Virus removal

Done, Mr Wolf,
it took a while but here it is!
SDFix: Version 1.240
Run by Pedro on sex 01/05/2009 at 02:34

Microsoft Windows XP [versÆo 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp10.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp11.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp12.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp13.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp14.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp15.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp6.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp7.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp8.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmp9.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmpA.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmpB.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmpC.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmpD.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmpE.tmp - Deleted
C:\DOCUME~1\Pedro\CONFIG~1\Temp\tmpF.tmp - Deleted
C:\WINDOWS\csrss.exe - Deleted





Removing Temp Files

ADS Check :

C:\WINDOWS
:0BA97ACCC81B6BC7 24
Total size: 24 bytes.
WINDOWS: deleted 24 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS
No streams found.



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 02:47:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:24,e7,6d,d9,0e,37,5a,8c,a3,3a,ce,bc,d0,e4,f8,60,cd,ef,1b,a2,0c,..
"p0"="C:\Arquivos de programas\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a8,e4,72,f1,19,74,50,cd,30,c2,ad,1e,4c,92,25,cb,ae,..
"khjeh"=hex:3f,8a,4d,ef,0a,89,c8,85,6f,59,1f,03,69,7c,8e,31,7e,2c,62,6c,8e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5c,5e,6c,46,1e,ca,9f,6e,4c,f9,31,30,7a,96,d6,1d,d4,03,ca,96,1d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:ec2f7bba
"s1"=dword:6d056a47
"s2"=dword:980ee038
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:24,e7,6d,d9,0e,37,5a,8c,a3,3a,ce,bc,d0,e4,f8,60,cd,ef,1b,a2,0c,..
"p0"="C:\Arquivos de programas\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a8,e4,72,f1,19,74,50,cd,30,c2,ad,1e,4c,92,25,cb,ae,..
"khjeh"=hex:3f,8a,4d,ef,0a,89,c8,85,6f,59,1f,03,69,7c,8e,31,7e,2c,62,6c,8e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5c,5e,6c,46,1e,ca,9f,6e,4c,f9,31,30,7a,96,d6,1d,d4,03,ca,96,1d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:24,e7,6d,d9,0e,37,5a,8c,a3,3a,ce,bc,d0,e4,f8,60,cd,ef,1b,a2,0c,..
"p0"="C:\Arquivos de programas\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a8,e4,72,f1,19,74,50,cd,30,c2,ad,1e,4c,92,25,cb,ae,..
"khjeh"=hex:3f,8a,4d,ef,0a,89,c8,85,6f,59,1f,03,69,7c,8e,31,7e,2c,62,6c,8e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5c,5e,6c,46,1e,ca,9f,6e,4c,f9,31,30,7a,96,d6,1d,d4,03,ca,96,1d,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install\VxDs]
"CTE_32 Name"="2454892:{301564B2-67A6-1A66-9C4E-A1FE91DE9752}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{7D4173F1-55F5-0F5D-0EE2-8E03738B530C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{7D4173F1-55F5-0F5D-0EE2-8E03738B530C}\Version 1.1]
"dat"="806585365:{7B580B85-93B3-3A19-DAE6-BC5540E3071F}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{3433EFFB-D52A-DCD3-08C5-13C866A21837}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{3433EFFB-D52A-DCD3-08C5-13C866A21837}\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{3433EFFB-D52A-DCD3-08C5-13C866A21837}\Install\xga-1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{3433EFFB-D52A-DCD3-08C5-13C866A21837}\Install\xga-1\dat]
"default"="516231575:{83E883D0-0F3E-27F9-5B89-F036E22BC242}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{7D4173F1-55F5-0F5D-0EE2-8E03738B530C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{7D4173F1-55F5-0F5D-0EE2-8E03738B530C}\Version 3.x]
"dat"="1767914624:{56553F38-8585-EE5B-28E2-485C8166DF67}"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\DreaMule\\emule.exe"="C:\\Arquivos de programas\\DreaMule\\emule.exe:*:Enabled:Dreamule"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Disabled:Compartilhamento de aplicativo RTC"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Arquivos de programas\\Internet Explorer\\IEXPLORE.EXE"="C:\\Arquivos de programas\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"="C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Arquivos de programas\Messenger\msmsgs.exe"
Mon 15 Dec 2008 36,096 ..SHR --- "C:\WINDOWS\system32\drive21.sys"
Fri 12 Dec 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 28 Feb 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 22 Apr 2009 1,514,272 ..SHR --- "C:\WINDOWS\system32\7225D3\FDF101.EXE"
Fri 20 Mar 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 14 Jan 2009 34,816 ...H. --- "C:\Documents and Settings\Pedro\Dados de aplicativos\Microsoft\Word\~WRL0004.tmp"

Finished!
So, Master, do you think we have a chance of removing it?
 
Thanks a lot, Master.

I'm going to register on those forums you sent me, and if I have a question, can I send you a PM? I promise I won't do it all the time, only when I can't clear up the question on the forums or on Google, ok? Thanks a lot, Mr Wolf, you're a really great guy, brother, you deserve a prize for everything you do for us here.

Thanks a lot for the encouragement.

A big hug, man.
 
luisednardo, the payload has not yet been removed from the rootkit. It will be quite a fight, but yes, we have a chance :)

Post a new HijackThis log here.

NOTE: Delete the C:\SDFix folder.
 
Done, Mr Wolf,
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:13:03, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Photodex\ProShowGold\ScsiAccess.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\7225D3\FDF101.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Save\Save.exe
C:\Documents and Settings\Pedro\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Windows Live\Toolbar\wltuser.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Arquivos de programas\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\WINDOWS\BricoPacks\LeopardXP\FindeXer.dll (file missing)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fssui] "C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [FDF101] C:\WINDOWS\system32\7225D3\FDF101.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WhenUSave] "C:\Arquivos de programas\Save\Save.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pedro\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\7225D3\FDF101.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Arquivos de programas\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9767 bytes
Is it just me, or has the number of processes running on this machine increased?
 
Yes, the number of processes increased. That is normal when there is a rootkit on the machine.

luisednardo, was it you who put this entry in the startup?

O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
Open Notepad and paste the text below into it:

Option Explicit
On Error Resume Next

'Declare variables
Dim WSHShell, n, p, itemtype, MyBox, User, Title, Prompt

'set variables
p = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\"
itemtype = "REG_DWORD"
n = 0

Prompt = "Enter the username you wish to hide."
Title = "Hide User on Welcome screen"
User = InputBox(Prompt, Title,"")

If User = "" Then
Title = "Error!"
Prompt = "You left the user name blank."
MyBox = MsgBox(Prompt,4096,Title)
Else
p = p & User
Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.RegWrite p, n, itemtype
Title = "Success"
Prompt = User & " is now hidden on the Welcome screen."

MyBox = MsgBox(Prompt, 4096, Title)
End If

Set WshShell = Nothing
Save it as Fag.vbs and right after that save this same file as Fag.txt (both in the same location). But do not run either of them!

Open HijackThis and click Open the Misc Tools section > Open ADS Spy. Uncheck the two checked options and click the Scan button.

Post the log that will be generated here.

Done, Mr Wolf
C:\Arquivos de programas\AdorageI-SAL\Thumbs.db : encryptable (0 bytes)
C:\Arquivos de programas\DreaMule\Thumbs.db : encryptable (0 bytes)
C:\Arquivos de programas\GenArts\SapphireAE\docs\Thumbs.db : encryptable (0 bytes)
C:\Arquivos de programas\LimeWire\.NetworkShare\LimeWireWin4.18.8.exe : Zone.Identifier (26 bytes)
C:\Arquivos de programas\Messenger\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\All Users\Dados de aplicativos\TEMP : 888AFB86 (110 bytes)
C:\Documents and Settings\All Users\Dados de aplicativos\TEMP : 888AFB86 (110 bytes)
C:\Documents and Settings\All Users\Documentos\Minhas imagens\Amostras de imagens\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\LocalService\Meus documentos\aro_bt_dw.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Pedro\Desktop\marilia\01 Faixa 1.wma : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Desktop\marilia\03 Faixa 3.wma : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Desktop\marilia\04 Faixa 4.wma : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Desktop\marilia\09 Faixa 9.wma : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Desktop\OgAAABwWXUCX4fOr8KL98PDJ9Bs3PxRgRqsZL1AIrqM58mRSqQhKfHiXLV9s6IEdwR_kfbMg-eKzp0FsSieG-klJ22UAm1T1UPzGp4Ta-oQR4vpI0DOnXQStVgqG.jpg : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Desktop\OgAAAGgWkWnWS_V5ZSHv0WvwsnvKUo3DCL65GgVfQOZpBXfovLdu1jZQuArPr2ywovUOlNsGCOtfUdeG6C_Hpo5KJmkAm1T1UDEPtO-ZScpWIUgapRdHq8dRYuNz.jpg : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Desktop\pedru\orkut\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\pedru\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SDFix.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\100ND40X\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\EFEITO 01\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\EFEITO 02\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\EFEITO 03\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\EFEITO 04\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\EFEITO 05\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\EFEITO 06\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\EFEITO 07-CAPA\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\FOTO TELA\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\SONINHA\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\SONINHA\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Desktop\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Meus documentos\Downloads\35.mp3 : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Meus documentos\Downloads\InsttrucoesPreenchimentomodelocompleto2009.zip.zip : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Meus documentos\Downloads\ReceitanetJava2009.01a_setup_win32.exe : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Meus documentos\Downloads\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Meus documentos\ist2_3582294-fashion-scroll-art.jpg : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Meus documentos\ist2_5528470-scroll-art.jpg : Zone.Identifier (24 bytes)
C:\Documents and Settings\Pedro\Meus documentos\Meus arquivos recebidos\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Pedro\Meus documentos\Thumbs.db : encryptable (0 bytes)
C:\HJTInstall.exe : Zone.Identifier (26 bytes)
C:\WINDOWS\system32\drivers : GbpKmAp.lst (208 bytes)
C:\WINDOWS\system32\drivers : GbpKmAp.lst (208 bytes)
C:\WINDOWS\Thumbs.db : encryptable (0 bytes)
D:\arquivos,videos\pagamentos\(pagamento visa)Comprovante_20070721 : Zone.Identifier (26 bytes)
D:\arquivos,videos\pagamentos\Comprovante_20070616 : Zone.Identifier (26 bytes)
D:\arquivos,videos\pagamentos\Comprovante_20070716 : Zone.Identifier (26 bytes)
D:\arquivos,videos\pagamentos\Comprovante_20070816 : Zone.Identifier (26 bytes)
D:\arquivos,videos\pagamentos\Comprovante_20070817 : Zone.Identifier (26 bytes)
D:\arquivos,videos\Thumbs.db : encryptable (0 bytes)
D:\DESKTOP\02 Faixa 2.wma : Zone.Identifier (26 bytes)
D:\DESKTOP\bride-calla-bouquet-lg.jpg : Zone.Identifier (24 bytes)
D:\DESKTOP\Foto 01.mp3 : Zone.Identifier (26 bytes)
D:\DESKTOP\Thumbs.db : encryptable (0 bytes)
D:\MAXIMIM-1 (ALESSANDRA)\musicas igreja tenor\Tenor.zip : Zone.Identifier (26 bytes)
D:\MAXIMIM-1 (ALESSANDRA)\PESSOAL pedro\documento studio maximum e reginaldo\Thumbs.db : encryptable (0 bytes)
D:\MAXIMIM-1 (ALESSANDRA)\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA) : BZ-VIRTUAL-LINK (0 bytes)
D:\Projetos M1 (ALESSANDRA) : BZ-VIRTUAL-LINK (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\BORDAS\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\carac casamento\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\CASAMENTO\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\casamento 02\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\FLORES\gatopreto.com.br_atelie_08_b.gif : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\FLORES\gatopreto.com.br_florais_01_b.gif : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\FLORES\gatopreto.com.br_florais_02_b.gif : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\FLORES\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\hero_selloverview.png : Zone.Identifier (24 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\bonequinhas\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\bordas\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\101 dalmatas\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\A dama e o vagabundo\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\Aladin\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\aranha\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\barney\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\bob esponja\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\branca de neve\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\cinderela\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\FLINTSTONES\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\garfield\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\gravuras\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\Harry Potter\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\hello kitty\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\Hercules\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\lilo e stitch\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\looney tunes\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\mickey baby\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\mickey e donald\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\monica\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\monstros sa\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\moranguinho\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\nemo\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\pequena sereia\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\petter pan\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\pooh\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\princesas\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\rei leão\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\scooby\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\shrek\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\simpsons\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\super poderosas\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\variados\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\SÓ DISNEY\vida de inseto\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\disney\Turma da Monica\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\fundo\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\olhos\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\roupas psd\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\infantil\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\ist2_3582294-fashion-scroll-art.jpg : Zone.Identifier (24 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\ist2_5528470-scroll-art.jpg : Zone.Identifier (24 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\PSDS\barras\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\PSDS\casamento 01\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\PSDS\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\((PSDS))\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\capa dvd\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\CARACTERES\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS IZA\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS IZA\vinhetas\9.jpg : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS IZA\vinhetas\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM : BZ-VIRTUAL-LINK (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM : BZ-VIRTUAL-LINK (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\maximum\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\vinheta MAXIMUM\MAXIMUM\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\vinheta MAXIMUM\studio\card\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\vinheta MAXIMUM\studio\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\vinheta MAXIMUM\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\vinheta MAXIMUM\vinheta MAXIMUM\DEKSTOP MAXIMUM\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\vinheta MAXIMUM\vinheta MAXIMUM\MAXIMUM STUDIO\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\vinheta MAXIMUM\vinheta MAXIMUM\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS MAXIMUM\vinheta MAXIMUM\vinhetas maximum\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\abertura\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\ABERTURA CASAMENTO REGINALDO\chamadinha\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\ABERTURA CASAMENTO REGINALDO\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\amanda (pastor)\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\ANTONIETTA\menu\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\entregues reginaldo\editado clip\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\entregues reginaldo\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\mpg portugal\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\video clip\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\vinheta REGINALDO\abertura evento.avi : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\vinheta REGINALDO\reginaldo produções\abertura evento.avi : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\vinheta REGINALDO\reginaldo produções\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS REGINALDO\vinheta REGINALDO\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS ZILEMAR\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS ZILEMAR\VINHETA ZILEMAR\LOGOMARCA ZILEMAR.psd : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS ZILEMAR\VINHETA ZILEMAR\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\EVENTOS ZILEMAR\vinhetas outros\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\filtros\adp 8\internal\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\filtros\Atomix_Virtual_DJ_Pro_v5.0.7\Atomix_Virtual_DJ_Pro_v5.0.7.zip : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\filtros\Atomix_Virtual_DJ_Pro_v5.0.7\commmm\Atomix_Virtual_DJ_Pro_v5.0.7_Multilenguaje_PORTABLE.rar : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\filtros\Atomix_Virtual_DJ_Pro_v5.0.7\commmm\stylish-0.5.6-fx+tb+sm.xpi : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\filtros\Atomix_Virtual_DJ_Pro_v5.0.7\Serial.txt : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\filtros\Atomix_Virtual_DJ_Pro_v5.0.7\Virtual DJ Pro 5.0.7.exe : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\filtros\DVD Workshop 2.0\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\FOTOS DA FAMILIA\2009-1semestre\ATgAAABGqE8_4aTPcpNUT4RQsCv9mgE-xc2HQQXN1C3vT-V2bgXQlnuJeoEOAAuWznMwDVdSg3KxkI6jPhf-ley_lXHDAJtU9VAxFTFxoO6DkwfpuUdM2vAR74TabA.jpg : Zone.Identifier (24 bytes)
D:\Projetos M1 (ALESSANDRA)\FOTOS DA FAMILIA\2009-1semestre\ATgAAACE1Ut44j0WPR0lX3UaNNSQVGIpU_0CZUCEQPdbQq6cRXa9u8z-a7BGxpEhXfFanFefw0pKTJ8No6adBtyqwLYPAJtU9VCl-_ztmpI9qz4-JmNlv8PdOGScpg.jpg : Zone.Identifier (24 bytes)
D:\Projetos M1 (ALESSANDRA)\FOTOS DA FAMILIA\2009-1semestre\ATgAAACMsOn7P5YnaLgduX94Wllmm7_REJnISRgyAXmgasNs5VxmHvSjaDXmkYBmz1sPI6pIsgiyj6rrPaC7W9nVnEinAJtU9VAHpbd0mN6-Fs49mysQ1GLsfxagAA.jpg : Zone.Identifier (24 bytes)
D:\Projetos M1 (ALESSANDRA)\FOTOS DA FAMILIA\2009-1semestre\OgAAAOvqSPwQJlxNdCvbqPJvHXc2qcIMhSVhysNXjT-0cxTWH5m_jq4Tq4u2DypnBh9KSF0HoWF6KfRLz9r0MOetzGoAm1T1UIBsjsgwkdrynKhRr3gv5z8Eb9gH.jpg : Zone.Identifier (24 bytes)
D:\Projetos M1 (ALESSANDRA)\MUSICAS\CASAMENTO\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\MUSICAS\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\pro notebook\antonieta\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\pro notebook\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\PSDS\barras\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\PSDS\casamento 01\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\PSDS\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\Thumbs.db : encryptable (0 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\vdownloader\ffmpeg.exe : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\vdownloader\pthreadGC2.dll : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\vdownloader\VDownloader.exe : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\vdownloader.zip : Zone.Identifier (26 bytes)
D:\Thumbs.db : encryptable (0 bytes)
 
Yes, the number of processes went up. That is normal when there is a rootkit on the machine.

luisednardo, was it you who put this entry in the startup?

No, it wasn't me, Mr Wolf.
 
Mr. Wolf, below are the logs you requested.

Lop SD
--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Processador Intel Pentium III Xeon )
BIOS : Default System BIOS
USER : Alessandro ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:149 Go (Free:131 Go)
D:\ (Local Disk) - NTFS - Total:149 Go (Free:148 Go)
E:\ (Local Disk) - NTFS - Total:232 Go (Free:232 Go)
F:\ (CD or DVD) - CDFS - Total:3 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( sex 01/05/2009|10:24 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ REMOVIDOS

Deletado! - C:\WINDOWS\Tasks\B12F0DF491088138.job
Deletado! - C:\DOCUME~1\ALLUSE~1\DADOSD~1\seek film amok web\drv build.dat
Deletado! - C:\DOCUME~1\ALLUSE~1\DADOSD~1\seek film amok web\drv build.exe
Deletado! - C:\DOCUME~1\ALESSA~1\DADOSD~1\axisht~1\Byte Mode Proc.exe
Deletado! - C:\DOCUME~1\ALESSA~1\DADOSD~1\axisht~1\itchgreysavebeep.exe
Deletado! - C:\DOCUME~1\ALESSA~1\DADOSD~1\axisht~1\settings way bags.exe
Deletado! - C:\DOCUME~1\ALESSA~1\DADOSD~1\axisht~1\vrtemmrr.exe
Deletado! - C:\Arquivos de programas\Adverts\uninst.exe
Deletado! - C:\DOCUME~1\ALLUSE~1\DADOSD~1\seek film amok web
Deletado! - C:\DOCUME~1\ALESSA~1\DADOSD~1\axisht~1
Deletado! - C:\Arquivos de programas\axisht~1
Deletado! - C:\Arquivos de programas\Adverts

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Lista de pastas em DADOSD~1

[02/01/2008|18:35] C:\DOCUME~1\ALESSA~1\DADOSD~1\Adobe
[02/01/2008|18:11] C:\DOCUME~1\ALESSA~1\DADOSD~1\Identities
[02/01/2008|18:14] C:\DOCUME~1\ALESSA~1\DADOSD~1\InstallShield
[02/01/2008|18:35] C:\DOCUME~1\ALESSA~1\DADOSD~1\Macromedia
[25/04/2009|19:27] C:\DOCUME~1\ALESSA~1\DADOSD~1\Microsoft
[29/04/2009|22:48] C:\DOCUME~1\ALESSA~1\DADOSD~1\Ventrilo
[22/04/2009|23:17] C:\DOCUME~1\ALESSA~1\DADOSD~1\WinRAR

[23/04/2009|20:00] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Microsoft
[30/04/2009|19:15] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
[23/04/2009|20:01] C:\DOCUME~1\ALLUSE~1\DADOSD~1\WLInstaller

[02/01/2008|18:06] C:\DOCUME~1\DEFAUL~1\DADOSD~1\Microsoft

[02/01/2008|18:06] C:\DOCUME~1\LOCALS~1\DADOSD~1\Microsoft

[02/01/2008|18:06] C:\DOCUME~1\NETWOR~1\DADOSD~1\Microsoft

--------------------\\ Tarefas Agendadas na pasta C:\WINDOWS\Tasks

[01/05/2009 10:19][--ah-----] C:\WINDOWS\tasks\SA.DAT
[28/10/2001 12:07][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Lista de pastas em C:\Arquivos de programas

[29/04/2009|22:44] C:\Arquivos de programas\Arquivos comuns
[02/01/2008|18:04] C:\Arquivos de programas\ComPlus Applications
[22/04/2009|22:50] C:\Arquivos de programas\EVGA Precision
[22/04/2009|23:27] C:\Arquivos de programas\InstallShield Installation Information
[02/01/2008|18:13] C:\Arquivos de programas\Intel
[23/04/2009|23:08] C:\Arquivos de programas\Internet Explorer
[22/04/2009|23:27] C:\Arquivos de programas\Logitech
[23/04/2009|23:20] C:\Arquivos de programas\Messenger
[23/04/2009|21:45] C:\Arquivos de programas\MessengerPlus! 3
[02/01/2008|18:59] C:\Arquivos de programas\Microsoft
[25/04/2009|14:20] C:\Arquivos de programas\Microsoft ActiveSync
[02/01/2008|18:06] C:\Arquivos de programas\microsoft frontpage
[23/04/2009|23:17] C:\Arquivos de programas\Movie Maker
[02/01/2008|18:03] C:\Arquivos de programas\MSN Gaming Zone
[23/04/2009|23:16] C:\Arquivos de programas\NetMeeting
[23/04/2009|23:16] C:\Arquivos de programas\Outlook Express
[02/01/2008|18:27] C:\Arquivos de programas\Realtek
[02/01/2008|18:05] C:\Arquivos de programas\Serviços on-line
[30/04/2009|19:15] C:\Arquivos de programas\Spybot - Search & Destroy
[01/05/2009|10:19] C:\Arquivos de programas\Steam
[30/04/2009|19:05] C:\Arquivos de programas\Trend Micro
[02/01/2008|18:11] C:\Arquivos de programas\Uninstall Information
[29/04/2009|22:45] C:\Arquivos de programas\Ventrilo
[23/04/2009|21:52] C:\Arquivos de programas\Windows Live
[23/04/2009|20:00] C:\Arquivos de programas\Windows Live SkyDrive
[23/04/2009|23:17] C:\Arquivos de programas\Windows Media Player
[23/04/2009|23:16] C:\Arquivos de programas\Windows NT
[02/01/2008|18:05] C:\Arquivos de programas\WindowsUpdate
[22/04/2009|23:17] C:\Arquivos de programas\WinRAR
[02/01/2008|18:06] C:\Arquivos de programas\xerox

--------------------\\ Lista de pastas em C:\Arquivos de programas\Arquivos comuns

[02/01/2008|18:27] C:\Arquivos de programas\Arquivos comuns\InstallShield
[22/04/2009|23:27] C:\Arquivos de programas\Arquivos comuns\Logitech
[25/04/2009|14:20] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared
[02/01/2008|18:04] C:\Arquivos de programas\Arquivos comuns\MSSoap
[02/01/2008|15:51] C:\Arquivos de programas\Arquivos comuns\ODBC
[02/01/2008|18:05] C:\Arquivos de programas\Arquivos comuns\Serviços
[02/01/2008|15:51] C:\Arquivos de programas\Arquivos comuns\SpeechEngines
[23/04/2009|23:16] C:\Arquivos de programas\Arquivos comuns\System
[02/01/2008|18:50] C:\Arquivos de programas\Arquivos comuns\Windows Live
[29/04/2009|22:44] C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard

--------------------\\ Process

( 29 Processes )

MsgPlus.exe ~ [PID:1984]

--------------------\\ Procura pelo S_Lop

Não foram encontradas pastas com o Lop!

--------------------\\ Procura por Arquivos/Ficheiros e pastas do Lop

Não foram encontradas pastas com o Lop!

--------------------\\ Procura no Registro

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

..... OK !

--------------------\\ Verificando o Arquivos/Ficheiros Hosts

Arquivos/Ficheiros Hosts LIMPO


--------------------\\ Procurando Arquivos/Ficheiros ocultos com o Catchme


--------------------\\ Procurando por outras infecções

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\ALESSA~1\Recent\rFactor Crack.lnk


[F:62][D:15]-> C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp
[F:137][D:0]-> C:\DOCUME~1\ALESSA~1\Cookies
[F:5645][D:9]-> C:\DOCUME~1\ALESSA~1\CONFIG~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - sex 01/05/2009|10:36 - Option : [2]

--------------------\\ Verificação completa em 10:36:54


Combofix
ComboFix 09-04-30.05 - Alessandro 01/05/2009 10:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2047.1769 [GMT -3:00]
Executando de: c:\documents and settings\Alessandro\Desktop\ComboFix1.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\ieocx.dll
c:\windows\system32\drivers\UACxvncvienivfuxds.sys
c:\windows\system32\UACasvedapaustvscx.log
c:\windows\system32\UACbbabjrewqqoveuw.dll
c:\windows\system32\UACbsblximnwqonxmf.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACinxtuedbmyftbpb.dll
c:\windows\system32\UACleugciywkuvbawx.log
c:\windows\system32\UACnksiglmskyuptfs.log
c:\windows\system32\UACrecumttrvpcwvhi.dat
c:\windows\system32\UACtijibcwwivpthee.dll
c:\windows\system32\UACtwompdvecmmcrdp.dll

----- BITS: Sites possivelmente infetados -----

hxxp://tubeontvgl.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


(((((((((((((((( Arquivos/Ficheiros criados de 2009-04-01 to 2009-05-01 ))))))))))))))))))))))))))))
.

2009-05-01 13:20 . 2009-05-01 13:36 -------- d-----w C:\Lop SD
2009-04-30 22:14 . 2009-04-30 22:14 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-30 22:05 . 2009-04-30 22:05 -------- d-----w c:\arquivos de programas\Trend Micro
2009-04-30 01:45 . 2009-04-30 01:48 -------- d-----w c:\documents and settings\Alessandro\Dados de aplicativos\Ventrilo
2009-04-30 01:45 . 2009-04-30 01:45 -------- d-----w c:\arquivos de programas\Ventrilo
2009-04-30 01:44 . 2009-04-30 01:44 -------- d-----w c:\arquivos de programas\Arquivos comuns\Wise Installation Wizard
2009-04-29 02:58 . 2009-04-30 22:15 -------- d-----w c:\arquivos de programas\Spybot - Search & Destroy
2009-04-29 02:58 . 2009-04-30 22:15 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-04-29 00:38 . 2009-04-29 00:38 1020928 ----a-w c:\documents and settings\Alessandro\Dados de aplicativos\pcdefender.exe
2009-04-25 17:20 . 2009-04-25 17:20 -------- d-----w c:\arquivos de programas\Microsoft ActiveSync
2009-04-24 22:21 . 2008-05-09 10:55 180224 -c----w c:\windows\system32\dllcache\scrobj.dll
2009-04-24 22:21 . 2008-05-09 10:55 512000 -c----w c:\windows\system32\dllcache\jscript.dll
2009-04-24 22:21 . 2008-05-09 10:55 172032 -c----w c:\windows\system32\dllcache\scrrun.dll
2009-04-24 22:21 . 2008-05-09 10:55 90112 -c----w c:\windows\system32\dllcache\wshext.dll
2009-04-24 22:21 . 2008-05-09 10:55 430080 -c----w c:\windows\system32\dllcache\vbscript.dll
2009-04-24 22:21 . 2008-05-09 08:45 135168 -c----w c:\windows\system32\dllcache\cscript.exe
2009-04-24 22:21 . 2008-05-08 11:24 155648 -c----w c:\windows\system32\dllcache\wscript.exe
2009-04-24 02:17 . 2009-04-24 02:17 -------- d-----w c:\windows\l2schemas
2009-04-24 02:17 . 2009-04-24 02:17 -------- d-----w c:\windows\system32\bits
2009-04-24 02:16 . 2009-04-24 02:16 -------- d-----w c:\windows\ServicePackFiles
2009-04-24 02:06 . 2009-02-20 17:11 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-24 02:06 . 2009-02-20 17:11 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-24 02:06 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 02:06 . 2009-02-20 17:11 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-24 02:06 . 2009-02-20 17:11 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-24 02:06 . 2009-02-20 17:11 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-24 02:06 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-24 02:06 . 2009-02-20 17:11 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-24 02:06 . 2009-04-24 02:17 -------- d-----w c:\windows\system32\pt-br
2009-04-24 01:28 . 2004-08-04 01:29 63488 ------w c:\windows\system32\drivers\atinxsxx.sys
2009-04-24 00:53 . 2009-05-01 13:19 -------- d-----w c:\documents and settings\Alessandro\Tracing
2009-04-24 00:45 . 2009-04-24 00:45 -------- d-----w c:\arquivos de programas\MessengerPlus! 3
2009-04-23 23:01 . 2009-04-23 23:01 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller
2009-04-23 23:00 . 2009-04-23 23:00 -------- d-----w c:\arquivos de programas\Windows Live SkyDrive
2009-04-23 03:34 . 2009-05-01 13:19 -------- d-----w c:\arquivos de programas\Steam
2009-04-23 02:27 . 2006-06-06 18:37 46208 ----a-w c:\windows\system32\drivers\WmXlCore.sys
2009-04-23 02:27 . 2006-06-06 18:37 6400 ----a-w c:\windows\system32\drivers\WmVirHid.sys
2009-04-23 02:27 . 2006-06-06 18:37 20864 ----a-w c:\windows\system32\drivers\WmHidLo.sys
2009-04-23 02:27 . 2006-06-06 18:37 21632 ----a-w c:\windows\system32\drivers\WmFilter.sys
2009-04-23 02:27 . 2006-06-06 18:37 11136 ----a-w c:\windows\system32\drivers\WmBEnum.sys
2009-04-23 02:27 . 2006-06-06 18:34 192512 ----a-w c:\windows\system32\WmJoyFrc.dll
2009-04-23 02:27 . 2009-04-23 02:27 -------- d-----w c:\arquivos de programas\Arquivos comuns\Logitech
2009-04-23 02:27 . 2009-04-23 02:27 -------- d-----w c:\arquivos de programas\Logitech
2009-04-23 02:13 . 2009-04-29 02:19 -------- d-----w C:\rFactor
2009-04-23 02:08 . 2008-06-14 17:34 272384 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-23 02:08 . 2008-06-14 17:34 272384 ------w c:\windows\system32\drivers\bthport.sys
2009-04-23 02:07 . 2008-04-21 21:15 216064 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 02:04 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-23 02:04 . 2009-02-09 11:25 2193280 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-23 02:04 . 2009-03-06 14:20 286208 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-23 02:04 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-23 02:04 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-23 02:04 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-23 02:04 . 2009-02-09 10:53 683520 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-23 02:04 . 2009-02-09 10:53 731648 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-23 02:04 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-23 02:04 . 2009-02-09 10:53 730624 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-23 02:04 . 2009-02-09 11:25 2149376 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-23 02:04 . 2009-02-09 11:25 2028032 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-23 01:38 . 2008-04-11 19:05 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-23 01:10 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-23 01:06 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-23 01:06 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-23 00:57 . 2009-04-23 01:50 -------- d-----w c:\arquivos de programas\EVGA Precision
2009-04-23 00:56 . 2009-04-23 00:56 -------- d-----w c:\windows\nview
2009-04-23 00:56 . 2008-07-09 11:02 446464 ----a-w c:\windows\system32\nvudisp.exe
2009-04-23 00:55 . 2008-07-09 18:59 446464 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-23 00:35 . 2008-10-15 16:36 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-23 00:27 . 2009-04-23 00:27 -------- d-----w C:\NVIDIA
2009-04-23 00:27 . 2009-04-29 23:55 -------- d--h--w c:\windows\$hf_mig$
2009-04-23 00:23 . 2008-10-16 17:06 268648 ----a-w c:\windows\system32\mucltui.dll

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 21:56 . 2009-04-30 21:56 43 ----a-w c:\documents and settings\Alessandro\Dados de aplicativos\~ygw.tmp
2009-04-25 22:28 . 2001-10-28 15:07 48628 ----a-w c:\windows\system32\perfc016.dat
2009-04-25 22:28 . 2001-10-28 15:07 344380 ----a-w c:\windows\system32\perfh016.dat
2009-04-24 02:19 . 2008-01-02 21:06 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-24 00:52 . 2008-01-02 21:59 -------- d-----w c:\arquivos de programas\Windows Live
2009-04-23 02:27 . 2008-01-02 21:14 -------- d--h--w c:\arquivos de programas\InstallShield Installation Information
2009-03-06 14:20 . 2004-08-04 03:45 286208 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:06 . 2004-08-04 03:45 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:11 . 2004-08-04 03:45 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:06 . 2004-08-04 03:38 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:25 . 2004-08-04 00:40 2028032 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:25 . 2004-08-04 03:40 2149376 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:25 . 2004-08-04 03:45 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2004-08-04 03:45 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:53 . 2004-08-04 03:45 731648 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-08-04 03:45 683520 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:53 . 2004-08-04 03:45 730624 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 21:52 . 2009-02-06 21:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2001-10-28 15:07 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:58 . 2004-08-04 03:45 56832 ----a-w c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\arquivos de programas\steam\steam.exe" [2009-04-23 1410296]
"MessengerPlus3"="c:\arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2009-04-24 190024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"sysav"="c:\documents and settings\Alessandro\Dados de aplicativos\pcdefender.exe" [2009-04-29 1020928]
"H/PC Connection Agent"="c:\arquivos de programas\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EVGAPrecision"="c:\arquivos de programas\EVGA Precision\EVGAPrecision.exe" [2008-07-25 236560]
"MessengerPlus3"="c:\arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2009-04-24 190024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-09 13533184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-09 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-16 16855552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-07-09 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\arquivos de programas\Microsoft ActiveSync\rapimgr.exe"= c:\arquivos de programas\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\arquivos de programas\Microsoft ActiveSync\wcescomm.exe"= c:\arquivos de programas\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\arquivos de programas\Microsoft ActiveSync\WCESMgr.exe"= c:\arquivos de programas\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]

.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{39fc2065-c9c7-49cd-8942-44cc2dedc844} - c:\windows\ieocx.dll


.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
TCP: {544FEC64-D488-47BC-B0F1-DE3929F113A6} = 10.1.1.1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 10:59
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2009-05-01 11:00
ComboFix-quarantined-files.txt 2009-05-01 14:00

Pré-execução: 12 pasta(s) 141.263.208.448 bytes disponíveis
Pós execução: 11 pasta(s) 141.612.195.840 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

191 --- E O F --- 2009-04-30 02:04

Thank you in advance for your dedication to helping the Adrena folks! :yes:
 
luisednardo, follow the steps below:

Go to Open ADS Spy in HijackThis and remove only the entries below:

C:\Arquivos de programas\DreaMule\Thumbs.db : encryptable (0 bytes)
C:\Arquivos de programas\GenArts\SapphireAE\docs\Thumbs.db : encryptable (0 bytes)
C:\Arquivos de programas\LimeWire\.NetworkShare\LimeWireWin4.18.8 .exe : Zone.Identifier (26 bytes)
C:\Arquivos de programas\Messenger\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\All Users\Dados de aplicativos\TEMP : 888AFB86 (110 bytes)
C:\Documents and Settings\All Users\Dados de aplicativos\TEMP : 888AFB86 (110 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\vdownloader\ffmpeg.exe : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\vdownloader\pthreadGC2.dll : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\vdownloader\VDownloader.exe : Zone.Identifier (26 bytes)
D:\Projetos M1 (ALESSANDRA)\videos net\vdownloader.zip : Zone.Identifier (26 bytes)
D:\Thumbs.db : encryptable (0 bytes)
Restart the computer in Safe Mode. Run a new ADS Spy scan and check whether these entries are still shown.

If not, restart in Normal Mode and post a new HijackThis log.
_________________________________


Alessandro Monteiro, follow the instructions below:

Delete the C:\Lop SD folder and keep TeaTimer disabled in order to proceed with the instructions!

Select and copy the text below. Paste it into Notepad and save it on the desktop as CFScript.txt

Code:
File::
c:\documents and settings\Alessandro\Dados de aplicativos\pcdefender.exe
Registry:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysav"=-
Rootkit::
c:\windows\system32\drivers\BIOS.sys
Driver::
BIOS
Drag the CFScript onto ComboFix as shown in the image below and wait for the tool to run automatically:

CFScript.gif


● If prompted, press Enter to start the removal process;
● Do not use the mouse or keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may restart automatically. If it does not, restart it manually.

In your next reply, Alessandro, paste ComboFix.txt and a new HijackThis log.
 
Mr Wolf, all good!!
Can you clear up a doubt for me?!!
I went to install a 3D modeling program that a friend of mine gave me, and while I was copying the folder onto the machine, ESET Smart Security stopped and identified a trojan in a crack folder that was inside it. Then I looked at the ESET logs and it said this: variant of Win32/SdBot trojan
In the antivirus activity it described it like this: cleaned by deleting (after the next restart) - quarantined.
It went to quarantine.
What do I do?!!
Sorry for the trouble.
My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:57 PM, on 5/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56EF57E3-AAF4-41A2-AEF6-FE06F54D010D}: NameServer = 200.175.89.139,200.175.182.139
O17 - HKLM\System\CS1\Services\Tcpip\..\{56EF57E3-AAF4-41A2-AEF6-FE06F54D010D}: NameServer = 200.175.89.139,200.175.182.139
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5642 bytes
 
luisednardo, follow the steps below:

Go to Open ADS Spy in HijackThis and remove only the entries below:

Restart the computer in Safe Mode. Run a new ADS Spy scan and check whether these entries are still shown.

If they are not, restart in Normal Mode and post a new HijackThis log.
The entries did not show up, Mr Wolf
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59:22, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\7225D3\FDF101.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Save\Save.exe
C:\Documents and Settings\Pedro\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Photodex\ProShowGold\ScsiAccess.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Arquivos de programas\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\WINDOWS\BricoPacks\LeopardXP\FindeXer.dll (file missing)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fssui] "C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [FDF101] C:\WINDOWS\system32\7225D3\FDF101.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WhenUSave] "C:\Arquivos de programas\Save\Save.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pedro\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\7225D3\FDF101.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Arquivos de programas\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9715 bytes
 
OK Mr. Wolf, below are the two requested logs!

Combofix
ComboFix 09-05-02.4 - Alessandro 01/05/2009 22:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2047.1669 [GMT -3:00]
Executando de: c:\documents and settings\Alessandro\Desktop\ComboFix1.exe
Comandos utilizados :: c:\documents and settings\Alessandro\Desktop\CFScript.txt

FILE ::
c:\documents and settings\Alessandro\Dados de aplicativos\pcdefender.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alessandro\Dados de aplicativos\pcdefender.exe
c:\windows\system32\drivers\BIOS.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BIOS
-------\Service_BIOS


(((((((((((((((( Arquivos/Ficheiros criados de 2009-04-02 to 2009-05-02 ))))))))))))))))))))))))))))
.

2009-04-30 22:14 . 2009-04-30 22:14 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-30 22:05 . 2009-04-30 22:05 -------- d-----w c:\arquivos de programas\Trend Micro
2009-04-30 01:45 . 2009-04-30 01:48 -------- d-----w c:\documents and settings\Alessandro\Dados de aplicativos\Ventrilo
2009-04-30 01:45 . 2009-04-30 01:45 -------- d-----w c:\arquivos de programas\Ventrilo
2009-04-30 01:44 . 2009-04-30 01:44 -------- d-----w c:\arquivos de programas\Arquivos comuns\Wise Installation Wizard
2009-04-29 02:58 . 2009-04-30 22:15 -------- d-----w c:\arquivos de programas\Spybot - Search & Destroy
2009-04-29 02:58 . 2009-04-30 22:15 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-04-25 17:20 . 2009-04-25 17:20 -------- d-----w c:\arquivos de programas\Microsoft ActiveSync
2009-04-24 22:21 . 2008-05-09 10:55 180224 -c----w c:\windows\system32\dllcache\scrobj.dll
2009-04-24 22:21 . 2008-05-09 10:55 512000 -c----w c:\windows\system32\dllcache\jscript.dll
2009-04-24 22:21 . 2008-05-09 10:55 172032 -c----w c:\windows\system32\dllcache\scrrun.dll
2009-04-24 22:21 . 2008-05-09 10:55 90112 -c----w c:\windows\system32\dllcache\wshext.dll
2009-04-24 22:21 . 2008-05-09 10:55 430080 -c----w c:\windows\system32\dllcache\vbscript.dll
2009-04-24 22:21 . 2008-05-09 08:45 135168 -c----w c:\windows\system32\dllcache\cscript.exe
2009-04-24 22:21 . 2008-05-08 11:24 155648 -c----w c:\windows\system32\dllcache\wscript.exe
2009-04-24 02:17 . 2009-04-24 02:17 -------- d-----w c:\windows\l2schemas
2009-04-24 02:17 . 2009-04-24 02:17 -------- d-----w c:\windows\system32\bits
2009-04-24 02:16 . 2009-04-24 02:16 -------- d-----w c:\windows\ServicePackFiles
2009-04-24 02:06 . 2009-02-20 17:11 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-24 02:06 . 2009-02-20 17:11 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-24 02:06 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 02:06 . 2009-02-20 17:11 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-24 02:06 . 2009-02-20 17:11 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-24 02:06 . 2009-02-20 17:11 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-24 02:06 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-24 02:06 . 2009-02-20 17:11 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-24 02:06 . 2009-04-24 02:17 -------- d-----w c:\windows\system32\pt-br
2009-04-24 01:28 . 2004-08-04 01:29 63488 ------w c:\windows\system32\drivers\atinxsxx.sys
2009-04-24 00:53 . 2009-05-02 01:07 -------- d-----w c:\documents and settings\Alessandro\Tracing
2009-04-24 00:45 . 2009-04-24 00:45 -------- d-----w c:\arquivos de programas\MessengerPlus! 3
2009-04-23 23:01 . 2009-04-23 23:01 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller
2009-04-23 23:00 . 2009-04-23 23:00 -------- d-----w c:\arquivos de programas\Windows Live SkyDrive
2009-04-23 03:34 . 2009-05-02 01:07 -------- d-----w c:\arquivos de programas\Steam
2009-04-23 02:27 . 2006-06-06 18:37 46208 ----a-w c:\windows\system32\drivers\WmXlCore.sys
2009-04-23 02:27 . 2006-06-06 18:37 6400 ----a-w c:\windows\system32\drivers\WmVirHid.sys
2009-04-23 02:27 . 2006-06-06 18:37 20864 ----a-w c:\windows\system32\drivers\WmHidLo.sys
2009-04-23 02:27 . 2006-06-06 18:37 21632 ----a-w c:\windows\system32\drivers\WmFilter.sys
2009-04-23 02:27 . 2006-06-06 18:37 11136 ----a-w c:\windows\system32\drivers\WmBEnum.sys
2009-04-23 02:27 . 2006-06-06 18:34 192512 ----a-w c:\windows\system32\WmJoyFrc.dll
2009-04-23 02:27 . 2009-04-23 02:27 -------- d-----w c:\arquivos de programas\Arquivos comuns\Logitech
2009-04-23 02:27 . 2009-04-23 02:27 -------- d-----w c:\arquivos de programas\Logitech
2009-04-23 02:13 . 2009-04-29 02:19 -------- d-----w C:\rFactor
2009-04-23 02:08 . 2008-06-14 17:34 272384 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-23 02:08 . 2008-06-14 17:34 272384 ------w c:\windows\system32\drivers\bthport.sys
2009-04-23 02:07 . 2008-04-21 21:15 216064 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 02:04 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-23 02:04 . 2009-02-09 11:25 2193280 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-23 02:04 . 2009-03-06 14:20 286208 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-23 02:04 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-23 02:04 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-23 02:04 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-23 02:04 . 2009-02-09 10:53 683520 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-23 02:04 . 2009-02-09 10:53 731648 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-23 02:04 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-23 02:04 . 2009-02-09 10:53 730624 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-23 02:04 . 2009-02-09 11:25 2149376 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-23 02:04 . 2009-02-09 11:25 2028032 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-23 01:38 . 2008-04-11 19:05 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-23 01:10 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-23 01:06 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-23 01:06 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-23 00:57 . 2009-04-23 01:50 -------- d-----w c:\arquivos de programas\EVGA Precision
2009-04-23 00:56 . 2009-04-23 00:56 -------- d-----w c:\windows\nview
2009-04-23 00:56 . 2008-07-09 11:02 446464 ----a-w c:\windows\system32\nvudisp.exe
2009-04-23 00:55 . 2008-07-09 18:59 446464 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-23 00:35 . 2008-10-15 16:36 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-23 00:27 . 2009-04-23 00:27 -------- d-----w C:\NVIDIA
2009-04-23 00:27 . 2009-04-29 23:55 -------- d--h--w c:\windows\$hf_mig$
2009-04-23 00:23 . 2008-10-16 17:06 268648 ----a-w c:\windows\system32\mucltui.dll

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 01:07 . 2008-01-02 21:09 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-30 21:56 . 2009-04-30 21:56 43 ----a-w c:\documents and settings\Alessandro\Dados de aplicativos\~ygw.tmp
2009-04-25 22:28 . 2001-10-28 15:07 48628 ----a-w c:\windows\system32\perfc016.dat
2009-04-25 22:28 . 2001-10-28 15:07 344380 ----a-w c:\windows\system32\perfh016.dat
2009-04-24 02:19 . 2008-01-02 21:06 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-24 00:52 . 2008-01-02 21:59 -------- d-----w c:\arquivos de programas\Windows Live
2009-04-23 02:27 . 2008-01-02 21:14 -------- d--h--w c:\arquivos de programas\InstallShield Installation Information
2009-03-06 14:20 . 2004-08-04 03:45 286208 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:06 . 2004-08-04 03:45 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:11 . 2004-08-04 03:45 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:06 . 2004-08-04 03:38 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:25 . 2004-08-04 00:40 2028032 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:25 . 2004-08-04 03:40 2149376 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:25 . 2004-08-04 03:45 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2004-08-04 03:45 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:53 . 2004-08-04 03:45 731648 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-08-04 03:45 683520 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:53 . 2004-08-04 03:45 730624 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 21:52 . 2009-02-06 21:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2001-10-28 15:07 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:58 . 2004-08-04 03:45 56832 ----a-w c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\arquivos de programas\steam\steam.exe" [2009-04-23 1410296]
"MessengerPlus3"="c:\arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2009-04-24 190024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\arquivos de programas\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EVGAPrecision"="c:\arquivos de programas\EVGA Precision\EVGAPrecision.exe" [2008-07-25 236560]
"MessengerPlus3"="c:\arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2009-04-24 190024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-09 13533184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-09 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-16 16855552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-07-09 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\arquivos de programas\Microsoft ActiveSync\rapimgr.exe"= c:\arquivos de programas\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\arquivos de programas\Microsoft ActiveSync\wcescomm.exe"= c:\arquivos de programas\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\arquivos de programas\Microsoft ActiveSync\WCESMgr.exe"= c:\arquivos de programas\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-sysav - c:\documents and settings\Alessandro\Dados de aplicativos\pcdefender.exe


.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
TCP: {544FEC64-D488-47BC-B0F1-DE3929F113A6} = 10.1.1.1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 22:07
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(3560)
c:\arquivos de programas\MessengerPlus! 3\MsgPlusLoader.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\arquiv~1\WINDOW~4\MESSEN~1\msnmsgr.exe
c:\arquiv~1\MICROS~3\rapimgr.exe
c:\windows\ALCFDRTM.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-05-02 22:10 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-05-02 01:09
ComboFix2.txt 2009-05-01 14:00

Pré-execução: 11 pasta(s) 141.654.659.072 bytes disponíveis
Pós execução: 10 pasta(s) 141.618.581.504 bytes disponíveis

188 --- E O F --- 2009-04-30 02:04


HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:11:20, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Microsoft ActiveSync\Wcescomm.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\ARQUIV~1\MICROS~3\rapimgr.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [EVGAPrecision] "C:\Arquivos de programas\EVGA Precision\EVGAPrecision.exe" /s
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "c:\arquivos de programas\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199311739625
O17 - HKLM\System\CCS\Services\Tcpip\..\{544FEC64-D488-47BC-B0F1-DE3929F113A6}: NameServer = 10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{544FEC64-D488-47BC-B0F1-DE3929F113A6}: NameServer = 10.1.1.1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4234 bytes

Awaiting further instructions!
Cheers
 
Hi Wolf, all good?
I'm posting from my girlfriend's PC, which seems to have a virus too. Below is the HijackThis log; is it infected as well? One detail: whenever a USB stick is plugged in, Avast flags a virus in one file or another on the stick... is there a way to clean the USB stick as well as the PC?
Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:22:26, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PowerDVD.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Computador\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1218388438546
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E8F3BBE-94E6-4751-AD83-2BEC4051BD53}: NameServer = 200.204.0.10 200.204.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8211 bytes
Thanks in advance, really!
My PC is as good as new! :D
 
Hey Ninja, Avast gave a malware warning and my BS Player started having problems; I think it might be something, so I came to clear up my doubts with someone who knows.

Is it clean?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20:54, on 3/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\adm\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Arquivos de programas\DreaMule\emule.exe
C:\Arquivos de programas\Google\Google Earth\googleearth.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\adm\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\adm\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\adm\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\adm\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\adm\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Dados Antigos\ado\Arquivo de programas\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RGSC] C:\Arquivos de programas\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Arquivos de programas\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221616179359
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://200.220.140.155:2584/activex/AMC.cab
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 9758 bytes

Cheers, good people! :yes:
 
I've got a virus (or several?) here and I'm out of ideas about what to do...
here are the symptoms:

it blocked USB access (Windows recognizes the device but it doesn't show up in My Computer)

System Restore is blocked

on some Google searches about virus removal and the symptoms, it blocks and redirects to malicious/advertising sites (note that this only happens with Google; I tested with MSN search and it worked). Before it was only with IE7, now it's with Opera and Firefox too...

I repaired Windows but the virus stayed and seems to have spread even more...

I ran several scans with Avira, Spyware Doctor and Malwarebytes and trojans were found (about 4), but when I went to remove them it said I had to restart the PC, and then the virus had a field day and wasn't removed

at one point the PC would stop during startup and kept rebooting every 15 minutes...

after that it wouldn't even get into Windows anymore

I installed Windows over the top, and after the installation I ended up here in a safe mode (that has wireless support, very strange)

here's a HijackThis log, which I think doesn't solve anything:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:59, on 3/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Arquivos de programas\Opera\opera.exe
C:\Documents and Settings\user\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-21-1957994488-2025429265-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

--
End of file - 2463 bytes

please help me, I'll have to keep the PC on until you help me
if I restart I risk having to install Windows again

[]´s
 
Hello everyone, good afternoon! I'll reply to everyone in this same post, ok, going in order of the posts.


JulianoT my friend, most antivirus programs do detect cracks as viruses. My suggestion was that you delete it from quarantine and not install it again. But that's up to you. If you want to install the program with the crack, you'll have to take the risk, disable NOD32 and add the crack to the antivirus exceptions so it doesn't detect it. However, as I said, it's a risk you'll be taking. Now, if you're absolutely sure the crack is "clean"... That's your call! I've already given my suggestion.

Otherwise, the log is clean, JulianoT.

NOTE: Stressing that this trojan (Win32/SdBot) that NOD32 detected is very dangerous and has a high infection level.

_____________________________________


luisednardo, please post a new HijackThis log.

_____________________________________


Alessandro Monteiro my friend, your logs are clean :)

Go to Start > Run, type combofix /u and click OK to remove the tool. Delete Lop SD if it's still there.
Disable and re-enable System Restore.

Any problems still, Alessandro?

_____________________________________


Hey brunobyof, your girlfriend's computer is indeed infected. Follow the instructions in the spoiler below:

- Download USBFix and save it to the desktop:

● Temporarily disable your antivirus;
● Double-click the program icon and install it by clicking (Suivant > Accept the agreement > Suivant > Suivant > Démarrer > Quitter);
● Double-click the USBFix icon created on the desktop to run it;
● Type option 2 and press Enter;
● Insert your pen drive, MP3 or MP4 player or any other removable media your girlfriend has into the PC's USB port(s) and click OK on the message. Your desktop will disappear and a black screen will appear. Your computer will restart automatically;
Keep the media plugged in. Do not remove it!
● When your computer is restarting, your desktop will not be shown and a black screen of the tool will appear doing a final check;
● When finished, Notepad will open with the log. The log will also be at C:\UsbFix.txt
● Close Notepad (clicking the X) to close the program as well.

NOTE: If after restarting the desktop shows only the wallpaper, without icons or bars, press Ctrl + Alt + Delete to open Task Manager. Click File > New Task (Run...), type: explorer.exe and click OK.
_____________________________________


Hey _Ado_, your log has four hidden entries. Let's check that out, my friend; follow the instruction below:

- Download RSIT and save it to your desktop;

● Double-click RSIT.exe to run the program;
● In the window that opens, click the Continue button so the tool starts running;
● When the tool finishes running, a log will open automatically in Notepad containing the scan result. Paste the contents of that log (log.txt) in your next reply;
● Also paste the contents of the info.txt file, which will be at C:\rsit\info.txt.
_____________________________________


Hello BrunoBsB, if you could post the Malwarebytes log here so we can take a look, I'd appreciate it, my friend. To do that, open the program and click "Logs". Open the most recent (last) file and post the report here.
Follow the instruction below, Bruno:

Run HijackThis and click Do a system scan only. Check the entries below in the log and click the Fix checked button

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Click Yes on the message and close the tool. If a folder called backups appears on the desktop or in C:, delete it.

Next:

Download OTListIt2 and save it to the desktop;

● Double-click OTListIt2.exe to run it;
● Check the options: Scan All Users and Minimal Output. Under "File Age" set the option to 90 Days;
● Click the Run Scan button (image: runscanbutton.png) and wait for the scan;
● Two logs will be generated in Notepad:

- OTListIt.txt <- this one will be opened
- Extra.txt <- this one will be minimized

Paste or attach them in your next reply, Bruno.
 

- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so it doesn't detect the tool as a virus;
● Double-click the combofix.exe icon to start the scan;
● Read the agreement that appears and click Yes to continue;
● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;
● Wait while ComboFix scans;
● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
Do not click on the ComboFix window and try not to use the keyboard either, so as not to disturb the tool's scan;
● If you want to exit or stop ComboFix, press N;
● When it finishes your computer will be restarted. After the restart, the tool will run again; wait;
● A log will be generated at C:\ComboFix.txt.

Paste this log in your next reply.
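As an added example (not code from this thread, from HijackThis or from any of the tools the helper recommends), a small Python triage pass over the HijackThis log format the posters are exchanging. It flags the kinds of entries the helpers single out in these logs: an autorun launching from C:\RECYCLER, a BHO whose DLL is gone, an ActiveX control pulled from a bare IP address, a service with no vendor string, and the legacy "Related" button the helper asks to fix. The sample log is constructed in that format; the SID, the all-zero CLSID and the IP address in it are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the HijackThis v2.0.2 format used in this thread.
# The SID, the all-zero CLSID and the 198.51.100.7 address are placeholders.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1000\vse432.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Class) - http://198.51.100.7:2584/activex/AMC.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # high / medium / low / info
    reason: str
    line: str


# An entry line starts with its section code: "O4 - ..." or "R1 - ..."
_ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# A download URL whose host is a dotted quad instead of a hostname
_IPV4_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)", re.I)
# Directories a legitimate autorun entry almost never launches from
_SUSPECT_DIRS = ("recycler", "recycled", "temp", "system volume information")


def triage_hjt_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis entry, or None if it looks routine."""
    line = line.rstrip()
    m = _ENTRY.match(line)
    if not m:
        return None                      # header, process list or blank line
    section, body = m.group(1), m.group(2)
    low = body.lower()
    if section == "O2" and low.endswith("(no file)"):
        return Finding(section, "low", "BHO registered but its DLL is missing (orphaned entry)", line)
    if section == "O4":
        for d in _SUSPECT_DIRS:
            if f"\\{d}\\" in low:
                return Finding(section, "high", f"autorun launches from a '{d}' directory", line)
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1]  # last field of a DPF entry is the download URL
        ip = _IPV4_URL.match(url)
        if ip:
            return Finding(section, "medium", f"ActiveX control downloaded from bare IP {ip.group(1)}", line)
    if section == "O23" and "unknown owner" in low:
        return Finding(section, "info", "service binary carries no vendor string", line)
    if section == "O9" and low.endswith("\\windows\\web\\related.htm"):
        return Finding(section, "low", "legacy IE 'Related Links' button (the helper has this one fixed)", line)
    return None


def triage_hjt_log(text: str) -> List[Finding]:
    """Run triage_hjt_line over a whole log; findings keep the log's order."""
    return [f for f in (triage_hjt_line(ln) for ln in text.splitlines()) if f]


def worst_severity(findings: List[Finding]) -> str:
    """Summarise a log by its most severe finding ("clean" when there is none)."""
    rank = {"high": 3, "medium": 2, "low": 1, "info": 0}
    return max((f.severity for f in findings), key=rank.__getitem__, default="clean")


if __name__ == "__main__":
    found = triage_hjt_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:>6}] {f.section}: {f.reason}\n         {f.line}")
    print("overall:", worst_severity(found))
```

The heuristics are deliberately narrow; an entry that passes them is not thereby clean, which is why the helpers still read the whole log by hand.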
 
Help, please.

Hey, I'm new to the forum and recently had some little problems with viruses.
I noticed that the speed of the PC and of the internet [loading YouTube and sites (never downloads)] dropped.
My DVD drive shows up in "My Computer" but when I insert a disc it doesn't read it; it simply shows up blank. I tested the drive on another PC and it's working. From a scan I ran I saw it might be a virus on drive F:.

I'm new to the forum and don't know the procedures. I read some earlier posts and saw some ComboFix and SDFix logs posted by users. I followed the mini-tutorial and ran both:

I don't know the command to insert a Spoiler; if you can post it later for me, I'll edit:

ComboFix:

ComboFix 09-05-02.4 - Felipe 03/05/2009 15:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2046.1677 [GMT -3:00]
Executando de: c:\documents and settings\Felipe\Desktop\ComboFix.exe
AV: Eset NOD32 sistema antivírus 2.51 *On-access scanning disabled* (Updated)
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\admintxt.txt
c:\windows\msnmsgrs.exe
c:\windows\system32\bikehizi.dll
c:\windows\system32\delahiru.dll
c:\windows\system32\drivers\ovfsthxyqxtkbsi.sys
c:\windows\system32\fegenope.dll
c:\windows\system32\feyajute.dll
c:\windows\system32\hemafovi.dll
c:\windows\system32\jopisado.exe
c:\windows\system32\kalahavi.exe
c:\windows\system32\kudegovu.dll
c:\windows\system32\lefikazi.dll
c:\windows\system32\ovfsthxdkinpbab.dat
c:\windows\system32\ovfsthxieqbvskq.dll
c:\windows\system32\ovfsthxrfwridww.dll
c:\windows\system32\ovfsthxrowxredp.dat
c:\windows\system32\ovfsthxtuedxwhp.dll
c:\windows\system32\pasugusa.dll
c:\windows\system32\pihenedo.dll
c:\windows\system32\pofokago.dll
c:\windows\system32\rasawofu.dll
c:\windows\system32\ruvekifo.dll
c:\windows\system32\sidenohe.dll
c:\windows\system32\suyetebo.dll
c:\windows\system32\vikuzeja.dll
c:\windows\system32\yotenodo.dll
c:\windows\system32\httounbu.dll . . . . falha na exclusão
c:\windows\system32\iscvluu.dll . . . . falha na exclusão

----- BITS: Sites possivelmente infetados -----

hxxp://62.4.83.201
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxykvxbqpu
-------\Legacy_JRQIAVDL
-------\Service_jrqiavdl


(((((((((((((((( Arquivos/Ficheiros criados de 2009-04-03 to 2009-05-03 ))))))))))))))))))))))))))))
.

2009-05-03 17:35 . 2009-05-03 17:35 -------- d-----w c:\windows\ERUNT
2009-05-03 17:21 . 2009-05-03 17:59 -------- d-----w C:\SDFix
2009-05-02 09:49 . 2009-05-02 09:49 -------- d-----w c:\arquivos de programas\Gpotato
2009-05-01 00:58 . 2009-05-01 00:58 -------- d-----w c:\arquivos de programas\MSN Messenger
2009-04-30 17:46 . 2009-04-30 17:46 -------- d-----w c:\documents and settings\Felipe\Dados de aplicativos\cfyelmyo
2009-04-30 17:46 . 2009-04-30 17:46 -------- d-----w c:\arquivos de programas\CCleaner
2009-04-30 17:25 . 2009-04-30 17:25 -------- d-----w c:\documents and settings\NetworkService\Dados de aplicativos\cfyelmyo
2009-04-29 22:46 . 2009-04-29 22:46 46642 --sh--r c:\windows\MicrosoftHosting.exe
2009-04-25 12:40 . 2009-04-25 12:53 -------- d-----w c:\documents and settings\Felipe\Dados de aplicativos\Tibia
2009-04-18 18:50 . 2009-04-19 19:19 -------- d-----w c:\windows\system32\pt-br
2009-04-17 16:54 . 2009-04-17 16:54 -------- d-----w c:\arquivos de programas\1.22
2009-04-16 00:09 . 2009-04-16 00:09 -------- d-----w C:\Nova pasta
2009-04-14 17:02 . 2009-04-14 17:03 -------- d-----w c:\documents and settings\Felipe\Dados de aplicativos\Braid
2009-04-14 16:48 . 2009-04-14 16:55 -------- d-----w c:\arquivos de programas\Braid
2009-04-11 00:51 . 2009-04-11 00:51 -------- d-----w c:\windows\system32\config\systemprofile\Dados de aplicativos\ATI
2009-04-09 02:18 . 2009-04-09 02:18 -------- d-----w c:\documents and settings\Felipe\Dados de aplicativos\ScummVM
2009-04-09 02:17 . 2009-04-09 11:23 -------- d-----w c:\arquivos de programas\ScummVM
2009-04-09 02:17 . 2009-04-09 02:17 -------- d-----r c:\arquivos de programas\comi

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 18:24 . 2008-11-27 18:49 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 18:21 . 2001-10-28 15:07 143872 ----a-w c:\windows\system32\httounbu.dll
2009-05-03 18:21 . 2001-10-28 15:07 103936 ----a-w c:\windows\system32\jsksdmf.dll
2009-05-03 01:46 . 2009-02-03 01:46 50688 --sha-w c:\windows\system32\moyofilu.exe
2009-05-02 23:40 . 2008-12-03 19:28 -------- d-----w c:\arquivos de programas\Garena
2009-05-02 02:09 . 2009-02-08 13:34 -------- d-----w c:\arquivos de programas\Free Download Manager
2009-05-01 00:47 . 2009-02-01 00:47 50688 --sha-w c:\windows\system32\lasobemo.exe
2009-04-30 17:33 . 2009-01-26 22:53 -------- d-----w c:\arquivos de programas\DivX
2009-04-30 16:56 . 2009-01-23 01:25 -------- d-----w c:\arquivos de programas\OnGame
2009-04-30 16:45 . 2009-03-28 22:15 -------- d-----w c:\arquivos de programas\Dofus
2009-04-28 12:22 . 2009-01-28 12:21 49664 --sha-w c:\windows\system32\votojoye.dll
2009-04-28 00:21 . 2009-01-28 00:21 50688 --sha-w c:\windows\system32\yawikofe.exe
2009-04-20 22:09 . 2001-10-28 15:07 76460 ----a-w c:\windows\system32\perfc016.dat
2009-04-20 22:09 . 2001-10-28 15:07 463806 ----a-w c:\windows\system32\perfh016.dat
2009-04-20 00:38 . 2009-01-22 15:18 -------- d-----w c:\arquivos de programas\Steam
2009-04-17 16:55 . 2009-03-16 16:29 -------- d-----w c:\arquivos de programas\AGEIA Technologies
2009-04-01 01:05 . 2009-04-01 01:05 -------- d-----w c:\arquivos de programas\Windows Media Connect 2
2009-03-17 22:27 . 2009-02-03 13:52 -------- d-----w c:\arquivos de programas\QuickTime Alternative
2009-03-16 16:32 . 2009-03-16 16:32 -------- d-----w c:\arquivos de programas\EA Games
2009-03-16 16:29 . 2009-01-17 02:12 -------- d-----w c:\arquivos de programas\Arquivos comuns\Wise Installation Wizard
2009-03-16 16:24 . 2009-03-16 16:24 -------- d-----w c:\arquivos de programas\Arquivos comuns\Windows Live
2009-03-08 23:25 . 2009-03-08 23:22 -------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe
2009-03-08 23:23 . 2009-03-08 23:23 -------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe Systems Shared
2009-03-08 19:38 . 2009-03-08 19:38 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-03-07 13:54 . 2009-03-07 13:54 -------- d-----w c:\arquivos de programas\Circle Development
2009-03-06 14:46 . 2004-08-04 03:45 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:06 . 2004-08-04 03:45 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:11 . 2004-08-04 03:45 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:17 . 2004-08-04 03:38 1846400 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:50 . 2004-08-04 00:40 2019840 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:50 . 2004-08-04 03:40 2140160 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 10:19 . 2004-08-04 03:45 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:19 . 2004-08-04 03:45 726016 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:19 . 2004-08-04 03:45 683008 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 03:45 730624 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:08 . 2004-08-04 03:45 111104 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-10-28 15:07 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 20:10 . 2004-08-04 03:45 55808 ----a-w c:\windows\system32\secur32.dll
2009-01-28 12:22 . 2009-01-28 12:22 49664 --sha-w c:\windows\system32\gezonawo.dll
2009-01-28 12:22 . 2009-01-28 12:22 49664 --sha-w c:\windows\system32\kolayela.dll
2009-01-28 12:22 . 2009-01-28 12:22 49664 --sha-w c:\windows\system32\vowayore.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F65409F-2BA5-4B6B-A3E3-8DFDE16C87B6}]
2009-05-03 18:21 143872 ----a-w c:\windows\system32\httounbu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BDC683C-2949-4E13-931A-9B69A3065074}]
2009-05-03 18:21 143872 ----a-w c:\windows\system32\httounbu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c976976c-5263-4aa9-8c45-c05d1d343a4a}]
2009-01-28 12:22 49664 --sha-w c:\windows\system32\vowayore.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F28129A2-0D74-4101-9BFE-891F7101D495}]
2001-10-28 15:07 103936 ----a-w c:\windows\system32\iscvluu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\arquivos de programas\Eset\nod32kui.exe" [2008-11-27 921600]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.5.0\bin\jusched.exe" [2008-12-04 36972]
"StartCCC"="c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"simutiroki"="c:\windows\system32\gezonawo.dll" [2009-01-28 49664]
"Microsoft Windows Hosting Service"="MicrosoftHosting.exe" - c:\windows\MicrosoftHosting.exe [2009-04-29 46642]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\recycler\S-1-5-21-8275870238-2721109305-232497608-3086\nissan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\kolayela.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\kolayela.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Felipe^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]
path=c:\documents and settings\Felipe\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Arquivos de programas\\Ares\\Ares.exe"=
"c:\\Archivos de Programa\\Garena\\Garena.exe"=
"c:\\Arquivos de programas\\Garena\\Garena.exe"=
"c:\\Level Up! Games\\Grand Chase Season 2\\main.exe"=
"c:\\Arquivos de programas\\Eset\\nod32krn.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45447:TCP"= 45447:TCP:mad:xpsp2res.dll,-22009
"61825:TCP"= 61825:TCP:mad:xpsp2res.dll,-22009
"23459:TCP"= 23459:TCP:mad:xpsp2res.dll,-22009
"53135:TCP"= 53135:TCP:mad:xpsp2res.dll,-22009
"24243:TCP"= 24243:TCP:mad:xpsp2res.dll,-22009
"46259:TCP"= 46259:TCP:mad:xpsp2res.dll,-22009
"45461:TCP"= 45461:TCP:mad:xpsp2res.dll,-22009
"41107:TCP"= 41107:TCP:mad:xpsp2res.dll,-22009
"45641:TCP"= 45641:TCP:mad:xpsp2res.dll,-22009
"33664:TCP"= 33664:TCP:mad:xpsp2res.dll,-22009
"21890:TCP"= 21890:TCP:mad:xpsp2res.dll,-22009
"42574:TCP"= 42574:TCP:mad:xpsp2res.dll,-22009
"35984:TCP"= 35984:TCP:mad:xpsp2res.dll,-22009
"40330:TCP"= 40330:TCP:mad:xpsp2res.dll,-22009
"11953:TCP"= 11953:TCP:mad:xpsp2res.dll,-22009
"50866:TCP"= 50866:TCP:mad:xpsp2res.dll,-22009
"35211:TCP"= 35211:TCP:mad:xpsp2res.dll,-22009
"61846:TCP"= 61846:TCP:mad:xpsp2res.dll,-22009
"40527:TCP"= 40527:TCP:mad:xpsp2res.dll,-22009
"38795:TCP"= 38795:TCP:mad:xpsp2res.dll,-22009
"60049:TCP"= 60049:TCP:mad:xpsp2res.dll,-22009

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-12 2777850]
S0 wdfsokng;wdfsokng;c:\windows\system32\drivers\wdfsokng.sys [2001-10-28 23424]

.
- - - - ORFÃOS REMOVIDOS - - - -

HKLM-Run-Emurayden PSX Emulator - (no file)
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\suyetebo.dll


.
------- Scan Suplementar -------
.
uStart Page = www.emurayden.net
IE: Baixar com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dllink.htm
IE: Baixar tudo com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlall.htm
IE: Baixar vídeo com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlfvideo.htm
IE: Download selecionado pelo Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlselected.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Felipe\Dados de aplicativos\Mozilla\Firefox\Profiles\4w2nqmwq.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\arquivos de programas\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\arquivos de programas\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\arquivos de programas\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\arquivos de programas\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\arquivos de programas\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\arquivos de programas\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\arquivos de programas\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\arquivos de programas\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 15:25
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-606747145-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,32,00,2c,d3,d2,37,02,84,98,1f,84,9a,74,43,fc,2f,28,6c,71,e6,23,57,
87,c3,50,c6,9d,6d,2e,10,76,6f,a7,e1,fe,4d,19,52,7a,6a,b3,97,df,d8,cf,07,f9,\
"??"=hex:68,49,1c,af,7e,66,e2,46,46,b2,59,10,97,f2,42,9f

[HKEY_USERS\S-1-5-21-602162358-606747145-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:7f,e6,f0,dc,83,68,bb,af,23,e7,52,f1,ff,44,b0,e6,de,cf,b2,27,95,
e4,4e,ce,5f,b4,d1,87,bb,c8,e5,a4,17,52,71,93,7e,36,e6,7b,f5,ba,1b,66,a3,88,\
"rkeysecu"=hex:fd,7b,03,8f,ef,73,f0,92,d1,4f,0d,5d,41,cb,80,96
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\imon.dll
c:\arquivos de programas\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(3760)
c:\windows\system32\kolayela.dll
c:\windows\system32\gezonawo.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\arquivos de programas\Eset\nod32krn.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-05-03 15:28 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-05-03 18:28

Pré-execução: 21 pasta(s) 69.970.276.352 bytes disponíveis
Pós execução: 21 pasta(s) 70.893.465.600 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

270 --- E O F --- 2009-04-19 19:19


SDFix:


SDFix: Version 1.240
Run by Administrador on dom 03/05/2009 at 14:39

Microsoft Windows XP [versão 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\admintxt.txt - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 14:59:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 1381
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 1381
disk error: C:\Documents and Settings\Felipe\ntuser.dat, 1381
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Arquivos de programas\\Ares\\Ares.exe"="C:\\Arquivos de programas\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Archivos de Programa\\Garena\\Garena.exe"="C:\\Archivos de Programa\\Garena\\Garena.exe:*:Enabled:Garena"
"C:\\Arquivos de programas\\Garena\\Garena.exe"="C:\\Arquivos de programas\\Garena\\Garena.exe:*:Enabled:Garena"
"C:\\Level Up! Games\\Grand Chase Season 2\\main.exe"="C:\\Level Up! Games\\Grand Chase Season 2\\main.exe:*:Enabled:GrandChase"
"C:\\Arquivos de programas\\Free Download Manager\\fdm.exe"="C:\\Arquivos de programas\\Free Download Manager\\fdm.exe:*:Enabled:Free Download Manager"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Arquivos de programas\\Eset\\nod32krn.exe"="C:\\Arquivos de programas\\Eset\\nod32krn.exe:*:Enabled:nod32krn"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:lsass"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 28 Mar 2009 2,014,141 A..H. --- "C:\Downloads\emurayden.zip"
Fri 1 May 2009 735,048,244 A..H. --- "C:\Downloads\FlyffUsaSetup_X-Fire_v12.zip"
Wed 4 Mar 2009 18,509,599 A..H. --- "C:\Downloads\SFIV_TM_SE_02252009_SML.pdf.zip"
Wed 29 Apr 2009 46,642 ..SHR --- "C:\WINDOWS\MicrosoftHosting.exe"
Mon 27 Apr 2009 37,938 ..SHR --- "C:\WINDOWS\msnmsgrs.exe"
Fri 1 May 2009 733,071,233 A..H. --- "C:\Downloads\Software\FlyffUsaSetup_v12.exe"
Fri 1 May 2009 733,071,233 A..H. --- "C:\Downloads\Software\FlyffUsaSetup_v12(1).exe"
Tue 17 Feb 2009 33,362,592 A..H. --- "C:\Downloads\Software\Nokia_PC_Suite_7_1_17_4_por_br_web.exe"
Sat 2 May 2009 106,496 ..SHR --- "C:\RECYCLER\S-1-5-21-8275870238-2721109305-232497608-3086\nissan.exe"
Wed 29 Apr 2009 87,040 A.SH. --- "C:\WINDOWS\system32\delahiru.dll"
Tue 28 Apr 2009 88,064 A.SH. --- "C:\WINDOWS\system32\fegenope.dll"
Thu 30 Apr 2009 87,040 A.SH. --- "C:\WINDOWS\system32\feyajute.dll"
Wed 28 Jan 2009 49,664 A.SH. --- "C:\WINDOWS\system32\gezonawo.dll"
Thu 30 Apr 2009 88,576 A.SH. --- "C:\WINDOWS\system32\hemafovi.dll"
Mon 27 Apr 2009 383 ..SH. --- "C:\WINDOWS\system32\jopisado.exe"
Thu 30 Apr 2009 52,224 A.SH. --- "C:\WINDOWS\system32\kalahavi.exe"
Wed 28 Jan 2009 49,664 A.SH. --- "C:\WINDOWS\system32\kolayela.dll"
Fri 1 May 2009 88,576 A.SH. --- "C:\WINDOWS\system32\kudegovu.dll"
Thu 30 Apr 2009 50,688 A.SH. --- "C:\WINDOWS\system32\lasobemo.exe"
Sat 2 May 2009 50,688 A.SH. --- "C:\WINDOWS\system32\moyofilu.exe"
Sun 3 May 2009 79,360 A.SH. --- "C:\WINDOWS\system32\pasugusa.dll"
Tue 28 Apr 2009 88,576 A.SH. --- "C:\WINDOWS\system32\pihenedo.dll"
Sat 2 May 2009 88,064 A.SH. --- "C:\WINDOWS\system32\pofokago.dll"
Tue 27 Jan 2009 86,016 A.SH. --- "C:\WINDOWS\system32\ruvekifo.dll"
Sun 3 May 2009 87,552 A.SH. --- "C:\WINDOWS\system32\suyetebo.dll"
Sat 2 May 2009 87,552 A.SH. --- "C:\WINDOWS\system32\vikuzeja.dll"
Tue 28 Apr 2009 49,664 A.SH. --- "C:\WINDOWS\system32\votojoye.dll"
Wed 28 Jan 2009 49,664 A.SH. --- "C:\WINDOWS\system32\vowayore.dll"
Mon 27 Apr 2009 50,688 A.SH. --- "C:\WINDOWS\system32\yawikofe.exe"
Fri 1 May 2009 88,576 A.SH. --- "C:\WINDOWS\system32\yotenodo.dll"
Thu 5 Mar 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 7 Jan 2000 20 A..H. --- "C:\Arquivos de programas\Maxis\The Sims\The Sims (E)\00000001.TMP"
Fri 7 Jan 2000 6,784 A..H. --- "C:\Arquivos de programas\Maxis\The Sims\The Sims (E)\clcd16.dll"
Fri 7 Jan 2000 27,648 A..H. --- "C:\Arquivos de programas\Maxis\The Sims\The Sims (E)\clcd32.dll"
Fri 7 Jan 2000 177,152 A..H. --- "C:\Arquivos de programas\Maxis\The Sims\The Sims (E)\clokspl.exe"
Fri 7 Jan 2000 172,544 A..H. --- "C:\Arquivos de programas\Maxis\The Sims\The Sims (E)\dplayerx.dll"
Fri 7 Jan 2000 31,744 A..H. --- "C:\Arquivos de programas\Maxis\The Sims\The Sims (E)\drvmgt.dll"
Fri 7 Jan 2000 10,848 A..H. --- "C:\Arquivos de programas\Maxis\The Sims\The Sims (E)\secdrv.sys"
Tue 31 Mar 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 3 Dec 2008 1,332 A..HR --- "C:\Documents and Settings\Felipe\Dados de aplicativos\SecuROM\UserData\securom_v7_01.bak"
Thu 5 Mar 2009 4,348 ...H. --- "C:\Documents and Settings\Felipe\Meus documentos\Minhas músicas\Backup de Licença\drmv1key.bak"
Thu 5 Mar 2009 20 A..H. --- "C:\Documents and Settings\Felipe\Meus documentos\Minhas músicas\Backup de Licença\drmv1lic.bak"
Thu 5 Mar 2009 312 ...H. --- "C:\Documents and Settings\Felipe\Meus documentos\Minhas músicas\Backup de Licença\drmv2key.bak"
Thu 5 Mar 2009 1,536 A..H. --- "C:\Documents and Settings\Felipe\Meus documentos\Minhas músicas\Backup de Licença\drmv2lic.bak"

Finished!

Here is an image of the scans from my NOD32:

virus.jpg



If it helps, I have here some files that ComboFix told me it would be important to note down for later use. Here they are:

C:\windows\system32\drivers\ovfsthxyrxtkbsi.sys
C:\windows\system32\ovfsthxtuedxwhp.dll
C:\windows\system32\ovfsthxdkinpbab.dat
C:\windows\system32\ovfsthxrfwridww.dll
C:\windows\system32\ovfsthxiebuskq.dll
C:\windows\system32\ovfsthxrowxredp.dat

If you can help me, I'd appreciate it. And congratulations on your work!
Could you tell me whether it's very serious ^^"?
 
- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so that it does not detect the tool as a virus;
● Double-click the combofix.exe icon to start the scan;
● Read the agreement that appears and click Yes to continue;
● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;
● Wait while ComboFix runs its scan;
● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
Do not click on the ComboFix window, and try not to use the keyboard either, so as not to interfere with the tool's scan;
● If you want to exit or stop ComboFix, press N;
● When it finishes, your PC will be restarted. After the restart, the tool will run again; wait for it;
● A log will be generated at C:\ComboFix.txt.

Paste this log in your next reply.

It didn't work, man. Now I'm installing Windows again; I can't restart the PC or I have to repeat the installation. ComboFix restarted the PC, so there's no way for me to get in here in Safe Mode (Safe Mode has no wireless support).

I'm posting from my mom's notebook. If there's another solution that doesn't involve restarting the PC, I'd appreciate it...

[]'s
 
Hello Felipoison, welcome to the forum!

You are infected with the Vundo/Virtumonde adware. Removing it really is a bit of a pain. Follow the instructions in the spoiler below:

Select and copy the text below. Paste it into Notepad on the PC and save it to the desktop as CFScript.txt

Code:
KILLALL::

Folder::
C:\SDFix
c:\documents and settings\Felipe\Dados de aplicativos\cfyelmyo
c:\documents and settings\NetworkService\Dados de aplicativos\cfyelmyo
File::
c:\windows\MicrosoftHosting.exe
c:\windows\system32\httounbu.dll
c:\windows\system32\jsksdmf.dll
c:\windows\system32\moyofilu.exe
c:\windows\system32\lasobemo.exe
c:\windows\system32\votojoye.dll
c:\windows\system32\yawikofe.exe
c:\windows\system32\ezsidmv.dat
c:\windows\system32\gezonawo.dll
c:\windows\system32\kolayela.dll
c:\windows\system32\vowayore.dll
c:\windows\system32\iscvluu.dll
c:\recycler\S-1-5-21-8275870238-2721109305-232497608-3086\nissan.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F65409F-2BA5-4B6B-A3E3-8DFDE16C87B6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BDC683C-2949-4E13-931A-9B69A3065074}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c976976c-5263-4aa9-8c45-c05d1d343a4a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F28129A2-0D74-4101-9BFE-891F7101D495}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"simutiroki"=-
"Microsoft Windows Hosting Service"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"LoadAppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=-
Firefox::
FF - ProfilePath - c:\documents and settings\Felipe\Dados de aplicativos\Mozilla\Firefox\Profiles\4w2nqmwq.default\
Drag CFScript onto ComboFix as shown in the image below and wait for the tool to run automatically:

CFScript.gif


● If prompted, press Enter to start the removal process;
Do not use the mouse or the keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may restart automatically. If it does not, restart it manually.

In your next reply, paste ComboFix.txt and a HijackThis log.
If it helps, I have here some files that ComboFix told me it would be important to note down for later use. Here they are:

C:\windows\system32\drivers\ovfsthxyrxtkbsi.sys
C:\windows\system32\ovfsthxtuedxwhp.dll
C:\windows\system32\ovfsthxdkinpbab.dat
C:\windows\system32\ovfsthxrfwridww.dll
C:\windows\system32\ovfsthxiebuskq.dll
C:\windows\system32\ovfsthxrowxredp.dat
Felipoison, I didn't understand that bit about "ComboFix telling you" it would be important to note down these files.
 
I think I found the virus, but I can't delete it or remove it from the processes...
Here is where I found it and the names:

314ct2f.jpg

http://i39.tinypic.com/314ct2f.jpg

I'm using a-squared HiJackFree, but when I delete it from the processes it comes back, and there are 2 of them...

edit:
and it keeps adding more:
eq1i6a.jpg

http://i44.tinypic.com/eq1i6a.jpg

What can I do?

[]'s
 
I'm getting lots of errors. Could something be wrong?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:11, on 03/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9BE2DB0F-2DE2-4C2B-B502-8F3C5C7ABA39} - C:\Windows\system32\efCUoPJc.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O13 - Gopher Prefix:
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RealtekUSB - Realtek - C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtlService.exe

--
End of file - 3658 bytes
 
There's the HijackThis log as you asked, Mr Wolf,
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:36, on 4/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Save\Save.exe
C:\Documents and Settings\Pedro\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\7225D3\FDF101.EXE
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Photodex\ProShowGold\ScsiAccess.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
c:\arquivos de programas\arquivos comuns\installshield\updateservice\isuspm.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Windows Live\Toolbar\wltuser.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Arquivos de programas\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\WINDOWS\BricoPacks\LeopardXP\FindeXer.dll (file missing)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fssui] "C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [FDF101] C:\WINDOWS\system32\7225D3\FDF101.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WhenUSave] "C:\Arquivos de programas\Save\Save.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pedro\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\7225D3\FDF101.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Arquivos de programas\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9934 bytes
 
