[Solved!] IE won't close!

23 replies in this topic

#1 Pablo3322

  • Members
  • 25 posts

Posted 08 March 2008 - 10:57

Even after ending IE in Ctrl+Alt+Del, it comes back!!

Logfile of HijackThis v1.99.1
Scan saved at 08:00 PABLO, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\MessengerDiscovery\MessengerDiscovery Live.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ADSTechnology module - {831CBAC0-8283-4653-9D81-FEB9F3F6E47C} - C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll
O2 - BHO: ActivationManager module - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Arquivos de programas\ActivationManager\ActivationManager.dll (file missing)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Arquivos de programas\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: Class - {FC9BCC0B-5745-21E7-F5A2-5A6E55758E50} - C:\WINDOWS\axybn1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\draw bash.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CS Update] copy /Y "C:\Arquivos de programas\ActivationManager\ActivationManager.dll.upd" "C:\Arquivos de programas\ActivationManager\ActivationManager.dll"
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble...b/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.2...er_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn....rInstall_br.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.2...d8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
#2 Sam Spade

  • Members
  • 1,845 posts

Posted 08 March 2008 - 11:28

Hi Pablo3322! The log shows several infections, with malware that redirects IE, such as ADSTechnology and the Lop adware, which was installed together with Messenger Plus when the sponsorship was accepted. Even after uninstalling Plus, Lop can remain. Download:

KillBox
FindLop > Extract the files to their own folder but don't use it yet.

Save or print these instructions:

STEP 1

Download the Lop Uninstaller
http://lop.com/new_uninstall.exe

If a restriction message appears when you try to download it, follow these steps:
  • Open Internet Explorer, click Tools, then Internet Options, click the Security tab, click Trusted Sites and then click Sites; in the "Add this website to the zone" field enter:
    http://lop.com and click Add
  • Uncheck the option: Require server verification (https)
  • Click OK in all the windows and try the download again.
If your antivirus detects a problem with the file, ignore it. The file is safe.

Disable your antivirus and any antispyware. Run it. Enter the numbers and confirm.
  • Open Internet Explorer again, click Tools, then Internet Options, click the Security tab, click Trusted Sites and then click Sites.
  • Click on: http://lop.com and click Remove.
  • Click OK in all the windows.

STEP 2

Run KillBox, check Delete on Reboot and then Unregister .dll Before Deleting. In Full Path of File to Delete enter:

C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll

Click the button shown (posted image). Answer Yes to the question.

There will be a countdown and the PC will restart.

After the OS loads again, run a scan with HijackThis and save the log.

Run findlop.bat and then locate findlop.txt in C:\

Re-enable the antivirus and the antispyware programs.

Post:

HijackThis log
findlop.txt

NOTE: there will be one more step after I have the results of the logs I asked for.
#3 Pablo3322

  • Members
  • 25 posts

Posted 08 March 2008 - 12:14

Hi Sam, thank you very much for the help!!

Logfile of HijackThis v1.99.1
Scan saved at 09:28 PABLO, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ADSTechnology module - {831CBAC0-8283-4653-9D81-FEB9F3F6E47C} - C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll (file missing)
O2 - BHO: ActivationManager module - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Arquivos de programas\ActivationManager\ActivationManager.dll (file missing)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Arquivos de programas\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: Class - {FC9BCC0B-5745-21E7-F5A2-5A6E55758E50} - C:\WINDOWS\axybn1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\draw bash.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CS Update] copy /Y "C:\Arquivos de programas\ActivationManager\ActivationManager.dll.upd" "C:\Arquivos de programas\ActivationManager\ActivationManager.dll"
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble...b/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.2...er_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn....rInstall_br.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.2...d8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'MP Scheduled Scan.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Arquivos de programas\Windows Defender\MpCmdRun.exe'
Parameters: 'Scan -RestrictPrivileges'
WorkingDirectory: ''
Comment: 'Scheduled Scan'
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/08/2008 2:14:00
NextRun: 03/09/2008 2:14:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 12/31/2001
EndDate: 00/00/0000
StartTime: 02:14
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'A944EF35918B66A5.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\windows\applic~1\signtw~1\Roamheck16.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Particular'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/08/2008 9:00:00
NextRun: 03/08/2008 10:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/06/2001
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
#4 Sam Spade

  • Members
  • 1,845 posts

Posted 10 March 2008 - 01:25

OK, copy and save this text in blue in Notepad:

C:\WINDOWS\Tasks\A944EF35918B66A5.job
C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
C:\WINDOWS\APPLIC~1\SIGNTW~1\Roamheck16.exe
C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\draw bash.exe

Save or print these instructions, since you will be following them while disconnected and without access to this page:

1 - Copy the text you saved in Notepad. Run KillBox and check Delete on Reboot; in the File menu click Paste from Clipboard.
Then click the All Files button.

Click the button shown (posted image). Answer Yes to the question.

When the PC restarts, press F8 repeatedly. In the menu choose: safe mode.

2 - Open HijackThis and click Do a system scan only. Wait for the scan to finish.

Each entry has a checkbox on the left side. Check only the boxes of the entries below that you still find:

O2 - BHO: ADSTechnology module - {831CBAC0-8283-4653-9D81-FEB9F3F6E47C} - C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll (file missing)
O2 - BHO: ActivationManager module - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Arquivos de programas\ActivationManager\ActivationManager.dll (file missing)
O2 - BHO: Class - {FC9BCC0B-5745-21E7-F5A2-5A6E55758E50} - C:\WINDOWS\axybn1.dll (file missing)
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\draw bash.exe
O4 - HKCU\..\Run: [CS Update] copy /Y "C:\Arquivos de programas\ActivationManager\ActivationManager.dll.upd" "C:\Arquivos de programas\ActivationManager\ActivationManager.dll"
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn....rInstall_br.cab

Each box will then have a check mark in it.

Then click the button shown (posted image). Click OK on the question and then close HijackThis.

3 - For the log to be analyzed, there can be no disabled startup items, since they do not appear. Follow these instructions:

Go to Start > Run > type msconfig

On the General tab select: Normal startup - load all device drivers and services.

Apply > OK

Restart the PC in normal mode, generate a new log and post it.
#5 Pablo3322

  • Members
  • 25 posts

Posted 10 March 2008 - 02:20

Logfile of HijackThis v1.99.1
Scan saved at 23:37 PABLO, on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\UltraVNC\WinVNC.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jucheck.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble...b/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.2...er_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.2...d8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#6 Sam Spade
  • Members
  • 1,845 posts

Posted 10 March 2008 - 12:19

OK, more entries have appeared that weren't there before, now that you enabled all the items. I need you to have a few files analysed:

Go to http://virusscan.jotti.org/

On the site, in the Browse box, paste the line below:

C:\WINDOWS\system32\28463\YMSF.exe

Click Submit, wait for the analysis result to appear and save it.

Do the same with this one:

C:\WINDOWS\csrss.exe

Post the analysis results so we can continue.

#7 Pablo3322
  • Members
  • 25 posts

Posted 10 March 2008 - 17:51

Hi Sam, for both of them I got this message:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

#8 Sam Spade
  • Members
  • 1,845 posts

Posted 10 March 2008 - 21:14

Was there some problem when using KillBox? Entries that should no longer be in the log are still there.

If you couldn't get it to work, explain what happened so we can sort it out.

#9 Pablo3322
  • Members
  • 25 posts

Posted 10 March 2008 - 22:07

Hi Sam,
I did everything as you wrote above, but when I put those lines on the site, I got the message I told you about.
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

I tried to repeat the previous procedure, but I can't get into Safe Mode any more!

Cheers!

#10 Sam Spade
  • Members
  • 1,845 posts

Posted 15 March 2008 - 21:39

Hi, it's not about the analysis, it's about the files I asked you to delete with KillBox. Was there a problem, or couldn't you get KillBox to work?

#11 Pablo3322
  • Members
  • 25 posts

Posted 17 March 2008 - 20:56

Hi Sam, thanks for the reply, and sorry for the delay.

Well, I didn't see any error...
I was looking, and it seems IE has closed, because it no longer shows up in the Task Manager processes!
Could the problem have been solved?

Cheers!

#12 Sam Spade
  • Members
  • 1,845 posts

Posted 20 March 2008 - 20:36

Hi, post a new HijackThis log, since the previous one is already out of date.

#13 Pablo3322
  • Members
  • 25 posts

Posted 26 March 2008 - 21:58

Logfile of HijackThis v1.99.1
Scan saved at 08:34 PABLO, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {12A6AB00-7C8C-46AA-8426-8825F3F0927C} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Arquivos de programas\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: (no name) - {F501C2AB-834A-4B9D-A86B-A1EADA760B00} - C:\WINDOWS\system32\gebxyyx.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - HKCU\..\Run: [ADPHONE] C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE /STARTUP
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble...b/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.2...er_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.2...d8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: gebxyyx - gebxyyx.dll (file missing)
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#14 Sam Spade
  • Members
  • 1,845 posts

Posted 28 March 2008 - 20:08

Hi, for the log to be analysed there can't be any items disabled from startup, because they don't show up. Follow these instructions:

Go to Start > Run > type msconfig

On the General tab select: Normal Startup - load all device drivers and services.

Apply > OK

Restart the PC, generate a new log and post it.

#15 Pablo3322
  • Members
  • 25 posts

Posted 10 April 2008 - 19:27

Logfile of HijackThis v1.99.1
Scan saved at 01:26 PABLO, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\UltraVNC\WinVNC.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\Arquivos de programas\Hamachi\hamachi.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [0d6b155d] rundll32.exe "C:\WINDOWS\system32\bfuqwxvw.dll",b
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [BM0e5826c1] Rundll32.exe "C:\WINDOWS\system32\pwwcufgk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - HKCU\..\Run: [ADPHONE] C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE /STARTUP
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble...b/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.2...er_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.2...d8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#16 Sam Spade
  • Members
  • 1,845 posts

Posted 14 April 2008 - 19:13

Hi, your log shows a new infection by the Vundo trojan (Virtumonde adware), malware that is hard to remove. Download: ComboFix > save it to the desktop
  • Disable your antivirus, antispyware and firewall so they don't cause conflicts. Keep them disabled until you have finished the instructions.
  • Double-click combofix.exe, type 1 and press Enter to proceed with the Fix. Wait, as it takes a while.
  • ComboFix will restart the PC automatically to complete the removal process. If that doesn't happen, restart manually.
  • When it finishes, a log will be generated at C:\ComboFix.txt.
  • IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running. To stop or exit ComboFix, press "N".
  • Post a new HijackThis log.
  • Select, copy and paste the contents of ComboFix.txt into your next reply.

    NOTE: Do not run ComboFix more than once. That will overwrite the log and make removing the malware(s) harder.

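Sam Spade's verdict above comes from reading the O4, O2, O20 and R1 lines of the log by eye. The Python below is an added example, not part of this thread and not code from HijackThis or ComboFix; it encodes a few of those checks so they can be run over a log file: a core process name (csrss.exe) started from a directory other than system32, an executable inside a numeric-named directory, rundll32 loading a DLL with a randomised name, Run value names that look machine-generated, unnamed BHOs whose DLL is gone, Winlogon Notify packages with a missing or bare DLL, and a proxy pointing at 0.0.0.0. The system-process list, the 8-letter DLL pattern and the hex value-name pattern are assumptions drawn from the names in the logs posted above; the sample lines are a constructed subset copied from those logs.

```python
"""Triage heuristics for HijackThis log lines (added example, see lead-in)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Core Windows processes that legitimately run only from %WINDIR%\system32.
# Short list chosen for this thread (assumption: extend it for real use).
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# HijackThis line shapes handled here.
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>.+)$")
# Eight lowercase letters + .dll: the randomised file names seen in this thread's
# logs (assumed pattern for Vundo/Virtumonde drops).
RANDOM_DLL_RE = re.compile(r"\\[a-z]{8}\.dll\b")
# Run value names such as 0d6b155d / BM0e5826c1 (assumed pattern).
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def _exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)", cmd)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def check_line(line: str) -> list[Finding]:
    """Apply the heuristics to one HijackThis line; returns zero or more findings."""
    line = line.rstrip()
    out: list[Finding] = []

    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        exe = _exe_path(cmd)
        parts = exe.lower().split("\\")
        base, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
        if base in SYSTEM32_ONLY and parent != "system32":
            out.append(Finding(line, f"{base} started from {exe}, not from system32: impostor using a core process name"))
        if parent.isdigit():
            out.append(Finding(line, f"executable inside numeric-named directory '{parent}'"))
        if base == "rundll32.exe" and RANDOM_DLL_RE.search(cmd):
            out.append(Finding(line, "rundll32 loads a DLL with an 8-letter random-looking name"))
        if HEX_NAME_RE.match(name):
            out.append(Finding(line, f"Run value name '{name}' looks machine-generated"))
        return out

    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        missing = "(file missing)" in path or "(no file)" in path
        if name == "(no name)" and missing:
            out.append(Finding(line, "unnamed BHO whose DLL is gone: orphaned CLSID left by partially removed adware"))
        elif RANDOM_DLL_RE.search(path):
            out.append(Finding(line, "BHO DLL has an 8-letter random-looking name"))
        return out

    m = O20_RE.match(line)
    if m:
        path = m.group("path")
        if "(file missing)" in path or "\\" not in path:
            out.append(Finding(line, "Winlogon Notify package with missing or bare DLL: loads at logon before the shell"))
        return out

    m = R1_PROXY_RE.match(line)
    if m and m.group("proxy").startswith("0.0.0.0"):
        out.append(Finding(line, "IE proxy set to 0.0.0.0: unusual value, check ProxyEnable and who set it"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        findings.extend(check_line(raw))
    return findings


# Constructed sample: a subset of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
O2 - BHO: (no name) - {12A6AB00-7C8C-46AA-8426-8825F3F0927C} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [0d6b155d] rundll32.exe "C:\WINDOWS\system32\bfuqwxvw.dll",b
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: gebxyyx - gebxyyx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[!] {f.reason}\n    {f.line}")
```

Run against a saved log with `triage(open("hijackthis.log").read())`. The checks are deliberately narrow: legitimate rundll32 entries such as NvCpl.dll and vendor entries such as avast! pass untouched, while the csrss.exe copy in the Windows root, the numeric 28463 directory and the two random-named DLLs from the log above are each reported with the reason a helper would give.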

#17 Pablo3322
  • Members
  • 25 posts

Posted 15 April 2008 - 18:28

Hi Sam, thank you very much!

ComboFix 08-04-14.2 - Particular 2008-04-15 2:23:56.3 - FAT32x86
Running from: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aijenglm.dll
C:\WINDOWS\system32\budvjudu.dll
C:\WINDOWS\SYSTEM32\DKjPonmp.ini
C:\WINDOWS\SYSTEM32\DKjPonmp.ini2
C:\WINDOWS\system32\gaenuppo.dll
C:\WINDOWS\system32\iifcBqOh.dll
C:\WINDOWS\SYSTEM32\oppuneag.ini

.
((((((((((((((((((((((( Files created from 2008-03-14 to 2008-04-14 ))))))))))))))))))))))))))))))))
.

2008-04-15 02:16 . 2008-04-15 02:16 3,648 --a------ C:\WINDOWS\SYSTEM32\inotcmeu.dll
2008-04-15 02:14 . 2008-04-15 02:14 3,648 --a------ C:\WINDOWS\SYSTEM32\odyfbajn.dll
2008-04-15 01:40 . 2008-04-15 01:40 3,648 --a------ C:\WINDOWS\SYSTEM32\agkfjoef.dll
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\config\systemprofile\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\Particular\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais
2008-04-11 23:03 . 2008-04-11 23:03 <DIR> d-------- C:\Arquivos de programas\Opera
2008-04-11 22:39 . 2002-01-01 00:04 708,714 ---hs---- C:\WINDOWS\SYSTEM32\iqqmhasy.ini
2008-04-11 22:33 . 2008-04-11 22:33 3,648 --a------ C:\WINDOWS\SYSTEM32\roneprhh.dll
2008-04-05 23:01 . 2002-01-01 00:03 720,831 ---hs---- C:\WINDOWS\SYSTEM32\rsxexkue.ini
2008-04-05 22:55 . 2008-04-05 22:55 3,648 --a------ C:\WINDOWS\SYSTEM32\ohdvqdyi.dll
2008-04-02 23:04 . 2008-04-02 23:04 <DIR> d--hs---- C:\FOUND.002
2008-03-25 04:35 . 2008-03-25 04:35 1,434,504 ---hs---- C:\WINDOWS\SYSTEM32\xyfiebcl.ini
2008-03-24 19:24 . 2008-03-25 04:35 1,343,480 ---hs---- C:\WINDOWS\SYSTEM32\hmrowbpc.ini
2008-03-22 00:11 . 2002-01-01 00:04 1,253,150 ---hs---- C:\WINDOWS\SYSTEM32\kjpsmukh.ini
2008-03-21 23:44 . 2008-03-21 23:44 127 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-03-20 20:44 . 2002-01-01 00:04 1,255,686 ---hs---- C:\WINDOWS\SYSTEM32\dahnpbbq.ini
2008-03-19 19:34 . 2002-01-01 00:08 1,389,816 ---hs---- C:\WINDOWS\SYSTEM32\iytggvqa.ini
2008-03-18 19:48 . 2002-01-01 00:03 1,321,257 ---hs---- C:\WINDOWS\SYSTEM32\qjqtnaib.ini
2008-03-17 20:54 . 2008-03-18 18:39 2,105,720 ---hs---- C:\WINDOWS\SYSTEM32\qnkfloue.ini
2008-03-17 20:45 . 2008-03-17 20:54 1,359,967 ---hs---- C:\WINDOWS\SYSTEM32\txjuawxw.ini
2008-03-16 23:38 . 2002-01-01 00:06 1,355,340 ---hs---- C:\WINDOWS\SYSTEM32\ksuukrhv.ini
2008-03-15 14:35 . 2008-03-15 14:35 33,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\oreans32.sys
2008-03-15 13:03 . 2001-01-01 00:05 1,367,163 ---hs---- C:\WINDOWS\SYSTEM32\rsdtpdjn.ini
2008-03-15 00:21 . 2002-01-01 00:04 1,366,983 ---hs---- C:\WINDOWS\SYSTEM32\wubgcppt.ini
2008-03-14 23:51 . 2008-03-14 23:52 1,366,863 ---hs---- C:\WINDOWS\SYSTEM32\mgihrvqu.ini

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 18:45 1,146,232 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:35 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 18:31 75,856 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 18:23 95,608 ----a-w C:\WINDOWS\SYSTEM32\AVASTSS.scr
2008-03-11 15:01 --------- d-----w C:\WINDOWS\Application Data\ADPHONE
2008-03-11 15:01 --------- d-----w C:\Arquivos de programas\ADPHONE3
2008-03-10 14:16 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\FLEXnet
2008-03-10 14:14 37,888 ----a-w C:\WINDOWS\SYSTEM32\rar.exe
2008-03-10 14:03 --------- d-----w C:\Arquivos de programas\Bonjour
2008-03-10 13:45 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Macrovision Shared
2008-03-07 18:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
2008-02-26 16:30 --------- d-----w C:\Arquivos de programas\ArtMoney
2008-02-21 22:15 --------- d-sh--w C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2008-02-15 17:54 90,112 ----a-w C:\WINDOWS\Cuninst.exe
2008-02-11 11:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-02-11 11:05 311,296 ------w C:\WINDOWS\Setup1.exe
2008-01-17 17:33 42,128 ----a-w C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
2007-10-08 19:53 87,608 ----a-w C:\WINDOWS\Application Data\inst.exe
2007-10-08 19:53 47,360 ----a-w C:\WINDOWS\Application Data\pcouffin.sys
2007-08-08 19:11 169 ----a-w C:\Documents and Settings\Particular\lixeira.reg
2006-04-22 15:06 12 ----a-w C:\Documents and Settings\Particular\aruivo.bat
2005-05-07 19:16 2,376 ----a-w C:\Arquivos de programas\musica.MTP
2004-07-23 10:42 266 --sh--w C:\Arquivos de programas\desktop.ini
2004-07-23 10:42 11,280 ---h--w C:\Arquivos de programas\folder.htt
2002-01-01 10:03 901 ----a-w C:\Documents and Settings\Particular\restore.reg
2006-05-24 12:38 233,472 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 13:00 204,895 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 10:41 77,824 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 12:59 426,081 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 08:19 458,752 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\imagickrt.dll
2006-04-10 14:35 139,264 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 07:10 204,800 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 07:42 106,496 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 07:22 212,992 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 07:21 167,936 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLVoiceUnpacker.dll
2005-05-01 07:19 14 --sh--w C:\WINDOWS\dpwtpdxp.dll
2005-05-08 15:53 19 --sh--w C:\WINDOWS\dpwtddxp.dll
2005-02-11 07:44 56 --sh--r C:\WINDOWS\SYSTEM32\08E6EFE77D.sys
2005-07-25 17:51 12 --sh--w C:\WINDOWS\SYSTEM32\spwtpaxp.dll
2005-05-01 07:19 14 --sh--w C:\WINDOWS\SYSTEM32\dpwtpaxp.dll
2005-05-01 07:19 19 --sh--w C:\WINDOWS\SYSTEM32\dpwtdaxp.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_ 1.30.10.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 21:04:44 11,368 ----a-w C:\WINDOWS\Application Data\Mozilla\Firefox\pluginreg.dat
+ 2008-04-14 22:17:02 11,368 ----a-w C:\WINDOWS\Application Data\Mozilla\Firefox\pluginreg.dat
- 2008-04-14 21:19:44 72,004 ----a-w C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\lnzl9y3d.default\history.dat
+ 2008-04-14 22:31:04 64,724 ----a-w C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\lnzl9y3d.default\history.dat
- 2008-04-14 21:21:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 22:32:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 22:32:48 16,384 ----a-w C:\WINDOWS\temp\Perflib_Perfdata_608.dat
.
(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12A6AB00-7C8C-46AA-8426-8825F3F0927C}]
C:\WINDOWS\system32\geedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
2002-01-01 00:03 36864 --a------ C:\WINDOWS\system32\awtsPHYp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E96408F4-C4C1-46E3-BAA2-21D5D69AD1D0}]
2002-01-01 00:09 269824 --a------ C:\WINDOWS\system32\pmnoPjKD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 20:43 8489984 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]
"DWQueuedReporting"="C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"Windows Registry Repair Pro"="C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" [ ]
"TerraVOIP"="C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe" [ ]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 21:09 68856]
"STYLEXP"="C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 22:31 1372160]
"Free Download Manager"="C:\Arquivos de programas\Free Download Manager\fdm.exe" [ ]
"DLD.EXE"="C:\Arquivos de programas\Download Direct\DLD.exe" [ ]
"ddns_agent"="C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe" [2005-06-03 09:21 631296]
"CopyBat"="C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe" [ ]
"ADPHONE"="C:\Arquivos de programas\ADPHONE3\ADPHONE.exe" [2008-03-06 13:28 1261568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"YMSF Agent"="C:\WINDOWS\system32\28463\YMSF.exe" [ ]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"file wave user bat"="C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe" [ ]
"csrss.exe"="C:\WINDOWS\csrss.exe" [ ]
"WinVNC"="C:\Arquivos de programas\UltraVNC\WinVNC.exe" [2006-06-18 14:56 712704]
"Windows Defender"="C:\Arquivos de programas\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2005-11-12 13:46 155648]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-02 03:54 3735552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\WINDOWS\Menu Iniciar\Programas\Iniciar\
hamachi.lnk - C:\Arquivos de programas\Hamachi\hamachi.exe [2007-09-17 23:01:34 PABLO 619048]

C:\WINDOWS\All Users\Menu Iniciar\Programas\Iniciar\
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 PABLO 83360]
WinZip Quick Pick.lnk - C:\Arquivos de programas\WinZip\WZQKPICK.EXE [2004-07-23 16:51:24 PABLO 106560]
Administrador de servicios.lnk - C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-06-19 20:19:08 PABLO 69632]
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [2008-01-01 12:02:34 PABLO 124400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Shell"= c:explorer1.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinSpooler.exe
"WinUpdating"= WinUpdating.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2006-03-27 10:52 201256]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINDOWS\system32\awtsPHYp.dll [2002-01-01 00:03 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsPHYp]
awtsPHYp.dll 2002-01-01 00:03 36864 C:\WINDOWS\SYSTEM32\awtsPHYp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyyx]
gebxyyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Arquivos de programas\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Arquivos de programas\AlienGUIse\FASTLOAD.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
Notification Packages REG_MULTI_SZ :\WINDOWS\system32\srrstr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"C:\\Arquivos de programas\\Windows Media Player\\WMPLAYER.EXE"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"=
"C:\\Arquivos de programas\\jlgsolera\\OnLineLiveSetup\\OnLineLive.exe"=
"C:\\Sierra\\Counter-Strike\\cstrike.exe"=
"C:\\Arquivos de programas\\K-LiteNitro\\giFT\\giFTl.exe"=
"\\\\10.1.1.20\\c\\Muserver1\\CS\\CS.exe"=
"C:\\Arquivos de programas\\Winco\\Cliente DDNS\\wizard.exe"=
"\\\\10.1.1.20\\Sharing Folders\\pbbinho@hotmail.com\\LieroX v0.56 Pack 1.9\\LieroX.exe"=
"\\\\10.1.1.20\\c\\Muserver\\GameServer\\GameServer.exe"=
"C:\\Arquivos de programas\\RealVNC\\VNC4\\winvnc4.exe"=
"D:\\MuServer\\GameServer\\GameServer.exe"=
"D:\\MuServer\\DataServer1\\Dataserver.exe"=
"D:\\MuServer\\DataServer2\\Dataserver.exe"=
"D:\\MuServer\\CS\\CS.exe"=
"D:\\MuServer\\JoinServer\\JoinServer.exe"=
"D:\\MuServer\\RankingServer\\DevilSqure_EventServer.exe"=
"D:\\MuServer\\ExDB\\Exdb.exe"=
"D:\\MuServer\\MU2003_EVENT_SERVER\\WZ_MU2003_EVENT_SERVER.exe"=
"C:\\Muserver\\JoinServer\\JoinServer.exe"=
"C:\\Muserver\\CS\\CS.EXE"=
"C:\\Muserver\\DataServer1\\Dataserver.exe"=
"C:\\Muserver\\DataServer2\\Dataserver.exe"=
"C:\\MuServer99b+\\DataServer1\\Dataserver.exe"=
"C:\\MuServer99b+\\DataServer2\\Dataserver.exe"=
"C:\\MuServer99b+\\cs\\cs.exe"=
"C:\\MuServer99b+\\JoinServer\\JoinServer.exe"=
"C:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=
"C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"C:\\Arquivos de programas\\Darkeden\\darkeden.exe"=
"C:\\Documents and Settings\\Particular\\Desktop\\Dark Eden\\dk2.exe"=
"C:\\Arquivos de programas\\Valve\\hl.exe"=
"C:\\Arquivos de programas\\Ares\\Ares.exe"=
"C:\\Arquivos de programas\\MegaCubo\\megacubo.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Arquivos de programas\\ADPHONE3\\ADPHONE.exe"=
"C:\\Documents and Settings\\Particular\\Desktop\\Nova pasta (4)\\Dark Eden\\dk2.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 22:31]
R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 03:14]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-03-15 14:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 22:35]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 21:53]
S3 SPCA508A;11043 Ver1.3;C:\WINDOWS\system32\DRIVERS\SP508PIX.SYS []
S3 XDva009;XDva009;C:\WINDOWS\system32\XDva009.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Pablo#pablo ©]
\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll
.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-04-14 22:14:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Arquivos de programas\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 02:36:34
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
-> C:\WINDOWS\system32\awtsPHYp.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\byXRHyvw.dll
.
------------------------ Other Running Processes ------------------------
.
C:\ARQUIVOS DE PROGRAMAS\TGTSOFT\STYLEXP\STYLEXPSERVICE.EXE
C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\ARQUIVOS DE PROGRAMAS\BONJOUR\MDNSRESPONDER.EXE
C:\ARQUIVOS DE PROGRAMAS\EWIDO ANTI-SPYWARE 4.0\GUARD.EXE
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-04-15 2:43:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 22:42:42
ComboFix2.txt 2008-04-14 21:32:58

Pre-Run: 6,011,387,904 bytes disponíveis
Post-Run: 5,989,924,864 bytes disponíveis
.
2001-12-31 21:49:06 --- E O F ---


________________________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 00:26 PABLO, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\UltraVNC\WinVNC.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\Arquivos de programas\Hamachi\hamachi.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jucheck.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [BM0e5826c1] Rundll32.exe "C:\WINDOWS\system32\goojlbks.dll",s
O4 - HKLM\..\Run: [0d6b155d] rundll32.exe "C:\WINDOWS\system32\vwdqlmfa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - HKCU\..\Run: [ADPHONE] C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE /STARTUP
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble...b/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.2...er_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.2...d8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

#18 Sam Spade

Sam Spade
  • Members
  • 1,845 posts

Posted 18 April 2008 - 13:17

Save or print these instructions, since you will follow them while disconnected and without access to this page:

1 - Delete the folder C:\Qoobox (if it exists), and delete the previous ComboFix log -> C:\combofix.txt

2 - Disable your antivirus, antispyware and firewall so they do not cause conflicts. Keep them disabled until you finish the instructions.

3 - Select and copy the text inside the QUOTE. Open Notepad and paste what you copied. Then save it to the desktop with the name CFScript.txt.

File::
C:\WINDOWS\SYSTEM32\inotcmeu.dll
C:\WINDOWS\SYSTEM32\odyfbajn.dll
C:\WINDOWS\SYSTEM32\agkfjoef.dll
C:\WINDOWS\SYSTEM32\iqqmhasy.ini
C:\WINDOWS\SYSTEM32\roneprhh.dll
C:\WINDOWS\SYSTEM32\rsxexkue.ini
C:\WINDOWS\SYSTEM32\ohdvqdyi.dll
C:\WINDOWS\SYSTEM32\xyfiebcl.ini
C:\WINDOWS\SYSTEM32\hmrowbpc.ini
C:\WINDOWS\SYSTEM32\kjpsmukh.ini
C:\WINDOWS\SYSTEM32\dahnpbbq.ini
C:\WINDOWS\SYSTEM32\iytggvqa.ini
C:\WINDOWS\SYSTEM32\qjqtnaib.ini
C:\WINDOWS\SYSTEM32\qnkfloue.ini
C:\WINDOWS\SYSTEM32\txjuawxw.ini
C:\WINDOWS\SYSTEM32\ksuukrhv.ini
C:\WINDOWS\SYSTEM32\rsdtpdjn.ini
C:\WINDOWS\SYSTEM32\wubgcppt.ini
C:\WINDOWS\SYSTEM32\mgihrvqu.ini
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\awtsPHYp.dll
C:\WINDOWS\system32\pmnoPjKD.dll
C:\WINDOWS\system32\WinSpooler.exe
C:\WINDOWS\system32\WinUpdating.exe
C:\WINDOWS\system32\byXRHyvw.dll
C:\WINDOWS\system32\goojlbks.dll
C:\WINDOWS\system32\vwdqlmfa.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12A6AB00-7C8C-46AA-8426-8825F3F0927C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E96408F4-C4C1-46E3-BAA2-21D5D69AD1D0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CopyBat"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMSF Agent"=-
"file wave user bat"=-
"csrss.exe"=-
"BM0e5826c1"=-
"0d6b155d"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Shell"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"=-
"WinUpdating"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsPHYp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyyx]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Pablo#pablo ©]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

4 - Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

Posted image

ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

NOTE: Do not run ComboFix more than once. That will overwrite the log and make removing the malware harder.

5 - Go to http://virusscan.jotti.org/

On the site, in the Browse box, paste the line below:

C:\WINDOWS\system32\tsd32.dll

Click Submit, wait for the analysis result to appear and save it.

6 - Post a new HijackThis log. Select, copy and paste the contents of ComboFix.txt in your next reply. Also post the Jotti result.
  • 0
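Once the new logs come back (step 6), the helper compares them with what the CFScript asked ComboFix to remove. The Python below is an added example, not part of this post, of ComboFix or of HijackThis: it parses the script's File:: and Registry:: sections, flags value lines that do not match the `"Name"=-` shape the rest of the script uses, and lists Run values the later HijackThis log still shows. The CFScript and log lines embedded in it are constructed from this thread.

```python
"""Cross-check a ComboFix CFScript against a later HijackThis log.

Added example; not part of the thread, of ComboFix or of HijackThis.
"""
import re

# Constructed sample: a subset of the CFScript posted above, including the
# Run-value line that is missing its opening quote.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\awtsPHYp.dll
C:\WINDOWS\system32\WinSpooler.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12A6AB00-7C8C-46AA-8426-8825F3F0927C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CopyBat"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMSF Agent"=-
"csrss.exe"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdating"=-
"""

# Constructed sample: O4 lines in the shape of the follow-up HijackThis log.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
"""

KEY_RE = re.compile(r"^\[(-?)(HK[^\]]+)\]$")      # [KEY] or [-KEY] (delete key)
VALUE_RE = re.compile(r'^"([^"]+)"=-$')             # "Name"=-  (delete value)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_cfscript(text):
    """Split a CFScript into files to delete, keys to delete, values to delete
    and lines that match neither shape (those would silently do nothing)."""
    result = {"files": [], "delete_keys": [], "delete_values": [], "errors": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                     # File:: / Registry:: header
            section, current_key = line[:-2].lower(), None
            continue
        if section == "file":
            result["files"].append(line)
            continue
        if section != "registry":
            result["errors"].append(line)
            continue
        key = KEY_RE.match(line)
        if key:
            if key.group(1) == "-":
                result["delete_keys"].append(key.group(2))
                current_key = None
            else:
                current_key = key.group(2)
            continue
        value = VALUE_RE.match(line)
        if value and current_key:
            result["delete_values"].append((current_key, value.group(1)))
        else:
            result["errors"].append(line)
    return result


def parse_hjt_run_entries(text):
    """Return (hive, value name, command) for every O4 HKLM/HKCU Run line."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((HIVES[m.group(1)], m.group(2), m.group(3)))
    return entries


def still_present(script, entries):
    """Run values the script asked to remove that a later log still lists."""
    wanted = {(key.split("\\")[0].upper(), name.lower())
              for key, name in script["delete_values"]
              if key.upper().endswith("\\CURRENTVERSION\\RUN")}
    return sorted(name for hive, name, _ in entries if (hive, name.lower()) in wanted)


def files_still_referenced(script, hjt_text):
    """File:: paths that still appear anywhere in the later log."""
    low = hjt_text.lower()
    return [path for path in script["files"] if path.lower() in low]


def report(cfscript_text, hjt_text):
    """Print the findings a helper would act on; returns the parsed script."""
    script = parse_cfscript(cfscript_text)
    entries = parse_hjt_run_entries(hjt_text)
    for bad in script["errors"]:
        print(f"malformed CFScript line (no effect): {bad}")
    for name in still_present(script, entries):
        print(f"Run value still present after cleanup: {name}")
    for path in files_still_referenced(script, hjt_text):
        print(f"file still referenced in log: {path}")
    return script


if __name__ == "__main__":
    report(SAMPLE_CFSCRIPT, SAMPLE_HJT)
```

With the sample as posted, the unquoted CopyBat line is reported as malformed and is not checked; with the quote restored, the script reports that the CopyBat Run value is still present in the later log.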

#19 Pablo3322

Pablo3322
  • Members
  • 25 posts

Posted 29 April 2008 - 19:55

Hi Sam, sorry for the delay!
Logfile of HijackThis v1.99.1
Scan saved at 20:01 PABLO, on 29/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\UltraVNC\WinVNC.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Hamachi\hamachi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\K-Meleon\k-meleon.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Arquivos de programas\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ADPHONE] C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE /STARTUP
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble...b/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.2...er_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.2...d8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

________________________________________________________________________________

ComboFix 08-04-28.2 - Particular 2008-04-29 18:09:21.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.57 [GMT 4:00]
Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Particular\Desktop\CFScript.txt
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\agkfjoef.dll
C:\WINDOWS\system32\awtsPHYp.dll
C:\WINDOWS\system32\byXRHyvw.dll
C:\WINDOWS\SYSTEM32\dahnpbbq.ini
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\goojlbks.dll
C:\WINDOWS\SYSTEM32\hmrowbpc.ini
C:\WINDOWS\SYSTEM32\inotcmeu.dll
C:\WINDOWS\SYSTEM32\iqqmhasy.ini
C:\WINDOWS\SYSTEM32\iytggvqa.ini
C:\WINDOWS\SYSTEM32\kjpsmukh.ini
C:\WINDOWS\SYSTEM32\ksuukrhv.ini
C:\WINDOWS\SYSTEM32\mgihrvqu.ini
C:\WINDOWS\SYSTEM32\odyfbajn.dll
C:\WINDOWS\SYSTEM32\ohdvqdyi.dll
C:\WINDOWS\system32\pmnoPjKD.dll
C:\WINDOWS\SYSTEM32\qjqtnaib.ini
C:\WINDOWS\SYSTEM32\qnkfloue.ini
C:\WINDOWS\SYSTEM32\roneprhh.dll
C:\WINDOWS\SYSTEM32\rsdtpdjn.ini
C:\WINDOWS\SYSTEM32\rsxexkue.ini
C:\WINDOWS\SYSTEM32\txjuawxw.ini
C:\WINDOWS\system32\vwdqlmfa.dll
C:\WINDOWS\system32\WinSpooler.exe
C:\WINDOWS\system32\WinUpdating.exe
C:\WINDOWS\SYSTEM32\wubgcppt.ini
C:\WINDOWS\SYSTEM32\xyfiebcl.ini
.

((((((((((((((((((((((( Ficheiros criados de 2008-03-28 to 2008-04-29 ))))))))))))))))))))))))))))))))
.

2008-07-31 10:00 . 2008-07-31 10:00 <DIR> d--hs---- C:\FOUND.000
2008-04-18 01:05 . 2008-04-18 01:05 <DIR> d-------- C:\WINDOWS\Application Data\K-Meleon
2008-04-18 01:04 . 2008-04-18 01:04 <DIR> d-------- C:\Arquivos de programas\K-Meleon
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\config\systemprofile\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\Particular\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais
2008-04-11 23:03 . 2008-04-11 23:03 <DIR> d-------- C:\Arquivos de programas\Opera
2008-04-02 23:04 . 2008-04-02 23:04 <DIR> d--hs---- C:\FOUND.002

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-20 08:09 1,845,376 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-15 10:35 33,824 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys
2008-03-11 15:01 --------- d-----w C:\WINDOWS\Application Data\ADPHONE
2008-03-11 15:01 --------- d-----w C:\Arquivos de programas\ADPHONE3
2008-03-10 14:16 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\FLEXnet
2008-03-10 14:14 37,888 ----a-w C:\WINDOWS\SYSTEM32\rar.exe
2008-03-10 14:03 --------- d-----w C:\Arquivos de programas\Bonjour
2008-03-10 13:45 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Macrovision Shared
2008-03-07 18:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:38 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:38 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-16 22:33 3,080,704 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-15 17:54 90,112 ----a-w C:\WINDOWS\Cuninst.exe
2008-02-15 09:23 18,432 ------w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2008-02-11 11:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-02-11 11:05 311,296 ------w C:\WINDOWS\Setup1.exe
2008-01-17 17:33 42,128 ----a-w C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
2007-10-08 19:53 87,608 ----a-w C:\WINDOWS\Application Data\inst.exe
2007-10-08 19:53 47,360 ----a-w C:\WINDOWS\Application Data\pcouffin.sys
2007-08-08 19:11 169 ----a-w C:\Documents and Settings\Particular\lixeira.reg
2006-04-22 15:06 12 ----a-w C:\Documents and Settings\Particular\aruivo.bat
2005-05-07 19:16 2,376 ----a-w C:\Arquivos de programas\musica.MTP
2004-07-23 10:42 266 --sh--w C:\Arquivos de programas\desktop.ini
2004-07-23 10:42 11,280 ---h--w C:\Arquivos de programas\folder.htt
2002-01-01 10:03 901 ----a-w C:\Documents and Settings\Particular\restore.reg
2006-05-24 12:38 233,472 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 13:00 204,895 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 10:41 77,824 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 12:59 426,081 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 08:19 458,752 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\imagickrt.dll
2006-04-10 14:35 139,264 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 07:10 204,800 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 07:42 106,496 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 07:22 212,992 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 07:21 167,936 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLVoiceUnpacker.dll
2005-05-01 07:19 14 --sh--w C:\WINDOWS\dpwtpdxp.dll
2005-05-08 15:53 19 --sh--w C:\WINDOWS\dpwtddxp.dll
2005-02-11 07:44 56 --sh--r C:\WINDOWS\SYSTEM32\08E6EFE77D.sys
2005-07-25 17:51 12 --sh--w C:\WINDOWS\SYSTEM32\spwtpaxp.dll
2005-05-01 07:19 14 --sh--w C:\WINDOWS\SYSTEM32\dpwtpaxp.dll
2005-05-01 07:19 19 --sh--w C:\WINDOWS\SYSTEM32\dpwtdaxp.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 20:43 8489984 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]
"ADPHONE"="C:\Arquivos de programas\ADPHONE3\ADPHONE.exe" [2008-03-06 13:28 1261568]
"Windows Registry Repair Pro"="C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" [ ]
"TerraVOIP"="C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe" [ ]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 21:09 68856]
"STYLEXP"="C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 22:31 1372160]
"Free Download Manager"="C:\Arquivos de programas\Free Download Manager\fdm.exe" [ ]
"DLD.EXE"="C:\Arquivos de programas\Download Direct\DLD.exe" [ ]
"ddns_agent"="C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe" [2005-06-03 09:21 631296]
"CopyBat"="C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"WinVNC"="C:\Arquivos de programas\UltraVNC\WinVNC.exe" [2006-06-18 14:56 712704]
"Windows Defender"="C:\Arquivos de programas\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2005-11-12 13:46 155648]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-02 03:54 3735552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\WINDOWS\Menu Iniciar\Programas\Iniciar\
hamachi.lnk - C:\Arquivos de programas\Hamachi\hamachi.exe [2007-09-17 23:01:34 PABLO 619048]

C:\WINDOWS\All Users\Menu Iniciar\Programas\Iniciar\
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 PABLO 83360]
WinZip Quick Pick.lnk - C:\Arquivos de programas\WinZip\WZQKPICK.EXE [2004-07-23 16:51:24 PABLO 106560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2006-03-27 10:52 201256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Arquivos de programas\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Arquivos de programas\AlienGUIse\FASTLOAD.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"C:\\Arquivos de programas\\Windows Media Player\\WMPLAYER.EXE"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"=
"C:\\Arquivos de programas\\jlgsolera\\OnLineLiveSetup\\OnLineLive.exe"=
"C:\\Sierra\\Counter-Strike\\cstrike.exe"=
"C:\\Arquivos de programas\\K-LiteNitro\\giFT\\giFTl.exe"=
"\\\\10.1.1.20\\c\\Muserver1\\CS\\CS.exe"=
"C:\\Arquivos de programas\\Winco\\Cliente DDNS\\wizard.exe"=
"\\\\10.1.1.20\\Sharing Folders\\pbbinho@hotmail.com\\LieroX v0.56 Pack 1.9\\LieroX.exe"=
"\\\\10.1.1.20\\c\\Muserver\\GameServer\\GameServer.exe"=
"C:\\Arquivos de programas\\RealVNC\\VNC4\\winvnc4.exe"=
"D:\\MuServer\\GameServer\\GameServer.exe"=
"D:\\MuServer\\DataServer1\\Dataserver.exe"=
"D:\\MuServer\\DataServer2\\Dataserver.exe"=
"D:\\MuServer\\CS\\CS.exe"=
"D:\\MuServer\\JoinServer\\JoinServer.exe"=
"D:\\MuServer\\RankingServer\\DevilSqure_EventServer.exe"=
"D:\\MuServer\\ExDB\\Exdb.exe"=
"D:\\MuServer\\MU2003_EVENT_SERVER\\WZ_MU2003_EVENT_SERVER.exe"=
"C:\\Muserver\\JoinServer\\JoinServer.exe"=
"C:\\Muserver\\CS\\CS.EXE"=
"C:\\Muserver\\DataServer1\\Dataserver.exe"=
"C:\\Muserver\\DataServer2\\Dataserver.exe"=
"C:\\MuServer99b+\\DataServer1\\Dataserver.exe"=
"C:\\MuServer99b+\\DataServer2\\Dataserver.exe"=
"C:\\MuServer99b+\\cs\\cs.exe"=
"C:\\MuServer99b+\\JoinServer\\JoinServer.exe"=
"C:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=
"C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"C:\\Arquivos de programas\\Darkeden\\darkeden.exe"=
"C:\\Documents and Settings\\Particular\\Desktop\\Dark Eden\\dk2.exe"=
"C:\\Arquivos de programas\\Valve\\hl.exe"=
"C:\\Arquivos de programas\\Ares\\Ares.exe"=
"C:\\Arquivos de programas\\MegaCubo\\megacubo.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Arquivos de programas\\ADPHONE3\\ADPHONE.exe"=
"C:\\Documents and Settings\\Particular\\Desktop\\Nova pasta (4)\\Dark Eden\\dk2.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 22:31]
R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 03:14]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-03-15 14:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 22:35]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 21:53]
S3 SPCA508A;11043 Ver1.3;C:\WINDOWS\system32\DRIVERS\SP508PIX.SYS []
S3 XDva009;XDva009;C:\WINDOWS\system32\XDva009.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Pablo#pablo ©]
\Shell\AutoRun\command - setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll
.
Conteúdo da pasta 'Tarefas Agendadas'
"2001-12-31 22:14:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Arquivos de programas\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 18:20:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\ARQUIVOS DE PROGRAMAS\TGTSOFT\STYLEXP\STYLEXPSERVICE.EXE
C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\ARQUIVOS DE PROGRAMAS\BONJOUR\MDNSRESPONDER.EXE
C:\ARQUIVOS DE PROGRAMAS\EWIDO ANTI-SPYWARE 4.0\GUARD.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-04-29 18:24:54 - machine was rebooted [Particular]
ComboFix-quarantined-files.txt 2008-04-29 14:24:40

Pre-Run: 5,678,301,184 bytes disponíveis
Post-Run: 5,651,365,888 bytes disponíveis

248 --- E O F --- 2008-04-16 21:39:39

________________________________________________________________________________

Scanner results
Scan taken on 29 Apr 2008 22:49:32 (GMT)

Scanner                 Result
A-Squared               Found nothing
AntiVir                 Found nothing
ArcaVir                 Found nothing
Avast                   Found nothing
AVG Antivirus           Found nothing
BitDefender             Found nothing
ClamAV                  Found nothing
CPsecure                Found nothing
Dr.Web                  Found nothing
F-Prot Antivirus        Found nothing
F-Secure Anti-Virus     Found nothing
Fortinet                Found nothing
Ikarus                  Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32                   Found nothing
Norman Virus Control    Found nothing
Panda Antivirus         Found nothing
Sophos Antivirus        Found nothing
VirusBuster             Found nothing
VBA32                   Found nothing

#20 Sam Spade
  • Members
  • 1,845 posts

Posted 29 April 2008 - 21:16

Follow these instructions:

Open HijackThis and click Do a system scan only.
Wait for the scan to finish.
Each entry has a box on its left-hand side.
Tick only the box of the entry below:

 O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe

A V mark will appear inside the box.

Then click on [Posted image]. Answer OK to the question, then generate a new log with HijackThis and post it.

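As an added illustration (not part of the thread and not anything Sam Spade or the HijackThis/ComboFix authors wrote), the script below does by hand what a helper does when reading the O4 entries above: it parses the HijackThis `O4` lines and the matching ComboFix `Run` values, then applies a few triage heuristics that single out the `CopyBat` entry. The sample lines are copied from the logs posted in this thread; the reading of ComboFix's empty `[ ]` as "no file date/size recorded" and the choice of directory heuristics are assumptions of this example, not documented behaviour of either tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: O4 lines copied from the HijackThis log posted in this thread.
HJT_O4_LINES = r"""
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
""".strip().splitlines()

# Constructed sample input: Run values copied from the ComboFix section of the same post.
# ComboFix prints "[date time size]" after a value when it located the file; an empty
# "[ ]" is treated here as "no metadata recorded" (an assumption about the format).
COMBOFIX_RUN_LINES = r"""
"TerraVOIP"="C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe" [ ]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 21:09 68856]
"STYLEXP"="C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 22:31 1372160]
"CopyBat"="C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe" [ ]
""".strip().splitlines()

RUN_KEY_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Split "path arguments": the path ends at the first executable-looking extension.
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|bat|cmd|scr|dll))(?:\s+(?P<args>.*))?$", re.IGNORECASE)
COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')

# Heuristics (assumptions of this example): 8.3 short-name components hide the real folder
# name, and autoruns living in a user-writable profile directory deserve a closer look.
SHORT_NAME_RE = re.compile(r"~\d+\\")
PROFILE_DIR_RE = re.compile(r"(application data|applic~1|documents and settings|docume~1|local settings|temp)\\",
                            re.IGNORECASE)


@dataclass
class AutorunEntry:
    source: str          # e.g. "HKCU\Run" or "Startup"
    name: str            # value name or .lnk name
    path: str            # executable path as HijackThis printed it
    args: str            # command-line arguments, if any
    reasons: list = field(default_factory=list)


def parse_hjt_o4(line):
    """Parse one HijackThis O4 line; returns None for lines that are not O4 entries."""
    line = line.strip()
    m = RUN_KEY_RE.match(line)
    if m:
        source, name, cmd = f"{m['hive']}\\{m['key']}", m["name"], m["cmd"]
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return None
        source, name, cmd = m["key"], m["name"], m["cmd"]
    e = EXE_RE.match(cmd.strip())
    path = e["path"] if e else cmd.strip()
    args = (e["args"] or "") if e else ""
    return AutorunEntry(source, name, path, args)


def parse_combofix_run(lines):
    """Map Run value name -> metadata string ComboFix recorded ('' when nothing was found)."""
    meta = {}
    for line in lines:
        m = COMBOFIX_RE.match(line.strip())
        if m:
            meta[m["name"]] = m["meta"].strip()
    return meta


def triage(entry, combofix_meta):
    """Attach human-readable reasons to review an entry; an empty list means nothing stood out."""
    reasons = []
    if SHORT_NAME_RE.search(entry.path):
        reasons.append("8.3 short-name path: expand it before judging")
    if PROFILE_DIR_RE.search(entry.path):
        reasons.append("runs from a user-writable profile directory, not Program Files")
    if combofix_meta.get(entry.name) == "":
        reasons.append("ComboFix recorded no file date/size for this value")
    entry.reasons = reasons
    return entry


def triage_log(hjt_lines, combofix_lines):
    """Return the parsed entries sorted with the most reasons first."""
    meta = parse_combofix_run(combofix_lines)
    entries = [e for e in map(parse_hjt_o4, hjt_lines) if e is not None]
    for e in entries:
        triage(e, meta)
    return sorted(entries, key=lambda e: len(e.reasons), reverse=True)


if __name__ == "__main__":
    for e in triage_log(HJT_O4_LINES, COMBOFIX_RUN_LINES):
        print(("REVIEW" if e.reasons else "ok    "), f"{e.source:<12} [{e.name}] {e.path}")
        for r in e.reasons:
            print("         -", r)
```

Run on the sample, `CopyBat` is the only entry that collects all three reasons, which is exactly the one the reply above asks to fix; `TerraVOIP` collects a single reason (ComboFix found no metadata), showing why one signal alone is not enough and the entries have to be read together.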