K ISDN Adapter: System32\DRIVERS\tjisdn.sys (manual start)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
TosIde: System32\DRIVERS\toside.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: System32\DRIVERS\ultra.sys (system)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (disabled)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Printer Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Driver: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (disabled)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WDM Virtual Wave Driver (WDM): system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation (WMI): %systemroot%\system32\svchost.exe -k netsvcs (autostart)
VNC Server Version 4: "C:\Programas\RealVNC\VNC4\WinVNC4.exe" -service (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Iomega Active Disk: "C:\Programas\Iomega\AutoDisk\ADService.exe" (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 38.332 bytes
Report generated in 0,320 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
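The services section of the report above gives, per service, only a display name, the image path with its arguments, and the start type. That is enough for a first triage pass, which is what the following added example does; it is not code from the original post or from the tool that produced the report. It parses lines in that shape and sorts them into three buckets for manual follow-up: autostart services whose binary lives outside %SystemRoot% (third-party code that runs at boot, the first place to look for something that fires a network probe at logon), drivers registered with an NT object path (`\??\C:\...`, the usual spelling for third-party kernel drivers), and svchost-hosted services grouped by their `-k` group. The sample lines are constructed in the shape of the report, with the service names given as their English equivalents, and `SYSTEM_ROOT = C:\WINDOWS` is an assumption. The buckets are review hints, not verdicts: the Symantec NAVAPEL driver and the RealVNC service both land in the first bucket and both are expected on this box.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed %SystemRoot% of a default Windows XP install (hypothetical).
SYSTEM_ROOT = "C:\\WINDOWS"

# Constructed sample in the shape of the report's services section:
# "<display name>: <image path and arguments> (<start type>)".
SAMPLE_REPORT = r"""
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Iomega App Services: "C:\PROGRA~1\Iomega\System32\AppServices.exe" (manual start)
MySQL: C:\mysql\bin\mysqld-max-nt MySQL (disabled)
NAVAPEL: \??\C:\Programas\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
VNC Server Version 4: "C:\Programas\RealVNC\VNC4\WinVNC4.exe" -service (autostart)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{9F4E95ED-F4D3-4059-997C-D616948B14CA} (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
VGA Display Driver: \SystemRoot\System32\drivers\vga.sys (system)
"""

LINE_RE = re.compile(
    r"^(?P<name>.+?): (?P<image>.*?) ?"
    r"\((?P<start>autostart|manual start|disabled|system|boot)\)\s*$"
)
EXT_RE = re.compile(r"\.(exe|sys|dll)\b", re.IGNORECASE)
SVCHOST_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.IGNORECASE)


@dataclass
class Service:
    name: str
    image: str                    # image path and arguments exactly as printed
    start: str                    # autostart / manual start / disabled / system / boot
    binary: str                   # first token, normalised to an absolute path
    svchost_group: Optional[str]  # "-k" group when hosted in svchost, else None


def first_token(image: str) -> str:
    """Return the executable or driver path without its arguments."""
    image = image.strip()
    if image.startswith('"'):                  # quoted path, may contain spaces
        end = image.find('"', 1)
        return image[1:end] if end > 0 else image[1:]
    m = EXT_RE.search(image)                   # unquoted path with spaces: cut after the extension
    if m:
        return image[: m.end()]
    return image.split(" ", 1)[0]              # no extension at all (e.g. mysqld-max-nt)


def normalize_binary(token: str) -> str:
    """Map the path spellings seen in the report onto one absolute form."""
    t = token[4:] if token.startswith("\\??\\") else token   # drop NT object-path prefix
    if t.lower().startswith("%systemroot%"):                   # %SystemRoot%\System32\...
        t = SYSTEM_ROOT + t[len("%systemroot%"):]
    elif t.lower().startswith("\\systemroot\\"):               # \SystemRoot\System32\...
        t = SYSTEM_ROOT + t[len("\\systemroot"):]
    elif not re.match(r"^[A-Za-z]:\\", t):                     # System32\DRIVERS\x.sys is relative
        t = SYSTEM_ROOT + "\\" + t
    return t


def parse_services(text: str) -> List[Service]:
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                                # blank lines, separators, headings
            continue
        image = m.group("image").strip()
        group = SVCHOST_RE.search(image)
        services.append(Service(
            name=m.group("name").strip(),
            image=image,
            start=m.group("start"),
            binary=normalize_binary(first_token(image)),
            svchost_group=group.group(1) if group else None,
        ))
    return services


def triage(services: List[Service]) -> dict:
    """Bucket entries for manual follow-up; these are hints, not verdicts."""
    system_prefix = (SYSTEM_ROOT + "\\").lower()
    out = {
        "autostart_outside_systemroot": [],   # third-party code started at boot
        "nt_device_path": [],                 # drivers registered as \??\C:\...
        "svchost_groups": {},                 # hosted services: the real code is the ServiceDll
    }
    for s in services:
        if s.start == "autostart" and not s.binary.lower().startswith(system_prefix):
            out["autostart_outside_systemroot"].append(s.name)
        if s.image.startswith("\\??\\"):
            out["nt_device_path"].append(s.name)
        if s.svchost_group:
            out["svchost_groups"].setdefault(s.svchost_group, []).append(s.name)
    return out


if __name__ == "__main__":
    for bucket, names in triage(parse_services(SAMPLE_REPORT)).items():
        print(bucket, names)
```

The third bucket is the caveat that matters for a report like this one. Every `svchost.exe -k netsvcs` line looks identical here, because the report prints the host process rather than the code it loads; for a hosted service the code that actually runs is the DLL named by the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters, which this report format does not show. An svchost entry that looks normal in the dump therefore still has to be checked in the registry (or with a tool that resolves the ServiceDll) before it can be ruled out.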

Current thread: