Scolari, vá em Iniciar > Executar, digite sysdm.cpl e tecle Enter. Clique na aba Restauração do Sistema e marque a opção Desativar restauração do sistema > OK. Pois o vírus infectou a pasta da restauração do sistema em seu pc, caso deixe a restauração ativada o vírus poderá ser restaurado. Após terminarmos de limpar sua máquina volte neste mesmo local e desmarque esta opção Scolari.Wolf seguem todos os logs conforme solicitado.
A máquina melhorou bastante durante esse processo de desinfecção. Os popouts já eram.
Malwaresbytes
Malwarebytes' Anti-Malware 1.30
Database version: 1402
Windows 5.1.2600 Service Pack 3
2008-11-16 21:41:40
mbam-log-2008-11-16 (21-41-40).txt
Scan type: Full Scan (D:\|)
Objects scanned: 70989
Time elapsed: 13 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004476.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004464.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004465.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004466.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004467.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004470.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004472.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004473.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{9212D3AF-A3C9-4721-B6D6-D602607397B7}\RP9\A0004474.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
RSIT
Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrateur at 2008-11-16 21:45:30
Microsoft Windows XP Professionnel Service Pack 3
System drive D: has 11 GB (52%) free of 20 GB
Total RAM: 1918 MB (65% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:45, on 2008-11-16
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\GbPlugin\GbpSv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\WINDOWS\VistaDrive\VistaDrive.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Documents and Settings\Administrateur\Bureau\RSIT.exe
D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Trend Micro\HijackThis\Administrateur.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.fr/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.folha.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://esimo.c.la/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows XP Edition Classic Plus
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {3C0591A7-E7B4-4F55-B400-E2465FDC2F9E} - D:\WINDOWS\system32\hgGxUlKB.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - D:\Program Files\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [VistaDrive] D:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Apoint] D:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {DC11F230-5717-4C25-BAD7-37B879C19655} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://edinhoscolari.myphotoalbum.com/ImageUploader4.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
O20 - AppInit_DLLs: eavhjg.dll
O20 - Winlogon Notify: GbPluginBb - D:\Program Files\GbPlugin\gbieh.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PDAgent - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 8150 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
BitComet Helper - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll [2008-02-29 468280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C0591A7-E7B4-4F55-B400-E2465FDC2F9E}]
D:\WINDOWS\system32\hgGxUlKB.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000}]
GbIehObj Class - D:\Program Files\GbPlugin\gbieh.dll [2008-04-15 378696]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"=D:\WINDOWS\VistaDrive\VistaDrive.exe [2006-10-05 280779]
"SunJavaUpdateSched"=D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"RTHDCPL"=D:\WINDOWS\RTHDCPL.EXE [2007-05-10 16342528]
"Alcmtr"=D:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"CTHelper"=D:\WINDOWS\CTHELPER.EXE [2006-05-24 17920]
"CTxfiHlp"=D:\WINDOWS\system32\CTXFIHLP.EXE [2006-05-24 18944]
"UpdReg"=D:\WINDOWS\UpdReg.EXE [2000-05-10 90112]
"Apoint"=D:\Program Files\Apoint2K\Apoint.exe [2008-06-01 196608]
"StartCCC"=D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]
