Virus removal

Hi Mr. Wolf, how are you?

I'd like your help with the following: I need to install an antivirus on my PC and I'm torn between Avast and Norton 360. Which one should I install? If you can help me, I'd appreciate it.

Thanks.
 
There's a Banker spyware that I try to take action on with Avira, but it always shows up again. HijackThis can't detect it. What do I do?
 
Hello Mr. Wolf, I have a question: every time I start the computer the following screen appears. What does it mean?

And here's the ComboFix log:
ComboFix 09-08-30.04 - Nóis Todos 31/08/2009 9:56.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.223.96 [GMT -3:00]
Executando de: c:\documents and settings\Nóis Todos\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1993962763-1645522239-1177238915-1003(2)
c:\windows\Installer\157ebb4.msi
c:\windows\Installer\a7251.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


(((((((((((((((( Arquivos/Ficheiros criados de 2009-07-28 to 2009-08-31 ))))))))))))))))))))))))))))
.

2009-08-31 12:44 . 2009-08-31 12:44 9728 ----a-w- c:\windows\system32\drivers\npfs64.sys
2009-08-27 20:34 . 2003-06-19 04:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2009-08-27 20:32 . 2009-08-27 20:32 -------- d-----w- c:\arquivos de programas\Microsoft.NET
2009-08-27 20:27 . 2009-08-27 20:27 -------- d--h--r- C:\MSOCache
2009-08-27 14:48 . 2009-08-27 14:48 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-27 14:48 . 2009-08-27 20:32 -------- d-----w- c:\windows\ShellNew
2009-08-27 13:27 . 2009-08-27 14:46 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Yahoo! Companion
2009-08-27 13:26 . 2009-08-27 14:46 -------- d-----w- c:\arquivos de programas\Yahoo!
2009-08-27 12:17 . 2009-08-27 14:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-08-12 17:48 . 2009-08-12 17:48 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-08-12 17:48 . 2009-08-12 17:48 578560 ----a-w- c:\windows\system32\gbiehcef.dll
2009-08-12 16:58 . 2009-08-12 17:00 2600960 ----a-w- c:\windows\system32\msvfw64.dll
2009-08-04 17:51 . 2009-07-03 16:59 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-04 17:51 . 2009-07-03 16:59 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-04 13:09 . 2007-01-08 17:13 603136 ----a-w- c:\windows\luninstall.exe
2009-08-04 13:09 . 2007-10-09 12:09 1640960 ----a-w- c:\windows\lhelp.exe
2009-08-03 15:44 . 2009-08-04 13:09 -------- d-----w- c:\arquivos de programas\Oi Velox

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 12:46 . 2008-04-14 12:00 48846 ----a-w- c:\windows\system32\perfc016.dat
2009-08-31 12:46 . 2008-04-14 12:00 344734 ----a-w- c:\windows\system32\perfh016.dat
2009-08-27 19:15 . 2009-06-30 23:40 -------- d-----w- c:\arquivos de programas\eMule
2009-08-27 16:24 . 2009-07-01 14:36 -------- d-----w- c:\arquivos de programas\Total Video Converter
2009-08-18 14:05 . 2009-08-18 14:02 2600960 ----a-w- c:\windows\system32\msvfw64.tmp
2009-08-05 15:47 . 2009-06-30 14:49 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:00 . 2008-04-14 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 17:02 . 2009-07-30 17:01 -------- d-----w- c:\arquivos de programas\Philips
2009-07-30 17:02 . 2009-07-30 17:01 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-07-20 17:32 . 2009-06-30 14:53 -------- d-----w- c:\arquivos de programas\The KMPlayer
2009-07-17 19:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 15:21 . 2008-04-14 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 15:12 . 2009-06-30 16:19 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2009-07-10 22:36 . 2009-07-10 22:36 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HPSSUPPLY
2009-07-10 02:45 . 2009-07-10 02:45 -------- d-----w- c:\arquivos de programas\MSXML 4.0
2009-07-09 23:38 . 2009-07-09 22:50 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HP
2009-07-09 23:05 . 2009-07-09 23:05 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\WEBREG
2009-07-09 22:59 . 2009-07-09 21:24 167986 ----a-w- c:\windows\hpoins28.dat
2009-07-09 22:50 . 2009-07-09 22:50 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HP Product Assistant
2009-07-09 22:50 . 2009-07-09 22:48 -------- d-----w- c:\arquivos de programas\HP
2009-07-09 22:50 . 2009-07-09 22:50 -------- d-----w- c:\arquivos de programas\Hewlett-Packard
2009-07-09 22:50 . 2009-07-09 22:50 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Hewlett-Packard
2009-07-09 22:49 . 2009-07-09 22:49 -------- d-----w- c:\arquivos de programas\Arquivos comuns\HP
2009-07-09 21:24 . 2009-07-09 21:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hewlett-Packard
2009-07-09 15:52 . 2009-07-09 15:52 -------- d-----w- c:\arquivos de programas\MsoSetup
2009-07-08 17:36 . 2009-07-08 17:36 -------- d-----w- c:\arquivos de programas\Sony Ericsson
2009-07-08 16:56 . 2009-07-08 16:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-08 16:56 . 2009-07-08 16:56 -------- d-----w- c:\arquivos de programas\Java
2009-07-06 13:36 . 2009-07-06 13:36 -------- d-----w- c:\arquivos de programas\Programas RFB
2009-07-05 14:53 . 2009-07-05 14:53 -------- d-----w- c:\arquivos de programas\WinAVI Video Converter
2009-07-03 16:59 . 2008-04-14 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 14:11 . 2009-07-03 14:11 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Ahead
2009-07-03 14:11 . 2009-07-03 14:11 -------- d-----w- c:\arquivos de programas\Nero
2009-07-02 16:22 . 2009-07-02 16:22 -------- d-----w- c:\arquivos de programas\Sony Setup
2009-06-30 15:20 . 2009-06-30 14:49 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-30 15:03 . 2009-06-30 14:25 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-30 14:21 . 2009-06-30 14:21 21844 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-25 08:27 . 2008-04-14 12:00 732672 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:27 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-23 09:22 . 2009-07-01 13:37 24893616 ----a-w- C:\AdbeRdr910_pt_BR.exe
2009-06-16 14:39 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:39 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 10:44 . 2008-04-14 12:00 77824 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:44 . 2008-04-14 12:00 81408 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-10 14:14 . 2008-04-14 12:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 12:21 . 2009-06-30 14:20 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:15 . 2008-04-14 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-04 12:19 . 2009-06-04 12:19 577536 ----a-w- c:\windows\system32\CriticasCalculo.dll
2009-06-03 19:10 . 2008-04-14 12:00 1295872 ----a-w- c:\windows\system32\quartz.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB17AC18-365F-4B5C-B506-92896D1B8DE6}]
2009-08-12 17:00 2600960 ----a-w- c:\windows\system32\msvfw64.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"*Microsoft Video For Windows 64 bits"="msvfw64.dll" - c:\windows\system32\msvfw64.dll [2009-08-12 2600960]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Microsoft Video For Windows 64 bits"="msvfw64.dll" - c:\windows\system32\msvfw64.dll [2009-08-12 2600960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"desp2k"="c:\arquivos de programas\Oi Velox\Manager\desp2k.exe" [2006-08-03 65536]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"*Microsoft Video For Windows 64 bits"="msvfw64.dll" - c:\windows\system32\msvfw64.dll [2009-08-12 2600960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Microsoft Video For Windows 64 bits"="msvfw64.dll" - c:\windows\system32\msvfw64.dll [2009-08-12 2600960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"*Microsoft Video For Windows 64 bits"="msvfw64.dll" - c:\windows\system32\msvfw64.dll [2009-08-12 2600960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*Microsoft Video For Windows 64 bits"="msvfw64.dll" - c:\windows\system32\msvfw64.dll [2009-08-12 2600960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\windows\system32\gbiehcef.dll" [2009-08-12 578560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AabiWin]
2009-08-12 17:00 2600960 ----a-w- c:\windows\system32\msvfw64.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Philips SA30XX Device Manager.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Philips SA30XX Device Manager.lnk
backup=c:\windows\pss\Philips SA30XX Device Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 npfs64;npfs64;c:\windows\system32\drivers\npfs64.sys [31/08/2009 09:44 9728]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [30/06/2009 11:49 108289]
R2 cmpe;Context Manager Process Extension;c:\windows\system32\cmpe.exe [26/02/2007 10:11 61440]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/06/2002 00:09 31232]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\fprnmn.sys --> c:\windows\system32\drivers\fprnmn.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Conteúdo da pasta 'Tarefas Agendadas'
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.ceara.gov.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-08-31 10:05
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\msvfw64.dll
c:\windows\system32\gbiehcef.dll

- - - - - - - > 'explorer.exe'(912)
c:\windows\system32\WININET.dll
c:\windows\system32\gbiehcef.dll
c:\windows\system32\webcheck.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-08-31 10:14 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-08-31 13:14

Pré-execução: 6 pasta(s) 42.853.715.968 bytes disponíveis
Pós execução: 6 pasta(s) 43.238.883.328 bytes disponíveis

211 --- E O F --- 2009-08-28 18:04
 
This is the trojan. I've already tried deleting, renaming, and moving it to quarantine.
NOTHING WORKS!
 

Attachments

  • Banker persistente.jpg (105.8 KB)
Virus in IE??

Hi Mr. Wolf, it's been a good while since I last came to try your patience hehehheheh, but this time I don't think there's any way out. I'm sure my PC is full of viruses, because since yesterday, every time I open IE, Avira beeps and reports: C:\Program Files\GB Plugin\gbieh.dll - TR\Spy.Banker.ABXA.1 Trojan
Then I send it to quarantine, but when I open other new pages it reports the same thing... In Mozilla this doesn't happen, only with IE...
Here's the log for your "holy" analysis...
Kisses

See attachment hijackthis1.txt
 
Hello Mr. Wolf...

I think I've caught some virus... or some viruseS...

Every so often a screen from Avira Antivirus pops up detecting some virus...

I've already tried everything... deleting, ignoring, nothing works...

That screen has appeared more than 20 times... what do I do...

I'm sending you the HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:59, on 31/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\servises.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\WINDOWS\system32\servises.exe
C:\WINDOWS\system32\servises.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\servises.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Arquivos de programas\Arquivos comuns\InterVideo\DeviceService\DevSvc.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Rainlendar2] C:\Arquivos de programas\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {31CB2F01-72C2-4CF4-B265-450E8817B039} (Toontown IE Helper Portuguese) - http://idownload.br.toontown.com/sv1.4.14.8/ttinst-portuguese.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img4.orkut.com/activex/10036/photouploader.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF32D210-948A-4A63-BD02-8938A15D4750}: NameServer = 200.225.197.34 200.225.197.37
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Arquivos de programas\Arquivos comuns\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

--
End of file - 9019 bytes



Cheers!!!!
 
Good afternoon Mr Wolf.
Thanks for the reply, but I had to act urgently and had to do a restore with Ghost, and it went back to working normally.
I'm leaving the new log below, and if you could tell me whether everything is OK now, I'd appreciate it.
Could you give me an explanation (even a superficial one) of how these viruses cut the network connection? It simply wouldn't get an external IP, and later it cut internal communication as well.
Many thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:43, on 28/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Arquivos De Programas\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\Utilitários\Ghost12\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Real Internet Empresa\Offline\BIN\RealWebServer.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Real Internet Empresa\Offline\BIN\ServAppWin.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Utilitários\Ghost12\Agent\VProTray.exe
C:\Arquivos De Programas\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\mysql\bin\winmysqladmin.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CMD.exe
C:\WINDOWS\system32\ping.exe
G:\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_1.dll
O4 - HKLM\..\Run: [WEBSERVER] "C:\Arquivos de programas\Real Internet Empresa\Offline\BIN\RealWebServer.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SERVAPP] "C:\Arquivos de programas\Real Internet Empresa\Offline\BIN\ServAppWin.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Utilitários\Ghost12\Agent\VProTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Arquivos De Programas\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZL.EXE /FU "C:\WINDOWS\TEMP\E_S226.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/
O16 - DPF: {B3D3825B-2120-4B0E-8C45-80ECC1D3E70D} (GeraCert Class) - https://bradesconetempresa.com.br/ne/CA.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CS3\Services\Tcpip\..\{53E96D73-CF1B-4089-B281-64099238198C}: NameServer = 200.204.0.10 200.204.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Arquivos De Programas\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Utilitários\Ghost12\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 12117 bytes
 
Hello everyone, good afternoon! I'll reply to everyone in this same post, OK? I'll go in posting order.


Hey tosko my friend, your log is clean. There is a hidden entry in your log, but it belongs to ObjectDock, so nothing more to worry about.

Ideally you would post a current log, tosko, since the log you quoted is from 26/08. But it's up to you.

_____________________________________


Hi pie†ro, I'm doing fine too.

It's strange that this error occurred with DDS, because it is compatible with Vista. But it was surely because of the SP2 you have installed there. Some tools are being modified because they generate errors when run on Vista SP2, and DDS is one of them.

You can delete DDS and follow these instructions below then, pie†ro:

- Download RSIT and save it to your desktop;

● Double-click RSIT.exe to run the program;
● In the window that opens, click the Continue button so the tool starts running;
● When the tool finishes running, a log containing the scan result will open automatically in Notepad. Paste the contents of that log (log.txt) in your next reply;
● Also paste the contents of the info.txt file, which will be at C:\rsit\info.txt.
_____________________________________


Tiagoquiroga, thanks for the kind words, my friend. :)

The RSIT log.txt is incomplete. Please post it in full.

_____________________________________


Hi Juliano, I'm fine, and you?

Your log is clean, Juliano. Any problem?

_____________________________________


Hey Artsimoes, all good. The firewall problem is not being caused by a virus. Follow the procedure below:

Open Notepad and paste the text below into it:

Code:
REGEDIT4

; Turn the Windows Firewall back on for both profiles (REG_DWORD 1 = enabled)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"=dword:00000001
Save it on the desktop as Fix.reg and double-click the file. Click Yes on the prompt.

Restart the PC and see whether the firewall gets enabled.

Also run a Kaspersky scan following the tutorial below and post the final report in your next reply:

http://www.linhadefensiva.org/forum/index.php?showtopic=74159
_____________________________________


palma, we have a huge problem there. I recommend you install a firewall immediately and, if you have a network set up there, disconnect the computer from it. Follow the steps below, palma:

Step 1

- Download Lop SD and save it to the desktop;

● Double-click Lop SD. In the window that opens, press the P key and hit Enter;
● On the next screen press the number 2 and hit Enter;
● Your screen will flicker. That is normal. Wait until a report is generated. It will be at C:\LopR.txt.


Step 2

- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so it does not detect the tool as a virus;
● Double-click the combofix.exe icon to start the scan;
● Read the agreement that appears and click Yes to continue;
● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;
● Wait while ComboFix scans;
● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
Do not click in the ComboFix window and try not to use the keyboard either, so as not to disturb the tool's scan;
● If you want to quit or stop ComboFix, press N;
● When it finishes, your machine will restart. After the restart, the tool will run again; wait;
● A log will be generated at C:\ComboFix.txt.

Post the Lop SD and ComboFix logs in your next reply.
_____________________________________


luisednardo, this problem really is strange. I have never seen anything like it, so far. And mind you, I work with many servers and clients that use Word, Excel, PowerPoint, Access... I use them a lot myself.

But one question, luisednardo: does this problem occur only with the files you mentioned? Or does it happen with any file?

_____________________________________


Hi qeuzinha, between Norton 360 and Avast!, I would definitely go with Norton.

But if you'll take an opinion, qeuzinha, since you are able to go for a paid Symantec version (the company that makes Norton), I would choose Norton 2009, which is excellent and much better than Norton 360.
Now, if you prefer a free option, I would without any doubt pick Avira AntiVir over Avast!.

_____________________________________


karolz, which screen is appearing?!

Follow the steps below:

Select and copy the text below. Paste it into Notepad and save it on the desktop as CFScript.txt

Code:
Driver::
npfs64
abp470n5
File::
c:\windows\system32\drivers\npfs64.sys
c:\windows\system32\drivers\fprnmn.sys
c:\windows\system32\msvfw64.dll
c:\windows\system32\msvfw64.tmp
Folder::
c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB17AC18-365F-4B5C-B506-92896D1B8DE6}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"*Microsoft Video For Windows 64 bits"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Microsoft Video For Windows 64 bits"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"*Microsoft Video For Windows 64 bits"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"*Microsoft Video For Windows 64 bits"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*Microsoft Video For Windows 64 bits"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AabiWin]
Drag the CFScript onto ComboFix as in the image below and wait for the tool to run automatically:

CFScript.gif


● If prompted, press Enter to start the removal process;
Do not use the mouse or keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may restart automatically. If it does not, restart it manually.

In your next reply, paste ComboFix.txt and a new HijackThis log.


Run a Kaspersky scan following the tutorial below and post the final report in your reply, together with the ComboFix log:

http://www.linhadefensiva.org/forum/index.php?showtopic=74159
_____________________________________


dalieco33 and vimed, your cases are not a virus but a false positive. Avira on both your machines is generating an erroneous detection, classifying a legitimate banking plugin (GbPlugin), which serves to protect your transfers and bank accounts through internet banking. GbPlugin is not a virus.

Note that it is not just the two of you suffering from this false positive: http://www.linhadefensiva.org/forum/index.php?showtopic=102847

Watch for the next Avira updates, which should contain the fix for this false positive. I have also already sent a report to AntiVir.

NOTE: I suggest you neither remove nor quarantine the detected file, vimed and dalieco33. When the alert appears, just ignore it by clicking "Ignore".

_____________________________________


didifpg, your case is the most complicated among the friends here. You are infected with Virut, a file infector that contaminates practically every .exe on the system and is hard to remove. Honestly, didifpg, I'd say it will be easier and faster to format the machine.

But it doesn't hurt to try. So here we go, follow the steps below:

First we'll have to check which Virut variant it is.

- Download Malwarebytes Anti-Malware and save it to the desktop;

● Double-click the program to start the installation. Select the language Português (Brasil);
● At the end of the installation, check the options "Update Malwarebytes Anti-Malware" and "Launch Malwarebytes Anti-Malware", and click Finish;
● After the installation, restart the computer in Safe Mode;
● Select the Full Scan option and then click Scan. Select your C: drive and click the Start Scan button;
● When the scan finishes, click OK and the log will open automatically for you;
● If anything is detected, make sure all items are checked and click the Remove button.
NOTE: If a message appears asking you to restart the computer to complete the removal process, restart it immediately;
● The log can also be viewed by clicking Logs in the main menu;

Copy and paste the contents of that log in your next reply, together with a new HijackThis log.
_____________________________________


mendesic, first, it is important to know that, depending on the virus, it can take any malicious action once it takes over your system. From breaking your Internet connection (as in your case) to stealing your personal data (passwords, e-mail addresses, browsing habits, etc.). In your case, the trojan interfered with your computer's communication with the ISP, so you were prevented from connecting to the Internet. As for why this happens, there are several reasons. I can't tell you that in your case it was one particular thing, because it is complex. I would need the analysis of the file I asked you for earlier to see which trojan variant it was, and then it would be easy to tell you what it did to cause this connection blocking.

Well, your log is clean, mendesic my friend. Any problem still?
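As an added example (not part of the forum post above, and not HijackThis or ComboFix code), the script below does by rule what a helper does by eye on HijackThis-style O2/O4/O20/O23 lines: it flags Run/RunOnce values whose name starts with "*" (the pattern the CFScript for karolz removes), autostarts that point into temp, profile or Recycle Bin directories, rundll32 loading a target that is not a .dll, BHOs whose DLL is gone, every Winlogon Notify DLL, and services with no vendor name. The sample log lines, file paths, and the list of "suspect" directories are constructed assumptions. A hit means "check this entry", not "this is malware": the legitimate GbPlugin Winlogon Notify in the log above would be flagged too.

```python
"""Triage HijackThis-style autostart lines (O2, O4, O20, O23).

Added example for this thread: not a forum post, and not HijackThis or
ComboFix code. Heuristics, sample lines, paths and names are assumptions.
A hit means "look at this entry", not "this is malware".
"""
import re

# Constructed sample modeled on the log formats in this thread (made-up paths).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [*Microsoft Video For Windows 64 bits] C:\WINDOWS\system32\msvfw64.dll
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O4 - HKLM\..\RunOnce: [loader] RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O20 - Winlogon Notify: AabiWin - C:\WINDOWS\system32\aabiwin.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Fax - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Service display names may contain " - " themselves, so anchor on the
# drive-letter path and require the vendor field to be hyphen-free.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+) - (?P<owner>[^-]+) - (?P<path>[A-Za-z]:[\\/].*)$")
# Per-user temp/profile dirs and the Recycle Bin: places droppers like to live.
SUSPECT_DIRS = re.compile(r"\\(temp|recycler|local settings|appdata|application data)\\", re.I)
# rundll32 <target>,<export>: capture the target to check its extension.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<target>[^",]+)', re.I)


def classify(line):
    """Return the review reasons for one log line; [] means nothing stood out."""
    reasons = []
    if (m := O4_RE.match(line)):
        name, cmd = m["name"], m["cmd"]
        if name.startswith("*"):
            reasons.append("Run/RunOnce value name starts with '*' (the pattern the CFScript above removes)")
        if SUSPECT_DIRS.search(cmd):
            reasons.append("autostart points into a temp/profile/Recycle Bin directory")
        if (r := RUNDLL_RE.search(cmd)) and not r["target"].lower().endswith(".dll"):
            reasons.append("rundll32 loads a target that is not a .dll")
    elif (m := O2_RE.match(line)):
        if m["path"].strip().lower() == "(no file)":
            reasons.append("BHO CLSID registered but its DLL is missing (dangling entry)")
    elif O20_RE.match(line):
        reasons.append("Winlogon Notify DLL runs inside winlogon.exe as SYSTEM; verify the publisher")
    elif (m := O23_RE.match(line)):
        # "(file missing)" is skipped: a 32-bit HijackThis on x64 reports many
        # real system services that way because of WOW64 path redirection.
        if m["owner"] == "Unknown owner" and "(file missing)" not in m["path"]:
            reasons.append("service binary present but no vendor name in its version info")
    return reasons


def triage(log_text):
    """Run classify() over every line; return [(line, reasons)] for hits only."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if line and (reasons := classify(line)):
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

To use it on a real log, call `triage(open("hijackthis.log", encoding="latin-1").read())` and read the hits alongside the untouched lines; the rules are deliberately loose, so expect to dismiss some flags (as the helper does above with GbPlugin) rather than treat every hit as a removal target.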
 

Hey mate, here's the log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Buttman at 2009-09-01 18:40:48
Microsoft® Windows Vista™ Ultimate Service Pack 2
System drive C: has 49 GB (28%) free of 177 GB
Total RAM: 4094 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:40:50, on 01/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\DNA\btdna.exe
C:\Program Files (x86)\DAP\DAP.exe
C:\Program Files (x86)\LG Soft India\forteManager\bin\Monitor.exe
C:\Program Files (x86)\DreaMule\emule.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Buttman\Desktop\RSIT.exe
C:\Program Files (x86)\Trend Micro\HijackThis\Buttman.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~2\DAP\DAPIEL~1.DLL
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files (x86)\DNA\btdna.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files (x86)\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O4 - Global Startup: forteManager.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files (x86)\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files (x86)\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files (x86)\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC4CA33-E3AF-46D7-9685-8E9640933BAE}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Context Manager Process Extension (cmpe) - Unknown owner - C:\Windows\system32\cmpe.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8226 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
DAPIELoader Class - C:\PROGRA~2\DAP\DAPIEL~1.DLL [2009-08-09 140888]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"=C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [2004-04-13 69632]
"GrooveMonitor"=C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"avgnt"=C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"StartCCC"=C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-07-02 98304]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1555968]
"ISUSPM Startup"=C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2004-04-17 196608]
"MsnMsgr"=C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"BitTorrent DNA"=C:\Program Files (x86)\DNA\btdna.exe [2009-02-07 342848]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-04-07 138240]
"DownloadAccelerator"=C:\Program Files (x86)\DAP\DAP.EXE [2009-08-09 2754048]
"WMPNSCFG"=C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
forteManager.lnk - C:\Program Files (x86)\LG Soft India\forteManager\bin\Monitor.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=0
"EnableInstallerDetection"=0
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=
"NoActiveDesktopChanges"=
"ForceActiveDesktopOn"=
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files (x86)\BitTorrent\bittorrent.exe"="C:\Program Files (x86)\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c2ff591-2957-11de-a0f0-001e8c77ef70}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc723097-fe13-11dd-915e-001e8c77ef70}]
shell\AutoRun\command - F:\setup\rsrc\Autorun.exe
shell\dinstall\command - F:\Directx\dxsetup.exe


======List of files/folders created in the last 1 months======

2009-09-01 18:40:48 ----D---- C:\rsit
2009-08-29 10:16:39 ----A---- C:\ashampoo-acdw-log.txt
2009-08-29 10:16:38 ----D---- C:\Users\Buttman\AppData\Roaming\Ashampoo
2009-08-29 10:11:57 ----D---- C:\ProgramData\ashampoo
2009-08-29 10:11:38 ----D---- C:\Program Files (x86)\Ashampoo
2009-08-29 09:44:45 ----D---- C:\Program Files (x86)\Trend Micro
2009-08-27 08:35:55 ----A---- C:\Windows\system32\tzres.dll
2009-08-22 13:07:12 ----A---- C:\Windows\system32\XAudio2_2.dll
2009-08-22 13:07:12 ----A---- C:\Windows\system32\XAPOFX1_1.dll
2009-08-22 13:07:12 ----A---- C:\Windows\system32\xactengine3_2.dll
2009-08-22 13:07:11 ----A---- C:\Windows\system32\d3dx10_39.dll
2009-08-22 13:07:11 ----A---- C:\Windows\system32\D3DCompiler_39.dll
2009-08-22 13:07:10 ----A---- C:\Windows\system32\D3DX9_39.dll
2009-08-22 13:06:23 ----D---- C:\Windows\system32\AGEIA
2009-08-22 13:06:23 ----D---- C:\Program Files (x86)\AGEIA Technologies
2009-08-22 13:06:10 ----D---- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2009-08-22 11:58:12 ----SHD---- C:\Windows\ftpcache
2009-08-22 11:55:01 ----A---- C:\Windows\system32\XAudio2_3.dll
2009-08-22 11:55:01 ----A---- C:\Windows\system32\XAPOFX1_2.dll
2009-08-22 11:55:01 ----A---- C:\Windows\system32\D3DX9_40.dll
2009-08-22 11:55:00 ----A---- C:\Windows\system32\X3DAudio1_5.dll
2009-08-22 11:54:58 ----A---- C:\Windows\system32\X3DAudio1_4.dll
2009-08-22 11:54:50 ----A---- C:\Windows\system32\xactengine2_8.dll
2009-08-22 11:27:32 ----D---- C:\Program Files (x86)\Ubisoft
2009-08-14 23:04:37 ----D---- C:\Program Files (x86)\CAPCOM
2009-08-14 23:02:56 ----D---- C:\Windows\system32\xlive
2009-08-14 23:02:55 ----D---- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2009-08-13 16:53:54 ----A---- C:\Windows\system32\xfcodec.dll
2009-08-11 20:13:16 ----A---- C:\Windows\system32\msv1_0.dll
2009-08-11 20:13:16 ----A---- C:\Windows\system32\kerberos.dll
2009-08-11 20:13:15 ----A---- C:\Windows\system32\wdigest.dll
2009-08-11 20:13:15 ----A---- C:\Windows\system32\secur32.dll
2009-08-11 20:13:15 ----A---- C:\Windows\system32\schannel.dll
2009-08-11 20:13:09 ----A---- C:\Windows\system32\wmpdxm.dll
2009-08-11 20:13:09 ----A---- C:\Windows\system32\wmp.dll
2009-08-11 20:13:08 ----A---- C:\Windows\system32\wmploc.DLL
2009-08-11 20:13:08 ----A---- C:\Windows\system32\spwmp.dll
2009-08-11 20:13:08 ----A---- C:\Windows\system32\dxmasf.dll
2009-08-11 20:13:05 ----A---- C:\Windows\system32\atl.dll
2009-08-11 20:12:49 ----A---- C:\Windows\system32\avifil32.dll
2009-08-11 20:12:46 ----A---- C:\Windows\system32\mstscax.dll

======List of files/folders modified in the last 1 months======

2009-09-01 18:40:46 ----D---- C:\Windows\Temp
2009-09-01 18:33:40 ----D---- C:\Program Files (x86)\Mozilla Firefox
2009-09-01 18:32:52 ----D---- C:\Users\Buttman\AppData\Roaming\DNA
2009-09-01 18:27:43 ----D---- C:\Windows\System32
2009-09-01 18:27:43 ----D---- C:\Windows\inf
2009-09-01 18:22:48 ----AD---- C:\ProgramData\TEMP
2009-09-01 18:22:47 ----D---- C:\Program Files (x86)\DNA
2009-09-01 08:14:14 ----D---- C:\Users\Buttman\AppData\Roaming\Audacity
2009-08-30 15:42:58 ----A---- C:\Windows\system32\PnkBstrB.exe
2009-08-29 22:00:26 ----D---- C:\Users\Buttman\AppData\Roaming\Xfire
2009-08-29 21:18:26 ----HD---- C:\Program Files (x86)\InstallShield Installation Information
2009-08-29 21:18:20 ----SHD---- C:\Windows\Installer
2009-08-29 21:18:20 ----D---- C:\ProgramData\CyberLink
2009-08-29 21:18:20 ----D---- C:\Program Files (x86)\Common Files
2009-08-29 21:18:20 ----D---- C:\Program Files (x86)
2009-08-29 21:17:13 ----D---- C:\Windows\Prefetch
2009-08-29 21:16:16 ----SHD---- C:\System Volume Information
2009-08-29 10:11:57 ----D---- C:\ProgramData
2009-08-28 19:13:33 ----D---- C:\Fraps
2009-08-27 22:22:35 ----D---- C:\Windows\rescache
2009-08-27 08:36:55 ----D---- C:\Windows\winsxs
2009-08-27 08:36:55 ----D---- C:\Windows\system32\pt-BR
2009-08-27 08:36:54 ----D---- C:\Windows\SysWOW64
2009-08-27 00:56:42 ----D---- C:\Users\Buttman\AppData\Roaming\BitTorrent
2009-08-22 13:06:57 ----RSD---- C:\Windows\assembly
2009-08-22 13:06:28 ----D---- C:\Windows
2009-08-22 11:59:40 ----D---- C:\Program Files (x86)\Activision
2009-08-21 19:10:26 ----D---- C:\ProgramData\Xfire
2009-08-21 19:10:26 ----D---- C:\Program Files (x86)\Xfire
2009-08-11 20:25:44 ----D---- C:\Windows\Microsoft.NET
2009-08-11 20:17:31 ----D---- C:\ProgramData\Microsoft Help
2009-08-11 20:15:22 ----D---- C:\Program Files (x86)\Windows Media Player
2009-08-09 20:04:39 ----D---- C:\Program Files (x86)\DAP

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avfwot;avfwot; C:\Windows\system32\DRIVERS\avfwot.sys []
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys []
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller; C:\Windows\system32\DRIVERS\atl01v64.sys []
R3 AtiHdmiService;ATI Function Driver for HDMI Service; C:\Windows\system32\drivers\AtiHdmi.sys []
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys []
R3 avfwim;AvFw Packet Filter Miniport; C:\Windows\system32\DRIVERS\avfwim.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys []
R3 ksthunk;Kernel Streaming Thunks; C:\Windows\system32\drivers\ksthunk.sys []
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys []
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys []
S3 auxtfo76;auxtfo76; C:\Windows\system32\drivers\auxtfo76.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys []
S3 HdAudAddService;Driver de Função Microsoft 1.1 UAA para Serviço de High Definition Audio; C:\Windows\system32\drivers\HdAudio.sys []
S3 LGDDCDevice;LGDDCDevice; \??\C:\Program Files (x86)\LG Soft India\forteManager\bin\I2CDriver.sys [2008-03-27 14336]
S3 LGII2CDevice;LGII2CDevice; \??\C:\Program Files (x86)\LG Soft India\forteManager\bin\PII2CDriver.sys [2008-03-27 13312]
S3 MSKSSRV;Proxy de serviço de streaming Microsoft; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Proxy do relógio de streaming Microsoft; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Proxy de gerenciador de qualidade de streaming Microsoft; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Conversor em T entre Coletores de streaming Microsoft; C:\Windows\system32\drivers\MSTEE.sys []
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys []
S4 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys []
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys []
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys []
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe []
R2 AntiVirFirewallService;Avira Firewall; C:\Program Files (x86)\Avira\AntiVir Desktop\avfwsvc.exe [2009-06-09 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe [2009-06-09 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2009-06-09 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2009-08-05 185089]
R2 AntiVirWebService;Avira AntiVir WebGuard; C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-06-09 434945]
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2009-07-16 75064]
S2 cmpe;Context Manager Process Extension; C:\Windows\system32\cmpe.exe []
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-04-07 21504]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-03-29 89920]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe []
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-04-07 19968]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-04-07 21504]
S3 usnjsvc;Serviço de Compartilhamento de Pastas Messenger do USN Journal Reader; C:\Program Files (x86)\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe []
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files (x86)\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-04-07 21504]

-----------------EOF-----------------

And the info.txt

info.txt logfile of random's system information tool 1.06 2009-09-01 18:40:51

======Uninstall list======

-->MsiExec /X{64F67489-76BB-4CDD-A236-F954BE774B35}
Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.1 - Português-->MsiExec.exe /I{AC76BA86-7AD7-1046-7B44-A91000000001}
Ashampoo Burning Studio 2009 Advanced-->"C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 2009 Advanced\unins000.exe"
Attansic Ethernet Utility-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9 -removeonly
Attansic L1 Gigabit Ethernet Driver-->rundll32.exe C:\Windows\SysWOW64\Attansic\L1\atcInst.dll,VisUninst C:\Windows\SysWOW64\Attansic\L1 x64 pci\ven_1969&dev_1048
Avira Premium Security Suite-->C:\Program Files (x86)\Avira\AntiVir Desktop\setup.exe /REMOVE
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch-->C:\Program Files (x86)\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch-->C:\Program Files (x86)\InstallShield Installation Information\{931C37FC-594D-43A9-B10F-A2F2B1F03498}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM)-->C:\Program Files (x86)\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Juarez - Bound in Blood-->C:\Program Files (x86)\InstallShield Installation Information\{FEFAF112-4DA8-479C-89E2-7DE25091711A}\Setup.exe -runfromtemp -l0x0409
Catalyst Control Center - Branding-->MsiExec.exe /I{D3B1C799-CB73-42DE-BA0F-2344793A095C}
Cheating-Death 4.33.4-->C:\Program Files (x86)\Cheating-Death\UninstCD.exe
ConvertXtoDVD 3.4.7.121-->"C:\Program Files (x86)\VSO\ConvertX\3\unins000.exe"
Counter-Strike 1.6-->"C:\Program Files (x86)\Counter-Strike 1.6\unins000.exe"
Download Accelerator Plus (DAP)-->C:\PROGRA~2\DAP\DAPREMOVE.EXE
DreaMule 3.2-->"C:\Program Files (x86)\DreaMule\unins000.exe"
FEARCombat-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{75E607CF-7BAE-4B88-84B3-97F3DF44BA28}\setup.exe" -l0x9 /zU -removeonly
forteManager-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{DA6FAB8D-E87A-4E8E-A3D3-B7B9F479C725}\setup.exe" -l0x816 -removeonly
Fraps-->"C:\Fraps\uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {08155812-0202-4D5F-A7FF-12A2782DC548} /qb+ REBOOTPROMPT=""
ImgBurn-->"C:\Program Files (x86)\ImgBurn\uninstall.exe"
K-Lite Mega Codec Pack 4.5.3-->"C:\Program Files (x86)\K-Lite Codec Pack\unins000.exe"
Messenger Plus! Live-->"C:\Program Files (x86)\Messenger Plus! Live\Uninstall.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {E64BA721-2310-4B55-BE5A-2925F9706192}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-002A-0416-1000-0000000FF1CE} /uninstall {9A141B2B-7C5E-47D2-8E9E-9AC6018F3C42}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0416-0000-0000000FF1CE} /uninstall {9A141B2B-7C5E-47D2-8E9E-9AC6018F3C42}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office Access MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0015-0416-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0016-0416-0000-0000000FF1CE}
Microsoft Office Groove MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-00BA-0416-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0044-0416-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-00A1-0416-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-001A-0416-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0018-0416-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-001F-0416-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-002C-0416-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0416-0000-0000000FF1CE} /uninstall {75EBE365-7FC5-4720-A7D3-804BF550D1BC}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0019-0416-0000-0000000FF1CE}
Microsoft Office Shared MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-006E-0416-0000-0000000FF1CE}
Microsoft Office Word MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-001B-0416-0000-0000000FF1CE}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.5.2)-->C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
NVIDIA PhysX-->MsiExec.exe /X{64F67489-76BB-4CDD-A236-F954BE774B35}
Realtek High Definition Audio Driver-->RtlUpd64.exe -r -m
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB969679)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C66E4A6C-6E07-4C63-8CCD-2493B5087C73}
Security Update for Microsoft Office Excel 2007 (KB969682)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C03803BD-745A-46F8-8557-817DED578780}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
STREET FIGHTER IV-->MsiExec.exe /X{59ABBDF0-E1E5-48AF-85FB-F523A08C3490}
The KMPlayer (remove only)-->"C:\Program Files (x86)\The KMPlayer\uninstall.exe"
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office Outlook 2007 (KB969907)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {74F98B24-AFBD-4800-9BD6-87D349B5C462}
Update for Outlook 2007 Junk Email Filter (kb972691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AA020E6E-E2FB-45EF-B732-2400E2296742}
Virtual DJ - Atomix Productions-->C:\PROGRA~2\VIRTUA~1\UNWISE.EXE C:\PROGRA~2\VIRTUA~1\INSTALL.LOG
Windows Live installer-->MsiExec.exe /X{3A417047-2E30-4D05-8977-F706D40BFF39}
Windows Live Messenger-->MsiExec.exe /X{8EADB73B-026D-4978-A8F0-1EEF5E1ECEC7}
WinRAR archiver-->C:\Program Files (x86)\WinRAR\uninstall.exe
Xfire (remove only)-->"C:\Program Files (x86)\Xfire\uninst.exe"
X-Men Origins - Wolverine(TM)-->C:\Program Files (x86)\InstallShield Installation Information\{7F0B94C6-828C-4EDE-A86B-ECF4D792B68D}\setup.exe -runfromtemp -l0x0409

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: Buttman-PC
Event Code: 10029
Message: O DCOM iniciou o serviço VSS com argumentos "" para executar o servidor:
{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
Record Number: 12102
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20090226223219.000000-000
Event Type: Informações
User:

Computer Name: Buttman-PC
Event Code: 7036
Message: O serviço Instalador de Módulos do Windows entrou no estado executando.
Record Number: 12101
Source Name: Service Control Manager
Time Written: 20090226223046.000000-000
Event Type: Informações
User:

Computer Name: Buttman-PC
Event Code: 10029
Message: O DCOM iniciou o serviço TrustedInstaller com argumentos "" para executar o servidor:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}
Record Number: 12100
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20090226223046.000000-000
Event Type: Informações
User:

Computer Name: Buttman-PC
Event Code: 7036
Message: O serviço Windows Update entrou no estado executando.
Record Number: 12099
Source Name: Service Control Manager
Time Written: 20090226222930.000000-000
Event Type: Informações
User:

Computer Name: Buttman-PC
Event Code: 7036
Message: O serviço Iniciador de Serviços do Windows Media Center entrou no estado interrompido.
Record Number: 12098
Source Name: Service Control Manager
Time Written: 20090226222929.000000-000
Event Type: Informações
User:

=====Application event log=====

Computer Name: WIN-9WXF4QYF3GN
Event Code: 4625
Message: O subsistema EventSystem está suprimindo entradas de log de eventos duplicadas para uma duração de 86400 segundos. O tempo limite de supressão pode ser controlado por um valor REG_DWORD denominado SuppressDuplicateDuration sob esta chave do Registro: HKLM\Software\Microsoft\EventSystem\EventLog.
Record Number: 5
Source Name: Microsoft-Windows-EventSystem
Time Written: 20090206233452.000000-000
Event Type: Informações
User:

Computer Name: WIN-9WXF4QYF3GN
Event Code: 900
Message: O serviço de Licenciamento de Software está sendo iniciado.

Record Number: 4
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090206233451.000000-000
Event Type: Informações
User:

Computer Name: WIN-9WXF4QYF3GN
Event Code: 1531
Message: Serviço de Perfil de Usuário iniciado com êxito.


Record Number: 3
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090206233451.000000-000
Event Type: Informações
User: AUTORIDADE NT\SYSTEM

Computer Name: 26L2233A1-13
Event Code: 2
Message: Cliente de Serviços de Certificados interrompido.
Record Number: 2
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20061102160003.208200-000
Event Type: Informações
User:

Computer Name: 26L2233A1-13
Event Code: 2
Message: Cliente de Serviços de Certificados interrompido.
Record Number: 1
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20061102160003.145800-000
Event Type: Informações
User: AUTORIDADE NT\SYSTEM

=====Security event log=====

Computer Name: 26L2233A1-13
Event Code: 4902
Message: Criada tabela de diretivas de auditoria por usuário.

Número de elementos: 0
Identificação da diretiva: 0x8ca14
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090206233429.979572-000
Event Type: Sucesso da Auditoria
User:

Computer Name: 26L2233A1-13
Event Code: 4624
Message: O logon de uma conta foi efetuado com sucesso.

Requerente:
Identificação de segurança: S-1-0-0
Nome da conta: -
Domínio da conta: -
Identificação de logon: 0x0

Tipo de logon: 0

Novo logon:
Identificação de segurança: S-1-5-18
Nome da conta: SYSTEM
Domínio da conta: AUTORIDADE NT
Identificação de logon: 0x3e7
GUID de logon: {00000000-0000-0000-0000-000000000000}

Informações do processo:
Identificação do processo: 0x4
Nome do processo:

Informações da rede:
Nome da estação de trabalho: -
Endereço da rede de origem: -
Porta de origem: -

Informações detalhadas da autenticação:
Processo de logon: -
Pacote de autenticação: -
Serviços transitados: -
Nome do pacote (somente NTLM): -
Comprimento da chave: 0

Este evento é gerado quando uma sessão de logon é criada. Ele é gerado no computador acessado.

Os campos do assunto indicam a conta do sistema local que solicitou o logon. Comumente, isto é um serviço como o de servidor ou um processo local como Winlogon.exe ou Services.exe.

O campo tipo de logon indica o tipo de logon ocorrido. Os tipos mais comuns são 2 (interativo) e 3 (em rede).

Os campos Novo logon indicam as contas para a qual o novo logon foi criada, isto é, a conta na qual o logon foi efetuado.

Os campos de rede indicam onde a solicitação de logon remoto se originou. O nome da estação de trabalho nem sempre está disponível e pode ser deixado em branco em alguns casos.

Os campos de informações de autenticação fornecem informações detalhadas sobre esta solicitação específica de logon.
-O GUID de logon é um identificador exclusivo que pode ser usado para correlacionar este evento com um evento de KDC.
- Serviços transitados indicam qual serviço intermediário participou desta solicitação de logon.
- Nome de pacote indica qual subprotocolo foi usado, entre os protocolos NTLM.
- Comprimento da chave indica o comprimento da chave da sessão gerada. Ele será 0 se nenhuma chave de sessão foi solicitada.
Record Number: 4
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090206233428.669163-000
Event Type: Sucesso da Auditoria
User:

Computer Name: 26L2233A1-13
Event Code: 4608
Message: Windows está iniciando.

Este evento é registrado quando o LSASS.EXE inicia e o subsistema de auditoria é inicializado.
Record Number: 3
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090206233428.669163-000
Event Type: Sucesso da Auditoria
User:

Computer Name: 26L2233A1-13
Event Code: 4647
Message: O usuário iniciou o logoff:

Requerente:
Identificação de segurança: S-1-5-21-3991871189-2232181320-2112149827-500
Nome da conta: Administrator
Domínio da conta: 26L2233A1-13
Identificação de logon: 0x92456

Este evento é gerado quando o logon é iniciado, porém a contagem de referência do token não é zero e a sessão de logon não pode ser destruída. Nenhuma outra atividade iniciada pelo usuário pode ocorrer. Este evento pode ser interpretado como um evento de logoff.
Record Number: 2
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20061102160004.159800-000
Event Type: Sucesso da Auditoria
User:

Computer Name: 26L2233A1-13
Event Code: 4634
Message: Foi efetuado o logoff de uma conta.

Requerente:
Identificação de segurança: S-1-5-7
Nome da conta: ANONYMOUS LOGON
Domínio da conta: NT AUTHORITY
Identificação de logon: 0x1f471

Tipo de logon: 3

Este evento é gerado quando uma sessão de logon é destruída. Ele pode ser positivamente correlacionado com um evento de logon, utilizando o valor Identificação de logon. As identificações de logon são exclusivas apenas entre as reinicializações do mesmo computador.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20061102160003.192600-000
Event Type: Sucesso da Auditoria
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2

-----------------EOF-----------------

Thanks, my friend.

Big hug!
 
Here is the RSIT log
Logfile of random's system information tool 1.06 (written by random/random)
Run by User at 2009-09-01 21:39:38
Microsoft Windows XP Professional Service Pack 2
System drive C: has 26 GB (64%) free of 40 GB
Total RAM: 1015 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:46, on 1/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\Arquivos de programas\Winamp\winampa.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Orbitdownloader\orbitnet.exe
C:\Documents and Settings\LocalService\Dados de aplicativos\Microsoft\caref.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Winamp\winamp.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson Wireless Manager 5\WirelessManager.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\Arquivos de programas\Trend Micro\HijackThis\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pesbrasil.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - Default URLSearchHook is missing
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Arquivos de programas\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE LG webpro2 Camera
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zoussyb] C:\WINDOWS\system32\bokafeque.exe
O4 - HKLM\..\RunServices: [zoussyb] C:\WINDOWS\system32\bokafeque.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Arquivos de programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zoussyb] C:\Documents and Settings\LocalService\Dados de aplicativos\Microsoft\caref.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Orbit.lnk = C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://127.0.0.1:9070/etc/var/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Backbone Service (e1dgkiyryoc) - Unknown owner - C:\Documents and Settings\LocalService\Dados de aplicativos\Microsoft\caref.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8719 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll [2008-10-31 130248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Facilitador de Leitor de Link Adobe PDF - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll [2008-01-28 1554256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar.dll [2009-01-20 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-07-07 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Arquivos de programas\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-20 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll [2008-10-31 441464]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"Adobe Reader Speed Launcher"=C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"SunJavaUpdateSched"=C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"BigDogPath"=C:\WINDOWS\VM_STI.EXE [2003-01-21 40960]
"WinampAgent"=C:\Arquivos de programas\Winamp\winampa.exe [2008-08-03 36352]
"avast!"=C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe [2009-08-17 81000]
"zoussyb"=C:\WINDOWS\system32\bokafeque.exe [2009-08-27 266240]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"AlcoholAutomount"=C:\Arquivos de programas\Alcohol Soft\Alcohol 120\axcmd.exe [2007-07-02 219520]
"DAEMON Tools Lite"=C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]
"swg"=C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-11-07 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2007-01-12 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2007-01-12 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe [2007-01-12 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2007-06-13 16377344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Arquivos de programas\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-11-07 68856]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
Orbit.lnk - C:\Arquivos de programas\Orbitdownloader\orbitdm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-01-12 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 267304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\Arquivos de programas\MSN Messenger\livecall.exe"="C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\JOGOS\Medal\mohpa.exe"="D:\JOGOS\Medal\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault(tm)"
"D:\JOGOS\LOTR BFME\game.dat"="D:\JOGOS\LOTR BFME\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\Arquivos de programas\Nero\Nero 7\Nero Home\NeroHome.exe"="C:\Arquivos de programas\Nero\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home"
"C:\Arquivos de programas\DreaMule\emule.exe"="C:\Arquivos de programas\DreaMule\emule.exe:*:Enabled:Dreamule"
"C:\Arquivos de programas\Orbitdownloader\orbitdm.exe"="C:\Arquivos de programas\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Arquivos de programas\Orbitdownloader\orbitnet.exe"="C:\Arquivos de programas\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"
"C:\Documents and Settings\All Users\Dados de aplicativos\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Dados de aplicativos\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"D:\JOGOS\combat\Combat Arms\CombatArms.exe"="D:\JOGOS\combat\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"D:\JOGOS\combat\Combat Arms\Engine.exe"="D:\JOGOS\combat\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"D:\JOGOS\combat\Combat Arms\NMService.exe"="D:\JOGOS\combat\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Arquivos de programas\uTorrent\uTorrent.exe"="C:\Arquivos de programas\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"D:\JOGOS\LOTR BFME\patchget.dat"="D:\JOGOS\LOTR BFME\patchget.dat:*:Enabled:patchgrabber"
"C:\Arquivos de programas\Garena\Garena.exe"="C:\Arquivos de programas\Garena\Garena.exe:*:Disabled:Garena"
"D:\JOGOS\Left for dead\Left 4 Dead\left4dead.exe"="D:\JOGOS\Left for dead\Left 4 Dead\left4dead.exe:*:Disabled:left4dead"
"D:\JOGOS\Futebol\pes2009.exe"="D:\JOGOS\Futebol\pes2009.exe:*:Enabled:pro Evolution Soccer 2009"
"D:\JOGOS\Futebol\PES2008\PES2008.exe"="D:\JOGOS\Futebol\PES2008\PES2008.exe:*:Enabled:pro Evolution Soccer 2008"
"C:\Arquivos de programas\KONAMI\Pro Evolution Soccer 2008\PES2008.exe"="C:\Arquivos de programas\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:*:Enabled:pro Evolution Soccer 2008"
"C:\Arquivos de programas\PEScript2009\mirc_wem.exe"="C:\Arquivos de programas\PEScript2009\mirc_wem.exe:*:Enabled:mIRC traduzido por Teco"
"C:\Arquivos de programas\Megacubo\megacubo.exe"="C:\Arquivos de programas\Megacubo\megacubo.exe:*:Disabled:MegaCubo"
"C:\Arquivos de programas\KONAMI\Pro Evolution Soccer 2008\WEM2008.exe"="C:\Arquivos de programas\KONAMI\Pro Evolution Soccer 2008\WEM2008.exe:*:Enabled:pro Evolution Soccer 2008"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Arquivos de programas\Valve\hl.exe"="C:\Arquivos de programas\Valve\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Arquivos de programas\Windows Live\Messenger\wlcsdk.exe"="C:\Arquivos de programas\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe"="C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\Arquivos de programas\MSN Messenger\livecall.exe"="C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\JOGOS\combat\Combat Arms\CombatArms.exe"="D:\JOGOS\combat\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"D:\JOGOS\combat\Combat Arms\Engine.exe"="D:\JOGOS\combat\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Arquivos de programas\Windows Live\Messenger\wlcsdk.exe"="C:\Arquivos de programas\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe"="C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2009-08-29 17:39:46 ----D---- C:\Downloads
2009-08-27 16:33:10 ----RASH---- C:\WINDOWS\system32\bokafeque.exe
2009-08-26 17:49:01 ----D---- C:\rsit
2009-08-25 18:56:36 ----A---- C:\b3_log_8.txt
2009-08-23 13:46:31 ----RASH---- C:\WINDOWS\system32\caref.exe
2009-08-02 12:08:53 ----A---- C:\WINDOWS\system32\aswBoot.exe

======List of files/folders modified in the last 1 months======

2009-09-01 21:23:26 ----D---- C:\WINDOWS\Temp
2009-09-01 21:22:59 ----D---- C:\Arquivos de programas\Mozilla Firefox
2009-09-01 20:45:50 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-01 20:45:43 ----D---- C:\Documents and Settings\User\Dados de aplicativos\Orbit
2009-09-01 20:45:28 ----D---- C:\WINDOWS\system32
2009-09-01 20:45:06 ----D---- C:\WINDOWS\system32\drivers
2009-09-01 20:45:06 ----D---- C:\WINDOWS\system32\config
2009-09-01 20:34:54 ----D---- C:\Documents and Settings\User\Dados de aplicativos\uTorrent
2009-09-01 20:00:10 ----D---- C:\WINDOWS\Prefetch
2009-09-01 17:03:08 ----A---- C:\WINDOWS\NeroDigital.ini
2009-08-31 20:35:18 ----D---- C:\Arquivos de programas\DreaMule
2009-08-31 07:55:45 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-29 17:35:00 ----D---- C:\Arquivos de programas\PEScript2009
2009-08-23 13:50:09 ----D---- C:\WINDOWS
2009-08-23 13:46:40 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-23 13:46:35 ----HD---- C:\WINDOWS\inf
2009-08-18 21:04:21 ----A---- C:\WINDOWS\win.ini
2009-08-02 13:24:17 ----D---- C:\Arquivos de programas
2009-08-02 13:22:27 ----HD---- C:\Arquivos de programas\InstallShield Installation Information
2009-08-02 13:22:23 ----SHD---- C:\WINDOWS\Installer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-08-17 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-08-17 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-08-17 51376]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2008-02-20 4224]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2008-02-20 3968]
R1 intelppm;Driver de Processador Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 40192]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-08-17 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-08-17 94160]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-06-02 278984]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2008-02-20 4960]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-06-02 25416]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-08-17 23152]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Driver de classe HID da Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-01-12 5672032]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-22 4432384]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-09-05 12288]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2007-04-14 94592]
R3 sembbus;SEMC WMC Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sembbus.sys [2008-02-06 260992]
R3 sembcard;Sony Ericsson PC300 Mobile Broadband Command Interface Drivers (WDM); C:\WINDOWS\system32\DRIVERS\sembcard.sys [2008-02-06 337408]
R3 sembmdfl2;Sony Ericsson PC300 Wireless Modem Filter; C:\WINDOWS\system32\DRIVERS\sembmdfl2.sys [2008-02-06 14976]
R3 sembmdm2;Sony Ericsson PC300 Wireless Modem Driver; C:\WINDOWS\system32\DRIVERS\sembmdm2.sys [2008-02-06 380672]
R3 sembmgmt;Sony Ericsson PC300 Mobile Broadband Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\sembmgmt.sys [2008-02-06 343680]
R3 sembnd5;Sony Ericsson PC300 Mobile Broadband Network Adapter SENECA (NDIS); C:\WINDOWS\system32\DRIVERS\sembnd5.sys [2008-02-06 24960]
R3 sembunic;Sony Ericsson PC300 Mobile Broadband Network Adapter SENECA (WDM); C:\WINDOWS\system32\DRIVERS\sembunic.sys [2008-02-06 344064]
R3 sembwwan;Sony Ericsson PC300 Mobile Broadband Ethernet Control Drivers (WDM); C:\WINDOWS\system32\DRIVERS\sembwwan.sys [2008-02-06 337408]
R3 SEMCReserved;SEMC Reserved Interface; C:\WINDOWS\system32\DRIVERS\semcreserved.sys [2008-02-15 17408]
R3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader; C:\WINDOWS\system32\DRIVERS\sesc.sys [2007-08-14 12672]
R3 usbaudio;Driver de áudio USB (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 ZSMC302;LG webpro2 Camera; C:\WINDOWS\System32\Drivers\usbvm302.sys [2004-06-16 91271]
S1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2008-02-20 775680]
S1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2008-02-20 27776]
S2 asc3550p;asc3550p; C:\WINDOWS\system32\drivers\asc3550p.sys []
S3 ae2gr81c;ae2gr81c; C:\WINDOWS\system32\drivers\ae2gr81c.sys []
S3 ave8le4c;ave8le4c; C:\WINDOWS\system32\drivers\ave8le4c.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 MSTEE;Conversor em T entre locais de fluxo contínuo Microsoft; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Conexão de TV e vídeo da Microsoft; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 w200bus;Sony Ericsson W200 driver (WDM); C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 86368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Driver de filtro de restauração do sistema; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe [2009-08-17 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe [2009-08-17 138680]
R2 MDM;Machine Debug Manager; C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 StarWindServiceAE;StarWind AE Service; C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
R3 avast! Web Scanner;avast! Web Scanner; C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe [2009-08-17 352920]
S2 Avg7Alrt;AVG7 Alert Manager Server; C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe []
S2 Avg7UpdSvc;AVG7 Update Service; C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe []
S2 AVGEMS;AVG E-mail Scanner; C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe []
S2 e1dgkiyryoc;Backbone Service; C:\Documents and Settings\LocalService\Dados de aplicativos\Microsoft\caref.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe [2009-08-17 254040]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-20 137200]
S3 IDriverT;InstallDriver Table Manager; C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 NBService;NBService; C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe [2007-06-01 271920]
S3 ose;Office Source Engine; C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Serviço de Compartilhamento de Rede do Windows Media Player; C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe [2006-11-02 914944]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------
 
Hi Mr. Wolf...

I did everything you asked; hopefully it worked, because I didn't want to have to format my PC...

Here's the Malwarebytes' Anti-Malware log >>>

Malwarebytes' Anti-Malware 1.40
Versão do banco de dados: 2728
Windows 5.1.2600 Service Pack 3 (Safe Mode)

2/9/2009 01:56:38
mbam-log-2009-09-02 (01-56-38).txt

Tipo de Verificação: Completa (C:\|)
Objetos verificados: 157420
Tempo decorrido: 52 minute(s), 56 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 4

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
C:\System Volume Information\_restore{4CEB0A6A-E11D-4D23-949B-241A815C4E31}\RP140\A0039153.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CEB0A6A-E11D-4D23-949B-241A815C4E31}\RP140\A0039154.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CEB0A6A-E11D-4D23-949B-241A815C4E31}\RP140\A0039155.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CEB0A6A-E11D-4D23-949B-241A815C4E31}\RP140\A0039156.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

<<<

And now the HijackThis log >>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:00:28, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Ares\Ares.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Arquivos de programas\Arquivos comuns\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Rainlendar2] C:\Arquivos de programas\Rainlendar2\Rainlendar2.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {31CB2F01-72C2-4CF4-B265-450E8817B039} (Toontown IE Helper Portuguese) - http://idownload.br.toontown.com/sv1.4.14.8/ttinst-portuguese.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img4.orkut.com/activex/10036/photouploader.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF32D210-948A-4A63-BD02-8938A15D4750}: NameServer = 200.225.197.34 200.225.197.37
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Arquivos de programas\Arquivos comuns\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

--
End of file - 8789 bytes


<<<

Cheers, and I'll be waiting for replies!!!
=]
 
palma, we have a huge problem there. I recommend that you install a firewall immediately and, if you have a network set up there, disconnect the computer from it. Follow the steps below, palma:

Step 1

- Download Lop SD and save it to the desktop;

- Double-click Lop SD. In the window that opens, press the P key and hit Enter;
- On the next screen, press the number 2 and hit Enter;
- Your screen will flicker. This is normal. Wait until a report is generated. It will be at C:\LopR.txt.


Step 2

- Download ComboFix and save it to the desktop;

- Temporarily disable your antivirus so it does not detect the tool as a virus;
- Double-click the combofix.exe icon to start the scan;
- Read the agreement that appears and click Yes to continue;
- A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;
- Wait while ComboFix runs the scan;
- If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
- Do not click on the ComboFix window, and try not to use the keyboard either, so as not to disturb the tool's scan;
- If you want to quit or stop ComboFix, press N;
- When it finishes, your PC will be restarted. After the restart the tool will run again; wait;
- A log will be generated at C:\ComboFix.txt.

Post the Lop SD and ComboFix logs in your next reply.

Mr. Wolf, as always, eternally grateful for your constant help. Here are the logs you requested:

Lop SD
--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz )
BIOS : BIOS Date: 01/23/09 18:13:27 Ver: 08.00.12
USER : palma ( Administrator )
BOOT : Normal boot
Antivirus : AntiVir Desktop 9.0.1.32 (Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:96 Go (Free:6 Go)
D:\ (Local Disk) - NTFS - Total:369 Go (Free:1 Go)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( ter 01/09/2009|23:12 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ REMOVIDOS

Deletado! - C:\WINDOWS\Tasks\A3C15B5A906ACC6E.job
Deletado! - C:\DOCUME~1\ALLUSE~1\DADOSD~1\SETUP BEND FIRST 01\type poke.dat
Deletado! - C:\DOCUME~1\ALLUSE~1\DADOSD~1\SETUP BEND FIRST 01\type poke.exe
Deletado! - C:\DOCUME~1\LOCALS~1\DADOSD~1\blehtr~1\Skip Slow.exe
Deletado! - C:\DOCUME~1\palma\DADOSD~1\blehtr~1\BOLTLOUDFINDDEFAULT.exe
Deletado! - C:\DOCUME~1\palma\DADOSD~1\blehtr~1\Move mode drv.exe
Deletado! - C:\DOCUME~1\palma\DADOSD~1\blehtr~1\pqhvycre.exe
Deletado! - C:\DOCUME~1\palma\DADOSD~1\blehtr~1\Skip Slow.exe
Deletado! - C:\DOCUME~1\palma\CONFIG~1\Temp\sta154.exe
Deletado! - C:\DOCUME~1\palma\Cookies\palma@www.adserver5[2].txt
Deletado! - C:\DOCUME~1\palma\Cookies\palma@advertising.marketnetwork[1].txt
Deletado! - C:\DOCUME~1\palma\Cookies\palma@advertising[2].txt
Deletado! - C:\DOCUME~1\ALLUSE~1\DADOSD~1\SETUP BEND FIRST 01
Deletado! - C:\DOCUME~1\LOCALS~1\DADOSD~1\blehtr~1
Deletado! - C:\DOCUME~1\palma\DADOSD~1\blehtr~1
Deletado! - C:\Arquivos de programas\blehtr~1

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Lista de pastas em DADOSD~1

[09/06/2009|00:43] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Adobe
[07/06/2009|00:33] C:\DOCUME~1\ALLUSE~1\DADOSD~1\ATI
[29/08/2009|21:47] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Avira
[12/07/2009|23:12] C:\DOCUME~1\ALLUSE~1\DADOSD~1\FLEXnet
[18/07/2009|20:43] C:\DOCUME~1\ALLUSE~1\DADOSD~1\GbPlugin
[12/07/2009|12:20] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Hagel Technologies
[31/07/2009|20:03] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Messenger Plus!
[07/06/2009|00:02] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Microsoft
[07/06/2009|00:17] C:\DOCUME~1\ALLUSE~1\DADOSD~1\OrbNetworks
[28/07/2009|20:20] C:\DOCUME~1\ALLUSE~1\DADOSD~1\TEMP
[07/06/2009|00:14] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Winamp Toolbar

[06/06/2009|19:04] C:\DOCUME~1\DEFAUL~1\DADOSD~1\Microsoft

[30/08/2009|17:53] C:\DOCUME~1\LOCALS~1\DADOSD~1\Adobe
[06/06/2009|19:04] C:\DOCUME~1\LOCALS~1\DADOSD~1\Microsoft

[06/06/2009|19:04] C:\DOCUME~1\NETWOR~1\DADOSD~1\Microsoft

[19/08/2009|01:10] C:\DOCUME~1\palma\DADOSD~1\Adobe
[08/06/2009|11:56] C:\DOCUME~1\palma\DADOSD~1\Ahead
[07/06/2009|00:33] C:\DOCUME~1\palma\DADOSD~1\ATI
[29/07/2009|23:42] C:\DOCUME~1\palma\DADOSD~1\Cool Record Edit Pro
[08/08/2009|14:37] C:\DOCUME~1\palma\DADOSD~1\Desktopicon
[28/07/2009|19:11] C:\DOCUME~1\palma\DADOSD~1\Free Sound Recorder
[06/06/2009|19:09] C:\DOCUME~1\palma\DADOSD~1\Identities
[07/06/2009|17:21] C:\DOCUME~1\palma\DADOSD~1\ImgBurn
[06/06/2009|19:12] C:\DOCUME~1\palma\DADOSD~1\InstallShield
[08/08/2009|14:30] C:\DOCUME~1\palma\DADOSD~1\LimeWire
[07/06/2009|00:02] C:\DOCUME~1\palma\DADOSD~1\Macromedia
[09/06/2009|16:49] C:\DOCUME~1\palma\DADOSD~1\Media Player Classic
[13/07/2009|21:53] C:\DOCUME~1\palma\DADOSD~1\Microsoft
[07/06/2009|00:25] C:\DOCUME~1\palma\DADOSD~1\Mozilla
[06/08/2009|22:48] C:\DOCUME~1\palma\DADOSD~1\Opera
[29/08/2009|21:41] C:\DOCUME~1\palma\DADOSD~1\S03-7323-GEYNAWT-2623-TGAW
[27/07/2009|23:14] C:\DOCUME~1\palma\DADOSD~1\Sun
[31/07/2009|01:13] C:\DOCUME~1\palma\DADOSD~1\Tibia
[17/06/2009|00:28] C:\DOCUME~1\palma\DADOSD~1\TMP
[01/09/2009|23:12] C:\DOCUME~1\palma\DADOSD~1\uTorrent
[07/06/2009|00:19] C:\DOCUME~1\palma\DADOSD~1\Winamp
[06/06/2009|19:19] C:\DOCUME~1\palma\DADOSD~1\WinRAR

--------------------\\ Tarefas Agendadas na pasta C:\WINDOWS\Tasks

[01/09/2009 00:51][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1454471165-682003330-1003UA.job
[30/08/2009 22:51][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1454471165-682003330-1003Core.job
[01/09/2009 23:02][--ah-----] C:\WINDOWS\tasks\SA.DAT
[28/10/2001 12:07][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Lista de pastas em C:\Arquivos de programas

[26/07/2009|19:15] C:\Arquivos de programas\abgx360
[12/07/2009|23:08] C:\Arquivos de programas\Adobe
[07/06/2009|00:15] C:\Arquivos de programas\Analog Devices
[12/07/2009|23:02] C:\Arquivos de programas\Arquivos comuns
[07/06/2009|00:35] C:\Arquivos de programas\AskBarDis
[07/06/2009|00:35] C:\Arquivos de programas\AskSearch
[11/08/2009|18:22] C:\Arquivos de programas\Asprate
[07/06/2009|00:31] C:\Arquivos de programas\ATI Technologies
[29/08/2009|21:47] C:\Arquivos de programas\Avira
[12/07/2009|23:08] C:\Arquivos de programas\Bonjour
[31/07/2009|20:01] C:\Arquivos de programas\Circl Developement
[06/06/2009|19:01] C:\Arquivos de programas\ComPlus Applications
[12/07/2009|12:20] C:\Arquivos de programas\DU Meter
[28/07/2009|19:11] C:\Arquivos de programas\Free Sound Recorder
[07/06/2009|02:22] C:\Arquivos de programas\Guitar Pro 5
[13/07/2009|18:29] C:\Arquivos de programas\Imagenomic
[07/06/2009|16:30] C:\Arquivos de programas\ImgBurn
[07/06/2009|00:31] C:\Arquivos de programas\InstallShield Installation Information
[06/06/2009|19:12] C:\Arquivos de programas\Intel
[06/06/2009|19:24] C:\Arquivos de programas\Internet Explorer
[27/07/2009|23:39] C:\Arquivos de programas\Java
[15/06/2009|22:56] C:\Arquivos de programas\KLC
[09/06/2009|16:49] C:\Arquivos de programas\K-Lite Codec Pack
[27/07/2009|23:39] C:\Arquivos de programas\LimeWire
[17/06/2009|00:27] C:\Arquivos de programas\Marvell
[06/06/2009|19:00] C:\Arquivos de programas\Messenger
[31/07/2009|20:01] C:\Arquivos de programas\Messenger Plus! Live
[06/06/2009|19:04] C:\Arquivos de programas\microsoft frontpage
[06/06/2009|19:02] C:\Arquivos de programas\Movie Maker
[01/09/2009|23:05] C:\Arquivos de programas\Mozilla Firefox
[06/06/2009|19:00] C:\Arquivos de programas\MSN Gaming Zone
[31/07/2009|20:01] C:\Arquivos de programas\MSN Messenger
[08/06/2009|11:14] C:\Arquivos de programas\Nero
[06/06/2009|19:02] C:\Arquivos de programas\NetMeeting
[06/08/2009|22:48] C:\Arquivos de programas\Opera
[06/06/2009|19:02] C:\Arquivos de programas\Outlook Express
[06/06/2009|19:03] C:\Arquivos de programas\Serviços on-line
[01/09/2009|23:02] C:\Arquivos de programas\Steam
[31/07/2009|01:13] C:\Arquivos de programas\Tibia
[30/08/2009|15:10] C:\Arquivos de programas\Trend Micro
[06/06/2009|19:09] C:\Arquivos de programas\Uninstall Information
[07/06/2009|00:35] C:\Arquivos de programas\uTorrent
[08/08/2009|14:38] C:\Arquivos de programas\VDOWNLOADER
[07/06/2009|00:15] C:\Arquivos de programas\Winamp
[27/08/2009|22:47] C:\Arquivos de programas\Winamp Remote
[07/06/2009|00:14] C:\Arquivos de programas\Winamp Toolbar
[31/07/2009|20:01] C:\Arquivos de programas\Windows Live
[07/06/2009|00:14] C:\Arquivos de programas\Windows Media Player
[06/06/2009|19:00] C:\Arquivos de programas\Windows NT
[06/06/2009|19:03] C:\Arquivos de programas\WindowsUpdate
[06/06/2009|19:19] C:\Arquivos de programas\WinRAR
[06/06/2009|19:04] C:\Arquivos de programas\xerox

--------------------\\ Lista de pastas em C:\Arquivos de programas\Arquivos comuns

[12/07/2009|23:07] C:\Arquivos de programas\Arquivos comuns\Adobe
[08/06/2009|11:16] C:\Arquivos de programas\Arquivos comuns\Ahead
[07/06/2009|00:30] C:\Arquivos de programas\Arquivos comuns\InstallShield
[12/07/2009|23:02] C:\Arquivos de programas\Arquivos comuns\Macrovision Shared
[29/08/2009|21:47] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared
[06/06/2009|19:02] C:\Arquivos de programas\Arquivos comuns\MSSoap
[06/06/2009|15:47] C:\Arquivos de programas\Arquivos comuns\ODBC
[06/06/2009|19:02] C:\Arquivos de programas\Arquivos comuns\Serviços
[06/06/2009|15:47] C:\Arquivos de programas\Arquivos comuns\SpeechEngines
[06/06/2009|19:01] C:\Arquivos de programas\Arquivos comuns\System

--------------------\\ Process

( 36 Processes )

... OK !

--------------------\\ Procura pelo S_Lop

Não foram encontradas pastas com o Lop!

--------------------\\ Procura por Arquivos/Ficheiros e pastas do Lop

Não foram encontradas pastas com o Lop!

--------------------\\ Procura no Registro

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

..... OK !

--------------------\\ Verificando o Arquivos/Ficheiros Hosts

Arquivos/Ficheiros Hosts LIMPO


--------------------\\ Procurando Arquivos/Ficheiros ocultos com o Catchme


--------------------\\ Procurando por outras infecções

--------------------\\ Suspect ..

C:\Photoshop Plugin - Eyecandy 4000.zip

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\palma\Desktop\CS3\CS3\CRACK
C:\DOCUME~1\palma\Desktop\CS3\CS3\CRACK.rar
C:\DOCUME~1\palma\Desktop\CS3\CS3\CRACK\CRACK
C:\DOCUME~1\palma\Desktop\CS3\CS3\CRACK\CRACK\photoshop.exe
C:\DOCUME~1\palma\Desktop\CS3\CS3\CRACK\CRACK\SERIAL.NFO
C:\DOCUME~1\palma\Recent\CRACK.lnk


[F:1354][D:51]-> C:\DOCUME~1\palma\CONFIG~1\Temp
[F:98][D:0]-> C:\DOCUME~1\palma\Cookies
[F:7705][D:8]-> C:\DOCUME~1\palma\CONFIG~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - ter 01/09/2009|23:14 - Option : [2]

--------------------\\ Verificação completa em 23:14:02

ComboFix

ComboFix 09-09-01.04 - palma 02/09/2009 2:33.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.3327.2583 [GMT -3:00]
Executando de: c:\documents and settings\palma\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
* Criado um novo ponto de restauração
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\arquivos de programas\AskSearch\bin\DefaultSearch.dll
c:\recycler\S-1-5-21-1659004503-1454471165-682003330-500
c:\windows\system32\a.exe

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-02 to 2009-09-02 ))))))))))))))))))))))))))))
.

2009-09-02 05:04 . 2009-09-02 05:05 -------- d-----w- C:\Analyze.This.That.Pack.DVDRip.x264.AC3-DEViSE
2009-09-02 02:43 . 2009-04-06 14:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-09-02 02:42 . 2009-02-10 19:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-02 02:41 . 2009-02-18 20:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-09-02 02:41 . 2009-09-02 02:41 -------- d-----w- c:\arquivos de programas\Agnitum
2009-09-02 02:41 . 2009-09-02 02:41 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Agnitum
2009-09-02 02:12 . 2009-09-02 02:14 -------- d-----w- C:\Lop SD
2009-09-02 02:11 . 2009-09-02 04:12 -------- d-----w- C:\GREEK.S03E01.720p.HDTV.x264-CTU
2009-08-30 18:10 . 2009-08-30 18:10 -------- d-----w- c:\arquivos de programas\Trend Micro
2009-08-30 00:47 . 2009-07-28 19:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-30 00:47 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-30 00:47 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-30 00:47 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-30 00:47 . 2009-08-30 00:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira
2009-08-30 00:47 . 2009-08-30 00:47 -------- d-----w- c:\arquivos de programas\Avira
2009-08-30 00:41 . 2009-08-30 00:41 -------- d-sh--w- c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW
2009-08-29 18:37 . 2009-08-29 21:09 -------- d-----w- C:\Psych.S04E04.720p.HDTV.x264-CTU
2009-08-28 15:58 . 2009-08-28 16:02 -------- d-----w- C:\Will.Smith.Movie.Pack.DVDRip.XviD-Torrentleech
2009-08-26 02:19 . 2009-08-29 18:40 -------- d-----w- C:\Good.Will.Hunting.1997.720p.BluRay.x264-SiNNERS
2009-08-23 23:47 . 2009-08-23 23:49 -------- d-----w- C:\Harry Potter - The Half Blood Prince TS XVID - STG
2009-08-23 02:48 . 2009-08-26 02:16 -------- d-----w- C:\The.Shawshank.Redemption.1994.720p.BluRay.x264-SiNNERS
2009-08-19 15:30 . 2009-08-19 15:45 -------- d-----w- C:\Aly And AJ - Into The Rush [2006][CD+SkidVid+Cov]
2009-08-19 15:29 . 2009-08-19 15:32 -------- d-----w- C:\Aly And AJ - Insomniatic [2007][CD+SkidVid+Cov]192Kbps
2009-08-16 23:48 . 2009-08-17 00:10 -------- d-----w- C:\Psych.S03.DVDRip.XviD-TorrentLeech
2009-08-14 01:44 . 2009-08-31 00:42 -------- d-----w- C:\Nova pasta
2009-08-11 21:22 . 2009-08-11 21:22 -------- d-----w- c:\arquivos de programas\Asprate
2009-08-10 16:01 . 2009-08-10 16:01 -------- d-----w- C:\Psych.S02.DVDRip.XViD-FoV
2009-08-09 22:04 . 2009-08-28 15:39 -------- d-----w- C:\Psych.S01.DVDRip.XviD-TOPAZ
2009-08-08 17:37 . 2009-08-08 17:37 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\Desktopicon
2009-08-08 17:37 . 2009-08-08 17:38 -------- d-----w- c:\arquivos de programas\VDOWNLOADER
2009-08-07 01:48 . 2009-08-07 01:48 -------- d-----w- c:\arquivos de programas\Opera
2009-08-05 22:04 . 2009-08-05 22:04 -------- d-----w- C:\Eye Candy 4000
2009-08-05 22:02 . 2009-08-05 22:04 2516584 ----a-w- C:\Photoshop Plugin - Eyecandy 4000.zip
2009-08-05 16:00 . 2009-07-13 23:52 380928 ----a-w- c:\documents and settings\palma\Dados de aplicativos\Mozilla\Firefox\Profiles\lgq26p0n.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-08-05 00:16 . 2009-08-05 00:16 -------- d-----w- C:\Rise_Against-The_Unraveling-2005-XXL
2009-08-05 00:16 . 2009-08-05 00:40 -------- d-----w- C:\Rise_Against-The_Sufferer_And_The_Witness-(Proper_Retail)-2006-ZyK
2009-08-05 00:14 . 2009-08-05 00:14 -------- d-----w- C:\Rise_Against-Revolutions_Per_Minute-2003-EMG_INT
2009-08-04 03:40 . 2009-08-04 03:40 -------- d-----w- c:\windows\Sun

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 05:32 . 2009-06-07 03:35 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\uTorrent
2009-09-02 02:44 . 2009-07-19 00:05 -------- d-----w- c:\arquivos de programas\Steam
2009-08-28 01:47 . 2009-06-07 03:14 -------- d-----w- c:\arquivos de programas\Winamp Remote
2009-08-08 17:30 . 2009-07-28 02:40 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\LimeWire
2009-08-03 00:06 . 2009-07-20 06:48 536870912 --sha-w- C:\WinPEpge.sys
2009-07-31 23:03 . 2009-07-31 23:03 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!
2009-07-31 23:01 . 2009-07-31 23:01 -------- d-----w- c:\arquivos de programas\Circl Developement
2009-07-31 23:01 . 2009-07-31 23:01 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2009-07-31 23:01 . 2009-06-06 22:38 -------- d-----w- c:\arquivos de programas\MSN Messenger
2009-07-31 23:01 . 2009-07-31 23:01 -------- d-----w- c:\arquivos de programas\Windows Live
2009-07-31 04:13 . 2009-07-31 04:12 -------- d-----w- c:\arquivos de programas\Tibia
2009-07-31 04:13 . 2009-07-31 04:12 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\Tibia
2009-07-30 02:42 . 2009-07-30 02:41 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\Cool Record Edit Pro
2009-07-28 23:20 . 2009-07-13 01:32 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2009-07-28 22:11 . 2009-07-28 22:11 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\Free Sound Recorder
2009-07-28 22:11 . 2009-07-28 22:10 -------- d-----w- c:\arquivos de programas\Free Sound Recorder
2009-07-28 02:39 . 2009-07-28 02:14 -------- d-----w- c:\arquivos de programas\LimeWire
2009-07-28 02:39 . 2009-07-28 02:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-28 02:39 . 2009-07-28 02:39 -------- d-----w- c:\arquivos de programas\Java
2009-07-28 02:39 . 2009-07-28 02:39 152576 ----a-w- c:\documents and settings\palma\Dados de aplicativos\Sun\Java\jre1.6.0_11\lzma.dll
2009-07-26 22:15 . 2009-06-07 19:29 -------- d-----w- c:\arquivos de programas\abgx360
2009-07-18 23:43 . 2009-07-18 23:43 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-07-13 21:29 . 2009-07-13 21:29 -------- d-----w- c:\arquivos de programas\Imagenomic
2009-07-13 02:12 . 2009-07-13 02:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\FLEXnet
2009-07-13 02:08 . 2009-07-13 02:08 -------- d-----w- c:\arquivos de programas\Bonjour
2009-07-13 02:07 . 2009-06-09 03:42 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2009-07-13 02:02 . 2009-07-13 02:02 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macrovision Shared
2009-07-12 15:20 . 2009-07-12 15:20 -------- d-----w- c:\arquivos de programas\DU Meter
2009-07-12 15:20 . 2009-07-12 15:20 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hagel Technologies
2009-07-04 01:43 . 2001-10-28 15:07 67450 ----a-w- c:\windows\system32\perfc016.dat
2009-07-04 01:43 . 2001-10-28 15:07 425426 ----a-w- c:\windows\system32\perfh016.dat
2009-06-07 03:33 . 2009-06-07 03:33 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-07 03:25 . 2009-06-07 03:25 0 ----a-w- c:\windows\nsreg.dat
2009-06-06 22:22 . 2009-06-06 22:04 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-06 22:01 . 2009-06-06 22:01 21844 ----a-w- c:\windows\system32\emptyregdb.dat
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\arquivos de programas\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 15:47 333192 ----a-w- c:\arquivos de programas\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\arquivos de programas\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\arquivos de programas\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Orb"="c:\arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 139264]
"DU Meter"="c:\arquivos de programas\DU Meter\DUMeter.exe" [2008-06-10 2645528]
"Steam"="c:\arquivos de programas\Steam\Steam.exe" [2009-07-19 1217784]
"Google Update"="c:\documents and settings\palma\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-08-07 133104]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Windows Login Assistant"="c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe" [2004-08-04 68176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\arquivos de programas\Winamp\winampa.exe" [2008-08-03 36352]
"StartCCC"="c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-29 61440]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SoundMAXPnP"="c:\arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2007-10-09 1036288]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-07-28 136600]
"Windows Login Assistant"="c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe" [2004-08-04 68176]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"OutpostMonitor"="c:\arquiv~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\arquivos de programas\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Windows Login Assistant"="c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe" [2004-08-04 68176]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Windows Login Assistant"="c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe" [2004-08-04 68176]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\cerealk2410\\counter-strike\\hl.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\cerealk2410\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [1/9/2009 23:43 704384]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [29/8/2009 21:47 108289]
R2 DUMeterSvc;DU Meter Service;c:\arquivos de programas\DU Meter\DUMeterSvc.exe [12/7/2009 12:20 1386008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [1/9/2009 23:41 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [1/9/2009 23:42 257432]
R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [6/6/2009 19:19 2048]
S2 acssrv;Agnitum Client Security Service;c:\arquiv~1\Agnitum\OUTPOS~1\acs.exe [1/9/2009 23:41 1195008]
S2 ASKUpgrade;ASKUpgrade;c:\arquivos de programas\AskBarDis\bar\bin\ASKUpgrade.exe [7/6/2009 00:35 234888]

--- =Outros Serviços/Drivers Na Memória ---

*NewlyCreated* - ACSSRV
*NewlyCreated* - AFWCORE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
"c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe"
.
Conteúdo da pasta 'Tarefas Agendadas'
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.ask.com/?o=13928&l=dis
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\palma\Dados de aplicativos\Mozilla\Firefox\Profiles\lgq26p0n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.adrenaline.com.br/forum/
FF - component: c:\documents and settings\palma\Dados de aplicativos\Mozilla\Firefox\Profiles\lgq26p0n.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\palma\Dados de aplicativos\Mozilla\Firefox\Profiles\lgq26p0n.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 02:36
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe [856] 0x89CEDC08

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="c:\arquivos de programas\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(1200)
c:\windows\system32\Ati2evxx.dll
.
Tempo para conclusão: 2009-09-02 2:36
ComboFix-quarantined-files.txt 2009-09-02 05:36

Pré-execução: 2.861.043.712 bytes disponíveis
Pós execução: 3.605.725.184 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Hello, Mr. Wolf.

Thanks for the reply. As for the firewall issue, I did what you said, but it didn't work; the alert keeps appearing every time I turn on the notebook. I'm not managing to post the Kaspersky result, but I ran it twice and nothing was detected, no virus at all.

I await your comments.

Once again, thank you very much.
Artur
 
please...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:57, on 2/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\RTHDCPL.EXE
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Arquivos de programas\GIGABYTE\EnergySaver\GSvr.exe
C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Arquivos de programas\Megaupload\Mega Manager\MegaManager.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13928&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Arquivos de programas\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Arquivos de programas\Megaupload\Mega Manager\MegaIEMn.dll (file missing)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [kava] C:\WINXP\system32\kavo.exe
O4 - HKCU\..\Run: [anhtaas] C:\WINXP\system32\cvsdfw.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAD12B5B-4F64-499D-BCB1-8419A4620C8F}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: ,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\581246kou.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Arquivos de programas\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINXP\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Arquivos de programas\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP\system32\HPZipm12.exe

--
End of file - 4954 bytes

Thanks!
 
Thank you very much, Mr Wolf. Your help was of great value.
I'm much more relieved to know that everything is OK now.
Good luck to you, and congratulations on your initiative to help us identify and remove viruses, since nowadays this wave of ever-stronger viruses is quite complicated.
 
Mr. Wolf, I've been reading some posts here and you're really doing a great job, man! I've been using the forum for a year and had never visited this topic, but I loved finding it! Subscribed already :)

Well, here at the company where I work we caught the reader_s virus, which I saw in another user's problem in March of this year. Your recommendations said it was the worst pest so far and that as a last resort it would even mean formatting (the very last resort, since throwing the HD out the window doesn't count, right? It might hit a pedestrian... :lol: )

I'd like to know whether there is a solution for it yet. I don't have access to install programs on the machine here (mine and my boss's are infected; it seems to have spread immediately), but someone from the support company is coming tomorrow and they'll probably format both machines. If you have another idea, I'd like to suggest it to the technician on duty. I know they've already tried the malware remover, ComboFix and the conventional antiviruses, but I'm not sure they followed the order needed to get the most out of those tools.
 
Hello Mr. Wolf, here are the logs! Only I couldn't use Kaspersky; it keeps freezing all the time and won't go forward or backward :fist:

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:31:26, on 03/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\cmpe.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\update.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ceara.gov.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\system32\gbiehcef.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Seleção HP Smart - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246401445375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{296EF59E-B6E5-41FB-95E7-7542B2586E78}: NameServer = 200.165.132.155 200.149.55.140
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

--
End of file - 5350 bytes



ComboFix:
ComboFix 09-09-02.02 - Nóis Todos 03/09/2009 9:04.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.223.91 [GMT -3:00]
Executando de: c:\documents and settings\Nóis Todos\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Nóis Todos\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\drivers\fprnmn.sys"
"c:\windows\system32\drivers\npfs64.sys"
"c:\windows\system32\msvfw64.dll"
"c:\windows\system32\msvfw64.tmp"
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
c:\documents and settings\All Users\Dados de aplicativos\GbPlugin\Cef\Cef.gdt
c:\windows\system32\msvfw64.dll
c:\windows\system32\msvfw64.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPFS64
-------\Service_abp470n5
-------\Service_npfs64


(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-03 to 2009-09-03 ))))))))))))))))))))))))))))
.

2009-09-03 12:10 . 2009-09-03 12:10 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-08-27 20:34 . 2007-04-09 16:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2009-08-27 20:32 . 2009-08-27 20:32 -------- d-----w- c:\arquivos de programas\Microsoft.NET
2009-08-27 20:27 . 2009-08-27 20:27 -------- d--h--r- C:\MSOCache
2009-08-27 14:48 . 2009-08-27 14:48 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-27 14:48 . 2009-08-27 20:32 -------- d-----w- c:\windows\ShellNew
2009-08-27 13:27 . 2009-08-27 14:46 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Yahoo! Companion
2009-08-27 13:26 . 2009-08-27 14:46 -------- d-----w- c:\arquivos de programas\Yahoo!
2009-08-27 12:17 . 2009-08-27 14:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-08-12 17:48 . 2009-08-12 17:48 578560 ----a-w- c:\windows\system32\gbiehcef.dll
2009-08-04 17:51 . 2009-07-03 16:59 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-04 17:51 . 2009-07-03 16:59 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-04 13:09 . 2007-01-08 17:13 603136 ----a-w- c:\windows\luninstall.exe
2009-08-04 13:09 . 2007-10-09 12:09 1640960 ----a-w- c:\windows\lhelp.exe

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 12:46 . 2008-04-14 12:00 48846 ----a-w- c:\windows\system32\perfc016.dat
2009-08-31 12:46 . 2008-04-14 12:00 344734 ----a-w- c:\windows\system32\perfh016.dat
2009-08-27 19:15 . 2009-06-30 23:40 -------- d-----w- c:\arquivos de programas\eMule
2009-08-27 16:24 . 2009-07-01 14:36 -------- d-----w- c:\arquivos de programas\Total Video Converter
2009-08-05 15:47 . 2009-06-30 14:49 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:00 . 2008-04-14 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 13:09 . 2009-08-03 15:44 -------- d-----w- c:\arquivos de programas\Oi Velox
2009-07-30 17:02 . 2009-07-30 17:01 -------- d-----w- c:\arquivos de programas\Philips
2009-07-30 17:02 . 2009-07-30 17:01 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-07-20 17:32 . 2009-06-30 14:53 -------- d-----w- c:\arquivos de programas\The KMPlayer
2009-07-17 19:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 15:21 . 2008-04-14 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 15:12 . 2009-06-30 16:19 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2009-07-10 22:36 . 2009-07-10 22:36 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HPSSUPPLY
2009-07-10 02:45 . 2009-07-10 02:45 -------- d-----w- c:\arquivos de programas\MSXML 4.0
2009-07-09 23:38 . 2009-07-09 22:50 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HP
2009-07-09 23:05 . 2009-07-09 23:05 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\WEBREG
2009-07-09 22:59 . 2009-07-09 21:24 167986 ----a-w- c:\windows\hpoins28.dat
2009-07-09 22:50 . 2009-07-09 22:50 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HP Product Assistant
2009-07-09 22:50 . 2009-07-09 22:48 -------- d-----w- c:\arquivos de programas\HP
2009-07-09 22:50 . 2009-07-09 22:50 -------- d-----w- c:\arquivos de programas\Hewlett-Packard
2009-07-09 22:50 . 2009-07-09 22:50 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Hewlett-Packard
2009-07-09 22:49 . 2009-07-09 22:49 -------- d-----w- c:\arquivos de programas\Arquivos comuns\HP
2009-07-09 21:24 . 2009-07-09 21:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hewlett-Packard
2009-07-09 15:52 . 2009-07-09 15:52 -------- d-----w- c:\arquivos de programas\MsoSetup
2009-07-08 17:36 . 2009-07-08 17:36 -------- d-----w- c:\arquivos de programas\Sony Ericsson
2009-07-08 16:56 . 2009-07-08 16:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-08 16:56 . 2009-07-08 16:56 -------- d-----w- c:\arquivos de programas\Java
2009-07-06 13:36 . 2009-07-06 13:36 -------- d-----w- c:\arquivos de programas\Programas RFB
2009-07-05 14:53 . 2009-07-05 14:53 -------- d-----w- c:\arquivos de programas\WinAVI Video Converter
2009-07-03 16:59 . 2008-04-14 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-30 15:20 . 2009-06-30 14:49 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-30 14:21 . 2009-06-30 14:21 21844 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-25 08:27 . 2008-04-14 12:00 732672 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:27 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-23 09:22 . 2009-07-01 13:37 24893616 ----a-w- C:\AdbeRdr910_pt_BR.exe
2009-06-16 14:39 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:39 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 10:44 . 2008-04-14 12:00 77824 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:44 . 2008-04-14 12:00 81408 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-10 14:14 . 2008-04-14 12:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 12:21 . 2009-06-30 14:20 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:15 . 2008-04-14 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-09-03_11.42.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 12:10 . 2009-09-03 12:10 16384 c:\windows\temp\Perflib_Perfdata_2c4.dat
+ 2009-06-30 11:12 . 2009-09-03 12:10 194568 c:\windows\system32\FNTCACHE.DAT
- 2009-06-30 11:12 . 2009-08-28 11:33 194568 c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"desp2k"="c:\arquivos de programas\Oi Velox\Manager\desp2k.exe" [2006-08-03 65536]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\windows\system32\gbiehcef.dll" [2009-08-12 578560]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Philips SA30XX Device Manager.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Philips SA30XX Device Manager.lnk
backup=c:\windows\pss\Philips SA30XX Device Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [30/06/2009 11:49 108289]
R2 cmpe;Context Manager Process Extension;c:\windows\system32\cmpe.exe [26/02/2007 10:11 61440]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/06/2002 00:09 31232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.ceara.gov.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-03 09:12
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\gbiehcef.dll

- - - - - - - > 'explorer.exe'(2780)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-09-03 9:17 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-09-03 12:17
ComboFix2.txt 2009-09-03 11:45
ComboFix3.txt 2009-08-31 13:14

Pré-execução: 6 pasta(s) 42.609.074.176 bytes disponíveis
Pós execução: 6 pasta(s) 42.576.351.232 bytes disponíveis

198 --- E O F --- 2009-09-03 11:35

And as for the image, it was this one below \/, but after I did what you told me the other time the screen changed, saying it wasn't possible to run the ''thatthingIdon'tknowhowtoname'' :yes:
Did it have something to do with the so-called virus? :huh:
 

Attachments

  • coisaqapareceu.bmp
    134.5 KB · Views: 127
Hello everyone, good afternoon! I'll reply to the logs in this same post, OK.


Friend pie†ro, please follow the instructions in the spoiler:

- Download UsbFix and save it to the desktop:

● Temporarily disable your antivirus;
● Double-click the program's icon and install it normally;
● Double-click the UsbFix icon created on the desktop to run it;
● On the first screen, type P | Portugues and press Enter. On the next screen, type 2 and press Enter to continue;
● A notice will appear asking you to insert your removable device(s) into your computer's USB port(s). Do so: connect your pen drive, external HD, MP3, MP4, cell phone, memory card, digital camera or any other removable media you have, and click OK on both messages. Your computer will shut down automatically!
Keep the media plugged in. Do not remove them!
● When your computer restarts, your desktop will not be shown and the tool will run again to do a final check. Just wait;
● When it finishes, Notepad will open with the log for you. Close Notepad by clicking the window's X. The log will also be at C:\UsbFix.txt

NOTE: If after restarting the desktop shows only the wallpaper, with no icons or bars, press Ctrl + Alt + Delete to open Task Manager. Click File > New Task (Run...), type: explorer.exe and click OK.

Post the UsbFix log along with a new log.txt from RSIT - you don't need to post info.txt.
_________________________________


Tiagoquiroga, I recommend that you install a firewall on the computer. Follow the steps below:

- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so it doesn't detect the tool as a virus;
● Double-click the combofix.exe icon to start the scan;
● Read the agreement that appears and click Yes to continue;
● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;
● Wait while ComboFix scans;
● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
Do not click on the ComboFix window, and try not to use the keyboard either, so as not to interfere with the tool's scan;
● If you want to quit or stop ComboFix, press N;
● When it finishes, your PC will restart. After the restart, the tool will run again; wait;
● A log will be generated at C:\ComboFix.txt.

Paste this log in your next reply.
_________________________________


didifpg, let's go; follow the steps below in the spoiler:

Go to Start > Run, type sysdm.cpl and click OK. Click the System Restore tab and check the "Turn off System Restore" option > OK. Keep the feature turned off for now.

- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so it doesn't detect the tool as a virus;
● Double-click the combofix.exe icon to start the scan;
● Read the agreement that appears and click Yes to continue;
● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;
● Wait while ComboFix scans;
● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
Do not click on the ComboFix window, and try not to use the keyboard either, so as not to interfere with the tool's scan;
● If you want to quit or stop ComboFix, press N;
● When it finishes, your PC will restart. After the restart, the tool will run again; wait;
● A log will be generated at C:\ComboFix.txt.

Paste this log in your next reply.
_________________________________


palma, the P2P client LimeWire was the main cause of the malware infections on your machine. Currently this file-sharing program is not safe to use; in fact, the program has been installing adware and spyware on its own, without the user permitting such installation. I suggest you choose another file-sharing client. The safest ones at the moment are: DreaMule (the newest, Brazilian version of eMule), eMule, Ares Galaxy, SoulSeek, Shareaza. But the choice is yours!

Follow the instructions below, friend palma:

Select and copy the text below. Paste it into Notepad on your computer and save it to the desktop with the name CFScript.txt

Code:
Folder::
C:\Lop SD
C:\arquivos de programas\AskBarDis
File::
c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Assistant"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Assistant"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Windows Login Assistant"=-
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Windows Login Assistant"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
Driver::
ASKUpgrade
DirLook::
c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW
Drag the CFScript onto ComboFix as in the image below and wait for the tool to run automatically:

CFScript.gif


● If prompted, press Enter to start the removal process;
Do not use the mouse or keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may restart automatically. If it doesn't, restart it manually.

In your next reply, paste ComboFix.txt and a new HijackThis log.
_________________________________


Artsimoes, could you, or would you be able to, take a screenshot of the alert that appears when you turn on the notebook and post it here so we can analyze it better?!

Seeing the image makes things clearer so we can help you better and perhaps understand why this is happening. If you can't, or aren't able to, post the image, please tell us exactly what the alert message says when it is displayed.

_________________________________


bosalla, follow the steps below in the spoiler:

Go to Control Panel > Add or Remove Programs. Find and uninstall the AskBarDis component.

- Download UsbFix and save it to the desktop:

● Temporarily disable your antivirus;
● Double-click the program's icon and install it normally;
● Double-click the UsbFix icon created on the desktop to run it;
● On the first screen, type P | Portugues and press Enter. On the next screen, type 2 and press Enter to continue;
● A notice will appear asking you to insert your removable device(s) into your computer's USB port(s). Do so: connect your pen drive, external HD, MP3, MP4, cell phone, memory card, digital camera or any other removable media you have, and click OK on both messages. Your computer will shut down automatically!
Keep the media plugged in. Do not remove them!
● When your computer restarts, your desktop will not be shown and the tool will run again to do a final check. Just wait;
● When it finishes, Notepad will open with the log for you. Close Notepad by clicking the window's X. The log will also be at C:\UsbFix.txt

NOTE: If after restarting the desktop shows only the wallpaper, with no icons or bars, press Ctrl + Alt + Delete to open Task Manager. Click File > New Task (Run...), type: explorer.exe and click OK.

Post the UsbFix log along with a new HijackThis log.
_________________________________


karolz, you may need to contact the support of the internet banking you use on your computer, which from the log appears to be Caixa Econômica Federal, and ask the bank's support to e-mail you the removal method for the GbPlugin plugin so you can remove it, because this plugin has a different removal method for each computer.

Follow the steps below, Karol:

Restart the computer in Safe Mode.

Paste this text into Notepad and save it to the desktop as CFScript.txt

Code:
KILLALL::

Folder::
c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
c:\documents and settings\All Users\Dados de aplicativos\Yahoo! Companion
c:\arquivos de programas\Yahoo!

File::
c:\windows\system32\gbiehcef.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"=-
Drag the CFScript onto ComboFix as in the image below and wait for the tool to run automatically:

CFScript.gif


● If prompted, press Enter to start the removal process;
Do not use the mouse or keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may restart automatically. If it doesn't, restart it manually.

In your next reply, paste ComboFix.txt and a new HijackThis log.
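The CFScript files posted above for palma and for karolz use ComboFix's section syntax (KILLALL::, Folder::, File::, Registry::, Driver::, DirLook::), and a reviewer wants to see exactly what such a script will delete before dragging it onto ComboFix. The following dry-run parser is an added example, not code from this thread or from the ComboFix project; the meaning it assigns to each section and to the regedit-style `[-KEY]` / `"name"=-` lines is an assumption drawn from how the scripts are used here, and the sample input is the karolz script reproduced as constructed test data.

```python
"""Dry-run interpreter for ComboFix CFScript.txt files (added example).

It never touches the filesystem or the registry: it only turns the script
into an ordered list of planned actions so the remediation can be reviewed.
The section semantics below are assumed from this thread's usage, not
taken from ComboFix documentation.
"""
import re
from collections import Counter
from dataclasses import dataclass

# A section header is a bare word followed by "::" (Folder::, Registry::, ...).
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Registry:: uses regedit-style lines: "[-KEY]" deletes a key, "[KEY]" selects
# it, and '"name"=-' deletes a value under the currently selected key.
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
REG_VALUE_DEL_RE = re.compile(r'^"([^"]*)"=-$')


@dataclass(frozen=True)
class Action:
    kind: str          # what ComboFix would do
    target: str        # file, folder, service name or registry key
    detail: str = ""   # registry value name or a note


def parse_cfscript(text: str) -> list[Action]:
    """Parse CFScript text into the ordered list of actions it requests."""
    actions: list[Action] = []
    section = None
    current_key = None           # key selected by the last "[KEY]" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            if section == "killall":   # KILLALL:: takes no arguments
                actions.append(Action("kill_processes", "*",
                                      "stop non-essential processes first"))
            continue
        if section is None:
            raise ValueError(f"line outside any section: {line!r}")
        if section == "folder":
            actions.append(Action("delete_folder", line))
        elif section == "file":
            actions.append(Action("delete_file", line))
        elif section == "driver":
            actions.append(Action("delete_service", line))
        elif section == "dirlook":
            actions.append(Action("list_directory", line, "read-only, goes to the log"))
        elif section == "registry":
            key = REG_KEY_RE.match(line)
            if key:
                minus, name = key.groups()
                if minus:
                    actions.append(Action("delete_reg_key", name))
                    current_key = None
                else:
                    current_key = name
                continue
            value = REG_VALUE_DEL_RE.match(line)
            if value is None:
                raise ValueError(f"unsupported Registry:: line: {line!r}")
            if current_key is None:
                raise ValueError(f"value deletion without a [KEY] line: {line!r}")
            actions.append(Action("delete_reg_value", current_key, value.group(1)))
        elif section == "killall":
            raise ValueError(f"KILLALL:: takes no arguments: {line!r}")
        else:
            raise ValueError(f"unknown section {section!r}")
    return actions


def summarize(actions: list[Action]) -> dict[str, int]:
    """Count planned actions by kind, e.g. {'delete_file': 1, ...}."""
    return dict(Counter(a.kind for a in actions))


def render_plan(actions: list[Action]) -> str:
    """Human-readable review of the plan, one action per line."""
    lines = []
    for a in actions:
        extra = f"  ({a.detail})" if a.detail else ""
        lines.append(f"{a.kind:16} {a.target}{extra}")
    return "\n".join(lines)


# Constructed sample: the CFScript posted for karolz in this thread.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Folder::
c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
c:\documents and settings\All Users\Dados de aplicativos\Yahoo! Companion
c:\arquivos de programas\Yahoo!

File::
c:\windows\system32\gbiehcef.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"=-
"""

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print(render_plan(plan))
    print(summarize(plan))
```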
 
Mr. Wolf, andei lendo alguns posts aqui e realmente você está fazendo um ótimo trabalho, cara! Uso o fórum há um ano já e nunca tinha visitado este tópico, mas adorei tê-lo encontrado! Assinado desde já :)

Well, here at the company where I work we caught the reader_s virus, which I saw in another user's problem in March this year. Your recommendations said it was the worst pest so far and that as a last resort it would even mean formatting (really the last resort, since throwing the HD out the window doesn't count, right? It might hit a pedestrian... :lol: )

I'd like to know whether there is already a solution for it. I don't have access to install programs on the machine here (mine and my boss's are infected, it seems it spread immediately), but someone from the support company will come here tomorrow and will probably format both machines. If you have another idea, I'd like to suggest it to the technician on duty. I know they've already tried Malware Remover, ComboFix and the conventional antiviruses, but I'm not sure they followed the order needed to get the most out of these tools.
Hello aerotfs, I'm glad you liked the thread. :)

Well, friend aerotfs, I even know which case you mentioned (which I can't find here in the thread right now), in which I asked the user to format the machine because of the infection by the reader_s file infector. First, I'll explain to you why I asked the user to format, and what this virus is.

reader_s is nothing more than a file infector, as I just said, called Virut. This kind of virus simply infects every executable (.exe) on Windows, without exception, whether the .exe files of the antivirus, of the system, of the anti-spyware, etc. And the more you use the computer, the more the virus damages and destabilizes it, until the point where you can't do absolutely anything anymore.

Well then, although it is recommended, it's still not a case for formatting, because a few tools do exist for removing Virut. The case in which I told the friend to format was due to a variant of a rootkit that sometimes comes bundled in Virut's code, called the Russian Rootkit, the worst pest ever created, for which unfortunately there is still no solution. The Virut (reader_s) that was on the computer of the friend I asked to format came precisely with the variant of this Russian rootkit. Only for that reason did I ask the user to take the drastic step of formatting, because it would have been no use trying to remove the Russian rootkit, given that there are no means of removing it. We would only waste time and wear ourselves out attempting something that is, so far, impossible. In this link here I explain more about the Russian rootkit to my good friend |St1ng3r|. I recommend reading it.

In short, friend aerotfs, if the Virut (reader_s) on your computer has the Russian rootkit variants, I can only tell you to format the HD. Even if this rootkit variant isn't with the Virut, if it is already at an advanced level it is also impossible to remove. I'll tell you up front that neither ComboFix nor Malware Remover removes the thing; specific tools are needed to deal with this infection.

However, I need to know the Virut variant that is on your machine, aerotfs.

But since you need this urgently, so that they don't format the PC there prematurely, I'll tell you some tools that can be used to remove Virut reader_s. They are:

Kaspersky AVP Tool, or installing the antivirus itself, which can be downloaded here
Dr.Web CureIt
Malwarebytes' Anti-Malware (run this one first)
ESET NOD32 Online Scanner (online scan, must be done from Internet Explorer), or installing the antivirus
Virut Removal Tool by Symantec
RMVIRUT.exe and RMVIRUT.nt by Grisoft (both tools must be in the same folder, and run with the following command in Start > Run: "C:\Pasta\rmvirut.exe C:" without quotes. It also needs to be done in Safe Mode)
Kaspersky Rescue Disk (burn it to a CD and boot the computer from it. Program tutorial here)

There are other alternatives one can try to remove Virut as well. But they are not as effective as the ones listed above.

Just a reminder, aerotfs: if the Virut comes with the Russian rootkit variant, don't waste time running the tools I gave you, as they won't even "tickle" the rootkit. If you can't identify it, please post the Kaspersky AVP Tool report here and I'll help you identify the rootkit.

Good luck in this fight!!!

If anything comes up, post.
 
palma, the LimeWire P2P client was the main cause of the malware infections on your machine. Currently this file-sharing client is not safe to use; in fact, the program itself has been installing adware and spyware without the user allowing such installation. I suggest you choose another file-sharing client. The safest ones currently are: DreaMule (newer, Brazilian version of eMule), eMule, Ares Galaxy, SoulSeek, Shareaza. But the choice is yours!

Follow the instructions below, friend palma:

Select and copy the text below. Paste it into Notepad on your computer and save it on the desktop with the name CFScript.txt

Code:
Folder::
C:\Lop SD
C:\arquivos de programas\AskBarDis
File::
c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Assistant"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Assistant"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Windows Login Assistant"=-
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Windows Login Assistant"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
Driver::
ASKUpgrade
DirLook::
c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW
Drag the CFScript onto ComboFix as in the image below and wait for the tool to run automatically:

CFScript.gif


● If prompted, press Enter to start the removal process;
● Do not use the mouse or keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may restart automatically. If it does not, restart it manually.

In your next reply, paste ComboFix.txt and a new HijackThis log.
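
As an added illustration (not part of this thread, and not code from ComboFix, HijackThis or any tool named here) of how the CFScripts in this reply and in the reply to karolz above are derived from a HijackThis log: the script below reads HijackThis lines of the kind posted in this thread, flags the three things those scripts act on (an IE start/search page redirected away from the vendor defaults, a BHO whose DLL is gone, and a Run entry launching a system-binary name such as winlogon.exe from a profile folder), and drafts the matching File:: and Registry:: directives for the analyst to review. The sample lines are constructed, modelled on the log in this thread; the trusted-domain list and the system-binary list are my assumptions, not anything the tools define.

```python
"""Triage of HijackThis log lines (added example, not part of this thread):
flag the entries the helper's CFScripts act on and draft the matching
ComboFix File::/Registry:: directives for review."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13928&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O4 - HKCU\..\Run: [Windows Login Assistant] C:\Documents and Settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe
O4 - HKCU\..\Run: [Steam] "C:\Arquivos de programas\Steam\Steam.exe" -silent
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
"""

# Assumption: domains Windows/IE legitimately point the R0/R1 pages at.
TRUSTED_PAGE_DOMAINS = ("microsoft.com", "msn.com", "live.com")
# Assumption: binaries that only belong under %windir%; the same name in a
# profile folder (as in the CFScript above) is a masquerading dropper.
SYSTEM_BINARIES = ("winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe")
# HijackThis hive shorthand -> full Run key, as written in the CFScript above.
RUN_KEYS = {
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


@dataclass
class Finding:
    section: str      # HijackThis section tag, e.g. "O4"
    reason: str
    line: str
    hive: str = ""    # filled for O4 findings
    name: str = ""    # Run value name
    path: str = ""    # executable path


def _trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_PAGE_DOMAINS)


def triage(log_text):
    """Return one Finding per suspicious R0/R1, O2 or O4 line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line)
        if not m:
            continue
        tag, body = m.groups()
        if tag in ("R0", "R1"):
            url = body.split(" = ", 1)[-1]
            if url.startswith("http") and not _trusted(url):
                findings.append(Finding(tag, "IE start/search page redirected to " + url, line))
        elif tag == "O2" and body.endswith("(no file)"):
            findings.append(Finding(tag, "BHO registered but its DLL is gone (orphan entry)", line))
        elif tag == "O4":
            hm = re.match(r"(HKCU|HKLM|HKUS\\[^\\]+)\\\.\.\\Run: \[(.+?)\] (.*)$", body)
            pm = hm and re.match(r'"?(.*?\.exe)', hm.group(3), re.I)
            if not pm:
                continue
            path = pm.group(1)
            base = path.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_BINARIES and "\\windows\\" not in path.lower():
                findings.append(Finding(tag, base + " started from outside %windir%", line,
                                        hive=hm.group(1), name=hm.group(2), path=path))
    return findings


def draft_cfscript(findings):
    """Draft File:: and Registry:: sections in the form used in this thread
    (a value set to '-' is deleted) from the O4 findings."""
    o4 = [f for f in findings if f.section == "O4"]
    lines = []
    if o4:
        lines.append("File::")
        lines.extend(f.path for f in o4)
        lines.append("Registry::")
        for f in o4:
            if f.hive in RUN_KEYS:
                lines.append("[" + RUN_KEYS[f.hive] + "]")
                lines.append('"' + f.name + '"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(draft_cfscript(found))
```

Run it as-is and it reports the ask.com start page, the orphaned BHO and the winlogon.exe copy in the profile folder, then prints a File:: / Registry:: draft equivalent to the "Windows Login Assistant" lines of the CFScript above; the R0/R1 and O2 findings are reported only, since the page's scripts handle those through the CLSID-specific keys an analyst writes by hand.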

Mr Wolf, thanks for the tip. I used LimeWire back when it was still safe and Kazaa ruled. I needed to use it again and thought it was still safe. I'll uninstall it right away.

Here are the logs you asked for:

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:44:37, on 3/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\DU Meter\DUMeter.exe
C:\Arquivos de programas\Steam\Steam.exe
C:\Documents and Settings\palma\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\DU Meter\DUMeterSvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Winamp Remote\bin\Orb.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Winamp\winamp.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13928&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [OutpostMonitor] C:\ARQUIV~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Arquivos de programas\Agnitum\Outpost Firewall\feedback.exe" /dump:eek:s_startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DU Meter] C:\Arquivos de programas\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [Steam] "C:\Arquivos de programas\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\palma\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\ARQUIV~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Arquivos de programas\DU Meter\DUMeterSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7697 bytes

ComboFix
ComboFix 09-09-03.02 - palma 03/09/2009 17:31.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.3327.2722 [GMT -3:00]
Executando de: c:\documents and settings\palma\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\palma\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

FILE ::
"c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe"
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\arquivos de programas\AskBarDis
c:\arquivos de programas\AskBarDis\bar\bin\askBar.dll
c:\arquivos de programas\AskBarDis\bar\bin\askPopStp.dll
c:\arquivos de programas\AskBarDis\bar\bin\AskSplash.exe
c:\arquivos de programas\AskBarDis\bar\bin\AskTBApp.exe
c:\arquivos de programas\AskBarDis\bar\bin\ASKUpgrade.exe
c:\arquivos de programas\AskBarDis\bar\bin\psvince.dll
c:\arquivos de programas\AskBarDis\bar\Cache\0001ADA0.bin
c:\arquivos de programas\AskBarDis\bar\Cache\0001B272.bin
c:\arquivos de programas\AskBarDis\bar\Cache\0001B418.bin
c:\arquivos de programas\AskBarDis\bar\Cache\0001B5AE.bin
c:\arquivos de programas\AskBarDis\bar\Cache\0001B745.bin
c:\arquivos de programas\AskBarDis\bar\Cache\0001B8EB.bin
c:\arquivos de programas\AskBarDis\bar\Cache\0070342E
c:\arquivos de programas\AskBarDis\bar\Cache\files.ini
c:\arquivos de programas\AskBarDis\bar\History\search
c:\arquivos de programas\AskBarDis\bar\Settings\AskLogo.ico
c:\arquivos de programas\AskBarDis\bar\Settings\config.dat
c:\arquivos de programas\AskBarDis\bar\Settings\config.dat.bak
c:\arquivos de programas\AskBarDis\bar\Settings\prevcfg.htm
c:\arquivos de programas\AskBarDis\bar\Settings\prevCfg2.htm
c:\arquivos de programas\AskBarDis\unins000.dat
c:\arquivos de programas\AskBarDis\unins000.exe
c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe
C:\Lop SD
c:\lop sd\App-Prog.lsd
c:\lop sd\AuDoss.lsd
c:\lop sd\AutrInf.cmd
c:\lop sd\AWF.cmd
c:\lop sd\Back.cmd
c:\lop sd\Backup-Lop\DOCUME~1\ALLUSE~1\DADOSD~1\SETUP BEND FIRST 01\type poke.dat
c:\lop sd\Backup-Lop\DOCUME~1\ALLUSE~1\DADOSD~1\SETUP BEND FIRST 01\type poke.exe
c:\lop sd\Backup-Lop\DOCUME~1\LOCALS~1\DADOSD~1\BLEHTR~1\Skip Slow.exe
c:\lop sd\Backup-Lop\DOCUME~1\palma\CONFIG~1\Temp\sta154.exe
c:\lop sd\Backup-Lop\DOCUME~1\palma\Cookies\palma@advertising.marketnetwork[1].txt
c:\lop sd\Backup-Lop\DOCUME~1\palma\Cookies\palma@advertising[2].txt
c:\lop sd\Backup-Lop\DOCUME~1\palma\Cookies\palma@www.adserver5[2].txt
c:\lop sd\Backup-Lop\DOCUME~1\palma\DADOSD~1\BLEHTR~1\BOLTLOUDFINDDEFAULT.exe
c:\lop sd\Backup-Lop\DOCUME~1\palma\DADOSD~1\BLEHTR~1\Move mode drv.exe
c:\lop sd\Backup-Lop\DOCUME~1\palma\DADOSD~1\BLEHTR~1\pqhvycre.exe
c:\lop sd\Backup-Lop\DOCUME~1\palma\DADOSD~1\BLEHTR~1\Skip Slow.exe
c:\lop sd\Backup-Lop\Reg\HKCU_Run.reg
c:\lop sd\Backup-Lop\Reg\HKLM_Run.reg
c:\lop sd\Backup-Lop\Reg\HKLM_Uninstall.reg
c:\lop sd\Backup-Lop\Windows\Tasks\A3C15B5A906ACC6E.job
c:\lop sd\Boo.reg
c:\lop sd\BooFix.cmd
c:\lop sd\catchme.exe
c:\lop sd\catchme.log
c:\lop sd\Changelog Lop SD.txt
c:\lop sd\Crack.txt
c:\lop sd\DirectFix.cmd
c:\lop sd\Discl_en.vbs
c:\lop sd\Discl_fr.vbs
c:\lop sd\Discl_ne.vbs
c:\lop sd\Discl_sp.vbs
c:\lop sd\Discl_su.vbs
c:\lop sd\Doss.lsd
c:\lop sd\Icon_Lop.ico
c:\lop sd\iNv.exe
c:\lop sd\Key.txt
c:\lop sd\KILL.cmd
c:\lop sd\Langues.cmd
c:\lop sd\LopR_1.txt
c:\lop sd\LopScript.cmd
c:\lop sd\LopSD.cmd
c:\lop sd\lsTasks.exe
c:\lop sd\Orph.egd
c:\lop sd\OsV.exe
c:\lop sd\paths.bat
c:\lop sd\PrefKill.txt
c:\lop sd\Proc.txt
c:\lop sd\pv.exe
c:\lop sd\RegLop.reg
c:\lop sd\Rkeys.txt
c:\lop sd\RKit.lsd
c:\lop sd\RoGUeS.lsd
c:\lop sd\RunTool.txt
c:\lop sd\S_LopV.cmd
c:\lop sd\S_LopX.cmd
c:\lop sd\sed.exe
c:\lop sd\setpath.exe
c:\lop sd\Susp.txt
c:\lop sd\task.txt
c:\lop sd\WhL.lsd

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASKUPGRADE
-------\Service_ASKUpgrade


(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-03 to 2009-09-03 ))))))))))))))))))))))))))))
.

2009-09-02 05:04 . 2009-09-02 05:05 -------- d-----w- C:\Analyze.This.That.Pack.DVDRip.x264.AC3-DEViSE
2009-09-02 02:43 . 2009-04-06 14:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-09-02 02:42 . 2009-02-10 19:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-02 02:41 . 2009-02-18 20:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-09-02 02:41 . 2009-09-02 02:41 -------- d-----w- c:\arquivos de programas\Agnitum
2009-09-02 02:41 . 2009-09-02 02:41 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Agnitum
2009-09-02 02:11 . 2009-09-02 04:12 -------- d-----w- C:\GREEK.S03E01.720p.HDTV.x264-CTU
2009-08-30 18:10 . 2009-08-30 18:10 -------- d-----w- c:\arquivos de programas\Trend Micro
2009-08-30 00:47 . 2009-07-28 19:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-30 00:47 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-30 00:47 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-30 00:47 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-30 00:47 . 2009-08-30 00:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira
2009-08-30 00:47 . 2009-08-30 00:47 -------- d-----w- c:\arquivos de programas\Avira
2009-08-30 00:41 . 2009-09-03 20:38 -------- d-sh--w- c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW
2009-08-29 18:37 . 2009-09-02 15:26 -------- d-----w- C:\Psych.S04E04.720p.HDTV.x264-CTU
2009-08-19 15:30 . 2009-08-19 15:45 -------- d-----w- C:\Aly And AJ - Into The Rush [2006][CD+SkidVid+Cov]
2009-08-19 15:29 . 2009-08-19 15:32 -------- d-----w- C:\Aly And AJ - Insomniatic [2007][CD+SkidVid+Cov]192Kbps
2009-08-16 23:48 . 2009-08-17 00:10 -------- d-----w- C:\Psych.S03.DVDRip.XviD-TorrentLeech
2009-08-14 01:44 . 2009-08-31 00:42 -------- d-----w- C:\Nova pasta
2009-08-11 21:22 . 2009-08-11 21:22 -------- d-----w- c:\arquivos de programas\Asprate
2009-08-08 17:37 . 2009-08-08 17:37 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\Desktopicon
2009-08-08 17:37 . 2009-08-08 17:38 -------- d-----w- c:\arquivos de programas\VDOWNLOADER
2009-08-07 01:48 . 2009-08-07 01:48 -------- d-----w- c:\arquivos de programas\Opera
2009-08-05 22:04 . 2009-08-05 22:04 -------- d-----w- C:\Eye Candy 4000
2009-08-05 22:02 . 2009-08-05 22:04 2516584 ----a-w- C:\Photoshop Plugin - Eyecandy 4000.zip
2009-08-05 00:16 . 2009-08-05 00:16 -------- d-----w- C:\Rise_Against-The_Unraveling-2005-XXL
2009-08-05 00:16 . 2009-08-05 00:40 -------- d-----w- C:\Rise_Against-The_Sufferer_And_The_Witness-(Proper_Retail)-2006-ZyK
2009-08-05 00:14 . 2009-08-05 00:14 -------- d-----w- C:\Rise_Against-Revolutions_Per_Minute-2003-EMG_INT

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 20:41 . 2009-07-19 00:05 -------- d-----w- c:\arquivos de programas\Steam
2009-09-03 16:13 . 2009-06-07 03:35 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\uTorrent
2009-08-28 01:47 . 2009-06-07 03:14 -------- d-----w- c:\arquivos de programas\Winamp Remote
2009-08-08 17:30 . 2009-07-28 02:40 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\LimeWire
2009-08-03 00:06 . 2009-07-20 06:48 536870912 --sha-w- C:\WinPEpge.sys
2009-07-31 23:03 . 2009-07-31 23:03 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!
2009-07-31 23:01 . 2009-07-31 23:01 -------- d-----w- c:\arquivos de programas\Circl Developement
2009-07-31 23:01 . 2009-07-31 23:01 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2009-07-31 23:01 . 2009-06-06 22:38 -------- d-----w- c:\arquivos de programas\MSN Messenger
2009-07-31 23:01 . 2009-07-31 23:01 -------- d-----w- c:\arquivos de programas\Windows Live
2009-07-31 04:13 . 2009-07-31 04:12 -------- d-----w- c:\arquivos de programas\Tibia
2009-07-31 04:13 . 2009-07-31 04:12 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\Tibia
2009-07-30 02:42 . 2009-07-30 02:41 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\Cool Record Edit Pro
2009-07-28 23:20 . 2009-07-13 01:32 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2009-07-28 22:11 . 2009-07-28 22:11 -------- d-----w- c:\documents and settings\palma\Dados de aplicativos\Free Sound Recorder
2009-07-28 22:11 . 2009-07-28 22:10 -------- d-----w- c:\arquivos de programas\Free Sound Recorder
2009-07-28 02:39 . 2009-07-28 02:14 -------- d-----w- c:\arquivos de programas\LimeWire
2009-07-28 02:39 . 2009-07-28 02:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-28 02:39 . 2009-07-28 02:39 -------- d-----w- c:\arquivos de programas\Java
2009-07-26 22:15 . 2009-06-07 19:29 -------- d-----w- c:\arquivos de programas\abgx360
2009-07-18 23:43 . 2009-07-18 23:43 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-07-13 21:29 . 2009-07-13 21:29 -------- d-----w- c:\arquivos de programas\Imagenomic
2009-07-13 02:12 . 2009-07-13 02:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\FLEXnet
2009-07-13 02:08 . 2009-07-13 02:08 -------- d-----w- c:\arquivos de programas\Bonjour
2009-07-13 02:07 . 2009-06-09 03:42 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2009-07-13 02:02 . 2009-07-13 02:02 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macrovision Shared
2009-07-12 15:20 . 2009-07-12 15:20 -------- d-----w- c:\arquivos de programas\DU Meter
2009-07-12 15:20 . 2009-07-12 15:20 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hagel Technologies
2009-07-04 01:43 . 2001-10-28 15:07 67450 ----a-w- c:\windows\system32\perfc016.dat
2009-07-04 01:43 . 2001-10-28 15:07 425426 ----a-w- c:\windows\system32\perfh016.dat
2009-06-07 03:33 . 2009-06-07 03:33 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-07 03:25 . 2009-06-07 03:25 0 ----a-w- c:\windows\nsreg.dat
2009-06-06 22:01 . 2009-06-06 22:01 21844 ----a-w- c:\windows\system32\emptyregdb.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW ----

2009-08-30 00:41 . 2009-09-02 05:31 64 --sh--r- c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\Desktop.ini
2004-08-04 03:45 . 2004-08-04 03:45 68176 --sh--r- c:\documents and settings\palma\Dados de aplicativos\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe


((((((((((((((((((((((((((((( SnapShot@2009-09-02_05.36.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 20:41 . 2009-09-03 20:41 16384 c:\windows\temp\Perflib_Perfdata_9dc.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\arquivos de programas\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Orb"="c:\arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 139264]
"DU Meter"="c:\arquivos de programas\DU Meter\DUMeter.exe" [2008-06-10 2645528]
"Steam"="c:\arquivos de programas\Steam\Steam.exe" [2009-07-19 1217784]
"Google Update"="c:\documents and settings\palma\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-08-07 133104]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\arquivos de programas\Winamp\winampa.exe" [2008-08-03 36352]
"StartCCC"="c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-29 61440]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SoundMAXPnP"="c:\arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2007-10-09 1036288]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-07-28 136600]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"OutpostMonitor"="c:\arquiv~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\arquivos de programas\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\cerealk2410\\counter-strike\\hl.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\cerealk2410\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [1/9/2009 23:43 704384]
R2 acssrv;Agnitum Client Security Service;c:\arquiv~1\Agnitum\OUTPOS~1\acs.exe [1/9/2009 23:41 1195008]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [29/8/2009 21:47 108289]
R2 DUMeterSvc;DU Meter Service;c:\arquivos de programas\DU Meter\DUMeterSvc.exe [12/7/2009 12:20 1386008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [1/9/2009 23:41 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [1/9/2009 23:42 257432]
R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [6/6/2009 19:19 2048]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.ask.com/?o=13928&l=dis
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\palma\Dados de aplicativos\Mozilla\Firefox\Profiles\lgq26p0n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.adrenaline.com.br/forum/
FF - component: c:\documents and settings\palma\Dados de aplicativos\Mozilla\Firefox\Profiles\lgq26p0n.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\palma\Dados de aplicativos\Mozilla\Firefox\Profiles\lgq26p0n.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-03 17:41
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="c:\arquivos de programas\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(1204)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1668)
c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroSearchBar.dll
c:\arquivos de programas\Arquivos comuns\Ahead\Lib\MFC71U.DLL
c:\arquivos de programas\Arquivos comuns\Ahead\Lib\BCGCBPRO800u.dll
c:\windows\system32\msi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\arquivos de programas\Agnitum\Outpost Firewall\op_mon.exe
c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe
c:\arquivos de programas\Bonjour\mDNSResponder.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\arquivos de programas\Winamp Remote\bin\Orb.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-09-03 17:43 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-09-03 20:43
ComboFix2.txt 2009-09-02 05:36

Pré-execução: 23 pasta(s) 50.115.031.040 bytes disponíveis
Pós execução: 22 pasta(s) 50.048.712.704 bytes disponíveis

292
 
Hey, if you could take a look at the log, my aunt is having problems with that malware that keeps sending suspicious links to her Hotmail contact list:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:50:24, on 26/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SnAgOS.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\ARQUIV~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\SnMgrSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SnLiveUp.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\ARQUIV~1\AVG\AVG8\avgtray.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\SnEngine.EXE
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe
C:\ARQUIV~1\WinZip\winzip32.exe
C:\DOCUME~1\MARIAI~2\CONFIG~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Arquivos de programas\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Arquivos de programas\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Arquivos de programas\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://corp.globalenglish.com/html/setup/cabs/ge.cab
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data...econtrol2k.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187265538578
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Arquivos de programas\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9ccfee49e11b6) (gupdate1c9ccfee49e11b6) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Arquivos de programas\Arquivos comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 9185 bytes
 
Here's the log you asked me to paste...

>>

ComboFix 09-09-03.02 - Administrador 03/09/2009 19:29.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1015.605 [GMT -3:00]
Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\update93828.exe
c:\windows\UA000071.DLL

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-03 to 2009-09-03 ))))))))))))))))))))))))))))
.

2009-09-01 23:12 . 2009-09-01 23:12 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes
2009-09-01 23:11 . 2009-08-03 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 23:11 . 2009-09-01 23:11 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-09-01 23:11 . 2009-09-01 23:11 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-09-01 23:11 . 2009-08-03 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 01:31 . 2009-08-27 01:31 12 ----a-w- c:\windows\Emcmm.dat
2009-08-25 01:42 . 2009-08-25 01:47 -------- d-----w- c:\documents and settings\Administrador\.rainlendar2
2009-08-25 01:41 . 2009-08-25 01:47 -------- d-----w- c:\arquivos de programas\Rainlendar2
2009-08-22 00:50 . 2009-08-28 02:27 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Ulead Systems
2009-08-22 00:48 . 2009-08-22 00:49 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\DivX
2009-08-22 00:38 . 2009-08-22 00:38 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InterVideo
2009-08-22 00:37 . 2007-01-03 21:58 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-08-22 00:37 . 2007-01-03 21:58 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-08-22 00:37 . 2009-08-28 02:04 -------- d-----w- c:\arquivos de programas\DivX
2009-08-22 00:37 . 2009-08-22 00:37 -------- d-----w- c:\arquivos de programas\Arquivos comuns\LightScribe
2009-08-22 00:35 . 2009-08-28 02:27 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Ulead Systems
2009-08-22 00:34 . 2005-05-26 18:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-11 19:35 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:00 . 2009-08-05 09:00 205312 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:31 . 2009-08-04 23:31 -------- d-sh--w- c:\documents and settings\Administrador\PrivacIE
2009-08-04 23:31 . 2009-08-04 23:31 -------- d-sh--w- c:\documents and settings\Administrador\IECompatCache
2009-08-04 23:27 . 2009-08-04 23:27 -------- d-sh--w- c:\documents and settings\Administrador\IETldCache
2009-08-04 23:16 . 2009-07-03 16:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-04 23:16 . 2009-07-03 16:59 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-04 23:16 . 2009-08-04 23:16 -------- d-----w- c:\windows\ie8updates
2009-08-04 23:16 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-04 23:14 . 2009-08-04 23:16 -------- dc-h--w- c:\windows\ie8

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 01:47 . 2008-04-23 01:53 -------- d-----w- c:\arquivos de programas\Circle Developement
2009-08-28 19:43 . 2008-09-30 17:59 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2009-08-28 02:30 . 2008-04-04 11:39 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-08-21 02:46 . 2008-08-28 17:44 -------- d-----w- c:\arquivos de programas\Alldj_DVD_To_AVI
2009-08-12 03:09 . 2008-04-04 11:45 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-08-05 09:00 . 2004-08-04 01:45 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-22 20:27 . 2009-03-05 18:09 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\DVD Shrink
2009-07-20 21:46 . 2008-04-23 01:53 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2009-07-17 19:03 . 2004-08-04 01:45 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 02:43 . 2004-08-04 01:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 16:59 . 2004-08-04 01:45 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:27 . 2004-08-04 01:45 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2004-08-04 01:45 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2004-08-04 01:45 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2004-08-04 01:45 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:27 . 2004-08-04 01:45 732672 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2004-08-04 01:45 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-03 23:59 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:39 . 2004-08-04 01:45 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:39 . 2001-10-28 15:06 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 10:44 . 2004-08-04 01:45 77824 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:44 . 2004-08-04 01:45 81408 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-10 14:14 . 2004-08-04 01:45 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 12:21 . 2008-04-03 19:49 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:15 . 2004-08-04 01:45 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-08-22 94208]
"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ares"="c:\arquivos de programas\Ares\Ares.exe" [2008-02-20 963072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RemoteControl"="c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-21 266497]
"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2008-09-06 413696]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\
Recorte de tela e Iniciador do OneNote 2007.lnk - c:\arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Arquivos de programas\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Ares\\Ares.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1631:UDP"= 1631:UDP:Windows Media Format SDK (iexplore.exe)
"1630:UDP"= 1630:UDP:Windows Media Format SDK (iexplore.exe)
"1632:UDP"= 1632:UDP:Windows Media Format SDK (iexplore.exe)

R3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [29/5/2007 13:30 508160]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys --> c:\windows\system32\DRIVERS\epfwtdir.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-09-26 c:\windows\Tasks\User_Feed_Synchronization-{B5B75B04-9D3F-4EC5-89D1-00F64AD34F8D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 07:31]
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-Picasa Media Detector - c:\arquivos de programas\Picasa2\PicasaMediaDetector.exe
HKCU-Run-Rainlendar2 - c:\arquivos de programas\Rainlendar2\Rainlendar2.exe


.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {AF32D210-948A-4A63-BD02-8938A15D4750} = 200.225.197.34 200.225.197.37
DPF: {31CB2F01-72C2-4CF4-B265-450E8817B039} - hxxp://idownload.br.toontown.com/sv1.4.14.8/ttinst-portuguese.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-03 19:32
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-842925246-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,9b,c9,1c,c3,4f,0d,45,a3,92,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,9b,c9,1c,c3,4f,0d,45,a3,92,c0,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,5f,4e,ce,03,43,
03,3d,b0,2e,e8,e1,00,eb,16,2b,de,eb,81,b1,2d,26,63,54,81,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,b2,3e,12,48,36,
fb,7d,f7,46,47,15,b0,92,4b,c7,ef,f8,4c,75,ab,af,6c,44,e7,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,f0,be,bc,5c,de,
9d,2a,f3,7a,45,05,fd,91,e8,6f,31,f6,1f,4e,18,25,df,97,3e,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,c0,5e,53,a5,ed,
45,78,c4,6b,65,49,6a,7e,99,74,f7,0c,64,a9,89,48,99,49,d0,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,56,16,9d,4d,85,
f8,cc,9c,e9,02,6c,fa,fb,1d,47,57,ec,86,40,d5,2e,ae,ab,81,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,2a,3f,13,d4,ac,
0b,59,85,50,93,e5,ab,ec,6a,4e,ab,85,f8,21,33,f4,e8,40,d9,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,c8,aa,39,23,a2,
b3,f7,52,97,20,4e,9a,c7,f1,35,ee,63,f5,37,18,e7,30,21,c9,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,44,b8,ce,c6,70,
f5,37,1d,aa,52,c6,00,84,3c,26,64,2e,6c,f0,0e,83,fd,e8,21,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,ea,4b,a0,22,11,
12,bc,2f,b2,46,9a,e2,1b,fe,1b,94,96,25,79,db,b2,72,57,da,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,e5,50,a6,a1,e0,
68,d8,92,37,a4,aa,c3,a6,15,56,0a,1d,25,02,05,3c,c2,dd,c1,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,66,2e,85,84,9d,
1e,8c,26,f8,31,0f,a9,5f,a0,ec,fb,08,ad,5a,1b,da,a7,7b,32,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6f,ee,29,30,d0,
28,83,84,05,73,21,dd,54,d8,4a,c5,74,25,74,9f,36,05,7a,9a,6c,43,2d,1e,aa,22,\
.
Tempo para conclusão: 2009-09-03 19:34
ComboFix-quarantined-files.txt 2009-09-03 22:34
ComboFix2.txt 2008-11-24 08:54

Pré-execução: 9 pasta(s) 20.910.829.568 bytes disponíveis
Pós execução: 9 pasta(s) 25.194.983.424 bytes disponíveis

221 --- E O F --- 2009-09-02 03:04
<<

Regards...
 
Here is the ComboFix log
ComboFix 09-09-03.02 - User 03/09/2009 21:42.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1015.586 [GMT -3:00]
Executando de: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090903-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG 7.5.446 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\290bff3.msi
c:\windows\Installer\3914f4.msp
c:\windows\system32\config\44271290.Evt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P
-------\Service_asc3550p


(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-04 to 2009-09-04 ))))))))))))))))))))))))))))
.

2009-09-02 03:36 . 2009-08-27 19:32 266240 --sha-r- c:\windows\system32\bokafeque.exe
2009-08-29 20:39 . 2009-08-29 20:39 -------- d-----w- C:\Downloads
2009-08-26 20:49 . 2009-08-26 20:49 -------- d-----w- C:\rsit
2009-08-23 16:46 . 2009-08-27 19:32 266240 --sha-r- c:\windows\system32\caref.exe

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 00:47 . 2008-11-02 20:17 -------- d-----w- c:\documents and settings\User\Dados de aplicativos\Orbit
2009-09-04 00:35 . 2008-11-10 21:23 -------- d-----w- c:\documents and settings\User\Dados de aplicativos\uTorrent
2009-09-02 00:41 . 2008-11-01 04:17 -------- d-----w- c:\arquivos de programas\DreaMule
2009-08-29 20:35 . 2009-07-18 01:40 -------- d-----w- c:\arquivos de programas\PEScript2009
2009-08-17 16:10 . 2009-08-02 15:08 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2009-08-02 15:09 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-08-02 15:09 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-08-02 15:09 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-08-02 15:09 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-08-02 15:09 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-08-02 15:09 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-08-02 15:09 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-08-02 15:09 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-02 16:22 . 2008-02-20 16:30 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-07-18 00:21 . 2001-10-28 15:07 78760 ----a-w- c:\windows\system32\perfc016.dat
2009-07-18 00:21 . 2001-10-28 15:07 469136 ----a-w- c:\windows\system32\perfh016.dat
2009-07-18 00:21 . 2009-07-18 00:21 -------- d-----w- c:\arquivos de programas\MSBuild
2009-07-18 00:18 . 2009-07-18 00:18 -------- d-----w- c:\arquivos de programas\Reference Assemblies
2009-07-08 22:21 . 2009-07-08 22:21 -------- d-----w- c:\documents and settings\User\Dados de aplicativos\Malwarebytes
2009-07-08 22:21 . 2009-07-08 22:21 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-07-07 23:17 . 2009-07-07 23:17 152904 ----a-w- c:\windows\system32\vghd.scr
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"AlcoholAutomount"="c:\arquivos de programas\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 219520]
"DAEMON Tools Lite"="c:\arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]
"WinampAgent"="c:\arquivos de programas\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"zoussyb"="c:\windows\system32\bokafeque.exe" [2009-08-27 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"zoussyb"="c:\windows\system32\bokafeque.exe" [2009-08-27 266240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Orbit.lnk - c:\arquivos de programas\Orbitdownloader\orbitdm.exe [2008-11-2 1690824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\JOGOS\\Medal\\mohpa.exe"=
"d:\\JOGOS\\LOTR BFME\\game.dat"=
"c:\\Arquivos de programas\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Arquivos de programas\\DreaMule\\emule.exe"=
"c:\\Arquivos de programas\\Orbitdownloader\\orbitdm.exe"=
"c:\\Arquivos de programas\\Orbitdownloader\\orbitnet.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"d:\\JOGOS\\LOTR BFME\\patchget.dat"=
"c:\\Arquivos de programas\\PEScript2009\\mirc_wem.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/8/2009 12:09 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/8/2009 12:09 20560]
R3 sembbus;SEMC WMC Composite Device driver (WDM);c:\windows\system32\drivers\sembbus.sys [12/11/2008 21:10 260992]
R3 sembcard;Sony Ericsson PC300 Mobile Broadband Command Interface Drivers (WDM);c:\windows\system32\drivers\sembcard.sys [12/11/2008 21:11 337408]
R3 sembmdfl2;Sony Ericsson PC300 Wireless Modem Filter;c:\windows\system32\drivers\sembmdfl2.sys [12/11/2008 21:11 14976]
R3 sembmdm2;Sony Ericsson PC300 Wireless Modem Driver;c:\windows\system32\drivers\sembmdm2.sys [12/11/2008 21:11 380672]
R3 sembmgmt;Sony Ericsson PC300 Mobile Broadband Device Management Drivers (WDM);c:\windows\system32\drivers\sembmgmt.sys [12/11/2008 21:11 343680]
R3 sembnd5;Sony Ericsson PC300 Mobile Broadband Network Adapter SENECA (NDIS);c:\windows\system32\drivers\sembnd5.sys [12/11/2008 21:11 24960]
R3 sembunic;Sony Ericsson PC300 Mobile Broadband Network Adapter SENECA (WDM);c:\windows\system32\drivers\sembunic.sys [12/11/2008 21:11 344064]
R3 sembwwan;Sony Ericsson PC300 Mobile Broadband Ethernet Control Drivers (WDM);c:\windows\system32\drivers\sembwwan.sys [12/11/2008 21:11 337408]
R3 SEMCReserved;SEMC Reserved Interface;c:\windows\system32\drivers\semcreserved.sys [12/11/2008 21:11 17408]
R3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\sesc.sys [12/11/2008 21:11 12672]
R3 ZSMC302;LG webpro2 Camera;c:\windows\system32\drivers\usbvm302.sys [11/11/2008 20:01 91271]
S2 e1dgkiyryoc;Backbone Service;c:\windows\system32\caref.exe [23/8/2009 13:46 266240]
.
- - - - ORFÃOS REMOVIDOS - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)


.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.pesbrasil.org/
mWindow Title =
IE: &Download by Orbit - c:\arquivos de programas\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\arquivos de programas\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\arquivos de programas\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\arquivos de programas\Orbitdownloader\orbitmxt.dll/202
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Dados de aplicativos\Mozilla\Firefox\Profiles\pxxltaeb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.pesbrasil.org/comunidade/
FF - prefs.js: keyword.URL - hxxp://br.search.yahoo.com/search?ei=ISO-8859-1&fr=megaup&p=
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\npNxGameUS.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-03 21:47
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(3424)
c:\windows\system32\browselc.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\scardsvr.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\arquivos de programas\Orbitdownloader\orbitnet.exe
c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-09-04 21:49 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-09-04 00:49

Pré-execução: 8 pasta(s) 26.557.026.304 bytes disponíveis
Pós execução: 8 pasta(s) 26.616.811.520 bytes disponíveis

159 --- E O F --- 2009-01-18 15:45
 
I'm sending a HijackThis log because people on MSN are telling me I'm sending those instant messages with a link and so on. If you could help me... NOD32 is detecting 1 infection and wasn't removing it.
PS: the forum has the "spoiler" tool to keep the topic cleaner; it wouldn't hurt for people to use it, right? didifpg cluttered the page....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:27:15, on 25/08/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7509 bytes

PS: I ran NOD32 again and there's nothing left. But I'd appreciate it if you could analyze the log to see whether any remnants are left.
 
Hello, Mr. Wolf!

Regarding the viruses, is my notebook free of them after I ran the last antivirus?

Regarding the firewall, the following happens:

When I turn on the notebook, an icon appears in the taskbar warning me to check the computer's security, with the following message: "The general security service is not running. Click this notification to fix the problem."

When I click it, a screen appears saying that the Windows Security Center is disabled. I click enable. Another screen appears saying that the firewall, automatic updates, malware protection and other security settings are enabled.

Thanks again for your kindness.

Thank you,
Artur Simões
 