"avgnt"=D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"ISTray"=D:\Program Files\Spyware Doctor\pctsTray.exe [2008-08-25 1168264]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\005c6137]
D:\WINDOWS\system32\pxqhyygq.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="eavhjg.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginBb]
D:\Program Files\GbPlugin\gbieh.dll [2008-04-15 378696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
D:\WINDOWS\system32\Ati2evxx.dll [2008-08-21 143360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\wpdshserviceobj.dll [2008-05-23 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"=D:\Program Files\GbPlugin\gbieh.dll [2008-04-15 378696]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
D:\WINDOWS\system32\hgGxUlKB
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSMHelp"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"D:\Program Files\Windows Live\Messenger\msnmsgr.exe"="D:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"D:\Program Files\Windows Live\Messenger\livecall.exe"="D:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\Program Files\Steam\steamapps\gaminy\counter-strike\hl.exe"="D:\Program Files\Steam\steamapps\gaminy\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"D:\Program Files\eMule\emule.exe"="D:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"D:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="D:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"D:\Nexon\Combat Arms\CombatArms.exe"="D:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"D:\Nexon\Combat Arms\Engine.exe"="D:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"D:\Nexon\Combat Arms\NMService.exe"="D:\Nexon\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core"
"D:\Program Files\LimeWire\LimeWire.exe"="D:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"D:\Program Files\Windows Live\Messenger\msnmsgr.exe"="D:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"D:\Program Files\Windows Live\Messenger\livecall.exe"="D:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\Nexon\Combat Arms\CombatArms.exe"="D:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"D:\Nexon\Combat Arms\Engine.exe"="D:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
======List of files/folders created in the last 2 months======
2008-11-16 21:45:30 ----D---- D:\rsit
2008-11-16 21:09:51 ----D---- D:\Documents and Settings\Administrateur\Application Data\Malwarebytes
2008-11-16 21:09:45 ----D---- D:\Program Files\Malwarebytes' Anti-Malware
2008-11-16 21:09:45 ----D---- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-14 19:21:05 ----D---- D:\Documents and Settings\All Users\Application Data\PC Tools
2008-11-14 14:04:49 ----A---- D:\WINDOWS\system32\MRT.INI
2008-11-14 14:03:26 ----HDC---- D:\WINDOWS\$NtUninstallKB957097$
2008-11-14 14:03:22 ----HDC---- D:\WINDOWS\$NtUninstallKB954459$
2008-11-14 14:03:19 ----A---- D:\WINDOWS\imsins.BAK
2008-11-14 14:03:14 ----HDC---- D:\WINDOWS\$NtUninstallKB955069$
2008-11-14 13:59:07 ----D---- D:\Program Files\Fichiers communs\PC Tools
2008-11-13 22:41:13 ----D---- D:\Program Files\Spyware Doctor
2008-11-13 22:41:13 ----D---- D:\Documents and Settings\Administrateur\Application Data\PC Tools
2008-11-13 20:59:53 ----A---- D:\WINDOWS\system32\CF22555.exe
2008-11-13 20:55:38 ----A---- D:\WINDOWS\system32\CF21732.exe
2008-11-13 20:54:42 ----A---- D:\WINDOWS\system32\CF21549.exe
2008-11-13 20:28:08 ----D---- D:\WINDOWS\ERUNT
2008-11-13 20:25:39 ----A---- D:\WINDOWS\ntbtlog.txt
2008-11-13 00:32:13 ----A---- D:\WINDOWS\system32\CF11398.exe
2008-11-13 00:31:33 ----A---- D:\WINDOWS\system32\CF11261.exe
2008-11-13 00:14:48 ----D---- D:\WINDOWS\ERDNT
2008-11-13 00:14:43 ----A---- D:\WINDOWS\system32\CF7969.exe
2008-11-13 00:06:06 ----D---- D:\Program Files\Trend Micro
2008-11-07 13:06:19 ----D---- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-05 22:28:36 ----D---- D:\Documents and Settings\All Users\Application Data\ESET
2008-10-23 23:32:25 ----HDC---- D:\WINDOWS\$NtUninstallKB958644$
2008-10-15 20:00:02 ----HDC---- D:\WINDOWS\$NtUninstallKB956803$
2008-10-15 19:59:59 ----HDC---- D:\WINDOWS\$NtUninstallKB956391$
2008-10-15 19:59:56 ----HDC---- D:\WINDOWS\$NtUninstallKB957095$
2008-10-15 19:59:40 ----HDC---- D:\WINDOWS\$NtUninstallKB954211$
2008-10-15 19:59:34 ----HDC---- D:\WINDOWS\$NtUninstallKB956841$
2008-10-15 19:58:27 ----HDC---- D:\WINDOWS\$NtUninstallKB953155$
2008-10-09 13:32:28 ----A---- D:\WINDOWS\system32\avsda.dll
2008-10-09 13:32:27 ----D---- D:\Program Files\Avira
2008-10-03 12:16:14 ----RHD---- D:\Documents and Settings\Administrateur\Application Data\SecuROM
2008-10-03 12:16:13 ----A---- D:\WINDOWS\system32\CmdLineExt.dll
2008-09-30 16:43:34 ----A---- D:\WINDOWS\system32\msxml4.dll
2008-09-30 12:42:10 ----D---- D:\Documents and Settings\All Users\Application Data\ATI
2008-09-30 12:27:46 ----N---- D:\WINDOWS\system32\ati2sgag.exe
2008-09-30 12:26:51 ----D---- D:\ATI
2008-09-29 14:40:50 ----D---- D:\Documents and Settings\Administrateur\Application Data\SPORE
2008-09-29 14:33:39 ----A---- D:\WINDOWS\system32\XAudio2_2.dll
2008-09-29 14:33:39 ----A---- D:\WINDOWS\system32\XAPOFX1_1.dll
2008-09-29 14:33:39 ----A---- D:\WINDOWS\system32\xactengine3_2.dll
2008-09-29 14:33:39 ----A---- D:\WINDOWS\system32\D3DX9_39.dll
2008-09-29 14:33:39 ----A---- D:\WINDOWS\system32\d3dx10_39.dll
2008-09-29 14:33:39 ----A---- D:\WINDOWS\system32\D3DCompiler_39.dll
2008-09-29 14:33:38 ----A---- D:\WINDOWS\system32\XAudio2_1.dll
2008-09-29 14:33:38 ----A---- D:\WINDOWS\system32\XAPOFX1_0.dll
2008-09-29 14:33:38 ----A---- D:\WINDOWS\system32\xactengine3_1.dll
2008-09-29 14:33:38 ----A---- D:\WINDOWS\system32\X3DAudio1_4.dll
2008-09-29 14:33:37 ----A---- D:\WINDOWS\system32\XAudio2_0.dll
2008-09-29 14:33:37 ----A---- D:\WINDOWS\system32\xactengine3_0.dll
2008-09-29 14:33:37 ----A---- D:\WINDOWS\system32\D3DX9_38.dll
2008-09-29 14:33:37 ----A---- D:\WINDOWS\system32\d3dx10_38.dll
2008-09-29 14:33:37 ----A---- D:\WINDOWS\system32\D3DCompiler_38.dll
2008-09-29 14:33:36 ----A---- D:\WINDOWS\system32\X3DAudio1_3.dll
2008-09-29 14:33:36 ----A---- D:\WINDOWS\system32\D3DX9_37.dll
2008-09-29 14:33:36 ----A---- D:\WINDOWS\system32\d3dx10_37.dll
2008-09-29 14:33:36 ----A---- D:\WINDOWS\system32\D3DCompiler_37.dll
2008-09-29 14:33:18 ----D---- D:\WINDOWS\system32\DirectX
2008-09-29 14:33:12 ----D---- D:\WINDOWS\Logs
2008-09-28 22:03:46 ----D---- D:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
======List of files/folders modified in the last 2 months======
2008-11-16 21:45:42 ----D---- D:\Program Files\Mozilla Firefox
2008-11-16 21:45:33 ----D---- D:\WINDOWS\Temp
2008-11-16 21:45:32 ----AD---- D:\Documents and Settings\All Users\Application Data\TEMP
2008-11-16 21:45:18 ----D---- D:\WINDOWS\system32\drivers
2008-11-16 21:45:16 ----D---- D:\WINDOWS\system32\inetsrv
2008-11-16 21:43:14 ----A---- D:\WINDOWS\SchedLgU.Txt
2008-11-16 21:42:31 ----D---- D:\WINDOWS\system32\Restore
2008-11-16 21:09:51 ----D---- D:\WINDOWS\Prefetch
2008-11-16 21:09:45 ----RD---- D:\Program Files
2008-11-16 20:52:36 ----D---- D:\WINDOWS\system32
2008-11-16 20:50:23 ----D---- D:\WINDOWS
2008-11-16 20:50:08 ----SHD---- D:\System Volume Information
2008-11-16 16:26:58 ----D---- D:\WINDOWS\system32\config
2008-11-16 11:32:07 ----D---- D:\WINDOWS\system32\CatRoot2
2008-11-14 14:05:31 ----SHD---- D:\WINDOWS\Installer
2008-11-14 14:05:30 ----D---- D:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-14 14:04:06 ----D---- D:\WINDOWS\Debug
2008-11-14 14:03:28 ----RSHDC---- D:\WINDOWS\system32\dllcache
2008-11-14 14:03:28 ----HD---- D:\WINDOWS\inf
2008-11-14 14:03:26 ----HD---- D:\WINDOWS\$hf_mig$
2008-11-14 14:03:09 ----D---- D:\WINDOWS\WinSxS
2008-11-14 13:59:07 ----D---- D:\Program Files\Fichiers communs
2008-11-13 22:42:47 ----A---- D:\WINDOWS\system32\PerfStringBackup.INI
2008-11-13 22:33:20 ----D---- D:\Documents and Settings\Administrateur\Application Data\LimeWire
2008-11-13 21:12:08 ----D---- D:\Documents and Settings\All Users\Application Data\Avira
2008-11-13 21:03:22 ----D---- D:\WINDOWS\Minidump
2008-11-13 20:18:44 ----A---- D:\WINDOWS\NeroDigital.ini
2008-11-08 21:11:10 ----A---- D:\WINDOWS\win.ini
2008-11-08 21:11:10 ----A---- D:\WINDOWS\system.ini
2008-11-08 21:11:00 ----D---- D:\WINDOWS\pss
2008-11-05 20:58:51 ----D---- D:\WINDOWS\system32\Logfiles
2008-11-04 21:50:15 ----D---- D:\WINDOWS\Help
2008-11-03 22:10:25 ----A---- D:\WINDOWS\system32\MRT.exe
2008-10-16 20:35:48 ----SD---- D:\Documents and Settings\Administrateur\Application Data\Microsoft
2008-10-16 14:13:40 ----A---- D:\WINDOWS\system32\wuweb.dll
2008-10-16 14:13:40 ----A---- D:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- D:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- D:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- D:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- D:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:09:44 ----A---- D:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- D:\WINDOWS\system32\cdm.dll
2008-10-16 14:08:58 ----A---- D:\WINDOWS\system32\wups.dll
2008-10-16 14:08:06 ----A---- D:\WINDOWS\system32\wuapi.dll.mui
2008-10-16 14:07:32 ----A---- D:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 14:06:48 ----A---- D:\WINDOWS\system32\muweb.dll
2008-10-16 14:06:48 ----A---- D:\WINDOWS\system32\mucltui.dll
2008-10-16 14:06:40 ----A---- D:\WINDOWS\system32\mucltui.dll.mui
2008-10-15 19:59:52 ----D---- D:\Program Files\Internet Explorer
2008-10-15 14:35:43 ----A---- D:\WINDOWS\system32\netapi32.dll
2008-10-13 19:29:01 ----D---- D:\Program Files\DAEMON Tools
2008-10-03 14:22:30 ----A---- D:\WINDOWS\system32\ieframe.dll
2008-10-03 12:11:55 ----HD---- D:\Program Files\InstallShield Installation Information
2008-10-02 22:02:53 ----RSD---- D:\WINDOWS\assembly
2008-09-30 12:30:39 ----D---- D:\Program Files\ATI Technologies
2008-09-30 12:28:03 ----D---- D:\WINDOWS\system32\ReinstallBackups
2008-09-28 21:55:53 ----SD---- D:\Documents and Settings\All Users\Application Data\Microsoft
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK8;Pilote de processeur AMD; D:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-18 43520]
R1 avgio;avgio; \??\D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; D:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-11-13 75072]
R1 IKSysFlt;System Filter Driver; D:\WINDOWS\system32\drivers\iksysflt.sys [2008-08-25 66952]
R1 IKSysSec;System Security Driver; D:\WINDOWS\system32\drivers\iksyssec.sys [2008-08-25 81288]
R1 pctfw2;pctfw2; \??\D:\WINDOWS\system32\drivers\pctfw2.sys []
R1 ssmdrv;ssmdrv; D:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 WS2IFSL;Environnement de prise en charge de Fournisseur de services non-IFS Windows Sockets 2.0; D:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-28 12032]
R3 ati2mtag;ati2mtag; D:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-08-21 3299840]
R3 avgntflt;avgntflt; \??\D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 ctac32k;Creative AC3 Software Decoder; D:\WINDOWS\system32\drivers\ctac32k.sys [2006-05-24 502272]
R3 ctaud2k;Creative Audio Driver (WDM); D:\WINDOWS\system32\drivers\ctaud2k.sys [2006-05-24 499584]
R3 ctprxy2k;Creative Proxy Driver; D:\WINDOWS\system32\drivers\ctprxy2k.sys [2006-05-24 7168]
R3 ctsfm2k;Creative SoundFont Management Device Driver; D:\WINDOWS\system32\drivers\ctsfm2k.sys [2006-05-24 143872]
R3 emupia;E-mu Plug-in Architecture Driver; D:\WINDOWS\system32\drivers\emupia2k.sys [2006-05-24 78336]
R3 ha20x2k;Creative 20X HAL Driver; D:\WINDOWS\system32\drivers\ha20x2k.sys [2006-05-24 1110016]
R3 HDAudBus;Pilote de bus Microsoft UAA pour High Definition Audio; D:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Pilote de classe HID Microsoft; D:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); D:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-05-10 4419584]
R3 mouhid;Pilote HID de souris; D:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-28 12288]
R3 ossrv;Creative OS Services Driver; D:\WINDOWS\system32\drivers\ctoss2k.sys [2006-05-24 116224]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; D:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
R3 usbehci;Pilote miniport de contrôleur d'hôte amélioré Microsoft USB 2.0; D:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Concentrateur USB2; D:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Pilote miniport de contrôleur hôte ouvert USB Microsoft; D:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 apati2ww;apati2ww; D:\WINDOWS\system32\drivers\apati2ww.sys []
S3 ApfiltrService;Alps Pointing-device Filter Driver; D:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2008-06-01 101833]
S3 ctdvda2k;Creative DVD-Audio Device Driver; D:\WINDOWS\system32\drivers\ctdvda2k.sys [2005-11-10 340704]
S3 EagleNT;EagleNT; \??\D:\WINDOWS\system32\drivers\EagleNT.sys []
S3 gdrv;gdrv; \??\D:\WINDOWS\gdrv.sys []
S3 usbscan;Pilote de scanneur USB; D:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;Pilote de stockage de masse USB; D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; D:\WINDOWS\system32\DRIVERS\wpdusb.sys [2008-05-23 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; D:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-05-23 82944]
S4 IntelIde;IntelIde; D:\WINDOWS\system32\drivers\IntelIde.sys []
S4 Sr;Pilote de filtre de restauration système; D:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73600]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 Ati HotKey Poller;Ati HotKey Poller; D:\WINDOWS\system32\Ati2evxx.exe [2008-08-21 573440]
R2 IISADMIN;Administration IIS; D:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15872]
R2 PDAgent;PDAgent; D:\Program Files\Raxco\PerfectDisk\PDAgent.exe [2007-05-24 415248]
R2 sdAuxService;PC Tools Auxiliary Service; D:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R2 sdCoreService;PC Tools Security Service; D:\Program Files\Spyware Doctor\pctsSvc.exe [2008-10-09 1079176]
R2 W3SVC;Publication World Wide Web; D:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15872]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; D:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 PDEngine;PDEngine; D:\Program Files\Raxco\PerfectDisk\PDEngine.exe [2007-05-24 734736]
S2 ATI Smart;ATI Smart; D:\WINDOWS\system32\ati2sgag.exe [2008-08-20 593920]
S3 aspnet_state;ASP.NET State Service; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-07-15 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-07-15 68952]
S3 odserv;Microsoft Office Diagnostics Service; D:\Program Files\Fichiers communs\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; D:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Serviço de Compartilhamento de Pastas Messenger do USN Journal Reader; D:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; D:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Service Partage réseau du Lecteur Windows Media; D:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
-----------------EOF-----------------
O rootkit (mais perigoso e complicado) foi removido com sucesso. Porém, o trojan vundo continua nos logs.
Execute o Malwarebytes e clique na aba Quarentena. Selecione todos os arquivos e clique no botão Remover Tudo. Siga as instruções abaixo Scolari.
- Faça o download do VundoFix e salve-o em sua área de trabalho.
● Rode o VundoFix.exe dando dois cliques;
● Quando o VundoFix abrir novamente, clique em Scan for Vundo;
● Quando ele terminar, clique em Remove Vundo;
● Você receberá um prompt perguntando se você quer remover os arquivos. Confirme. Sua área de trabalho vai sumir;
● Você receberá um aviso dizendo que seu computador deve ser desligado. Clique em OK e depois ligue o computador novamente;
● É possível que o VundoFix encontre um arquivo, mas não consiga removê-lo. Se isso acontecer, a ferramenta rodará ao reiniciar.
● Quando o VundoFix aparecer, clique no botão Scan for Vundo para repetir o processo.
Quando o VundoFix não encontrar mais nenhum arquivo que não consegue remover, faça um novo log do RSIT e cole junto com o log VundoFix.txt Scolari.