
Archived

This topic has been archived and is closed to further replies.

sk8ifb

[Solved!] Task Manager

Recommended Posts

Hey everyone.

I think I caught a virus.

It's the one that keeps closing Task Manager.

I'll post the HijackThis log, and if anyone can guide me on how to fix it, I'd appreciate it.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 14:00:45, on 28/5/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\AVENGINE.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MSASCui.exe

C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe

C:\windows\system32\java.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

c:\arquivos de programas\panda software\panda antivirus 2007\WebProxy.exe

C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\psimreal.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe

O4 - HKLM\..\Run: [Markting] "C:\windows\system32\java.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://atrativa.com.br/games/applets/gameh...mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.atrativa.com.br/games/applets/p...opcaploader.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

 

 

there it is

thanks.


Good morning sk8ifb!

 

<!> Download BankerFix.

<!> Save it to the Desktop!

<!> Close all windows and the browser when running BankerFix. If possible, disable the resident AntiVirus and AntiSpyware protections!!

<!> Double-click Bankerfix.exe, then press Enter. Wait! When it finishes, read the message on the (DOS) screen and press Enter again.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

<!> Post the BankerFix relatorio.txt, which is at C:\LinhaDefensiva\relatorio.txt

<!> Also post a new HijackThis log (made in Normal Mode) in your reply.

 

That's all!

DigRam


Good afternoon DigRam,

I ran BankerFix 2 days ago and it found a malicious file and removed it.

But the problem continued.

Now I made another report as you asked and I'll post it here.

 

 

BankerFix 2.3 - Removedor de Bankers

Linha Defensiva - http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

Data: 29/5/2007 - 12:44

-------------------------------------------------------

Lista de Definição: 2007-05-28-1

=======================================================

 

 

Log do FoxFix

=======================================================

Iniciando Log do PV

-----------------------------------

 

Killing '*'

 

Arquivos a remover

-----------------------------------

 

 

Arquivos ruins restantes

-----------------------------------

 

 

Reg Importado

-----------------------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

 

Logfile of HijackThis v1.99.1

Scan saved at 12:46:09, on 29/5/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\AVENGINE.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MSASCui.exe

C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe

C:\windows\system32\java.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\WISPTIS.EXE

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\Apvxdwin.exe

c:\arquivos de programas\panda software\panda antivirus 2007\WebProxy.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\psimreal.exe

C:\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe

O4 - HKLM\..\Run: [Markting] "C:\windows\system32\java.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://atrativa.com.br/games/applets/gameh...mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.atrativa.com.br/games/applets/p...opcaploader.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

 

 

Thanks.


Good afternoon sk8ifb!

 

>@< Go to Start >> Run >> Type: gpedit.msc

>@< Look for: User Configuration >> Administrative Templates >> System >> Ctrl+Alt+Del Options.

>@< In the right-hand column, go to Remove Task Manager.

>@< Double-click it and set it to Disabled.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

>@< Download Taskmanager.reg.

>@< Save it to the Desktop!

>@< Close all programs and the browser.

>@< Now run Taskmanager!

>@< Restart the computer!

>@< Check whether Task Manager is back to normal.

 

That's all!

DigRam


DigRam, when I click Taskmanager.reg to download it, a blank page appears with this:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

and there is no download option. :( Thanks for the help so far :)

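One way to check what a .reg file like the Taskmanager.reg above actually sets before importing it, as an added example that is not part of this thread or of Linha Defensiva's tools: it parses the "Windows Registry Editor Version 5.00" export format the user pasted and reports the DisableTaskMgr value under each key (the second sample is constructed to show the still-blocked case).

```python
"""Parse a 'Windows Registry Editor Version 5.00' (.reg) export and report the
Task Manager policy values it sets. Added example, not part of the thread or of
Linha Defensiva's tools. TASKMANAGER_REG is the Taskmanager.reg text the user
pasted; STILL_BLOCKED_REG is constructed to show an export with the block active.
"""
import re

TASKMANAGER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
'''

# Constructed sample: the same user key while the policy still blocks Task Manager.
STILL_BLOCKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

_HEADER = "Windows Registry Editor Version 5.00"
_SECTION = re.compile(r'^\[(-?)(.+?)\]$')          # [-path] means delete the key
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data


def _unescape(s):
    # .reg strings escape a backslash as \\ and a double quote as \"
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(rhs):
    """Turn the right-hand side of a value line into a Python value."""
    rhs = rhs.strip()
    if rhs.lower().startswith("dword:"):
        return int(rhs[len("dword:"):], 16)
    if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
        return _unescape(rhs[1:-1])
    return rhs  # hex(...) blobs and the '-' delete marker are kept raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export.

    A key written as [-HKEY_...] is recorded as None. A trailing backslash on
    a key path (the third key in the pasted file has one) is stripped so the
    path compares equal to the same key written without it.
    """
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != _HEADER:
        raise ValueError("not a Windows Registry Editor 5.00 export")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            delete, path = m.groups()
            path = path.rstrip("\\")
            if delete:
                keys[path], current = None, None
            else:
                current = keys.setdefault(path, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):  # the key's (Default) value
            current["@"] = _decode(line[2:])
            continue
        m = _VALUE.match(line)
        if m:
            name, rhs = m.groups()
            current[_unescape(name)] = _decode(rhs)
    return keys


def policy_values(keys, value_name):
    """Every (key_path, value) that sets value_name; registry names are case-insensitive."""
    hits = []
    for path, values in keys.items():
        for name, value in (values or {}).items():
            if name.lower() == value_name.lower():
                hits.append((path, value))
    return hits


def task_manager_blocked(reg_text):
    """True when any key in the export still sets DisableTaskMgr to 1."""
    return any(v == 1 for _, v in policy_values(parse_reg(reg_text), "DisableTaskMgr"))
```

A value of 0 in the export only means the import switches the policy off at that moment; a Task Manager that opens and closes again a second later, as the next reply reports, points at something still running on the machine, which is why the helper moves on to a diagnostic tool.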

I did what you asked, DigRam, but it still isn't fixed. Task Manager opens and closes within 1 second. =/

Any other possibility?

Thanks.


Good morning sk8ifb!

 

Any other possibility?

Thanks.

>@< There is still malware on the PC preventing Task Manager from working.

>@< We will have to use a diagnostic tool (SilentRunners), my friend, to locate the infection. If necessary, we will use ComboFix (another diagnostic tool!).

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

<!> Download SilentRunners.

<!> Save it to the Desktop!

<!> Unzip it and extract the (executable) file SilentRunners.vbs to Local Disk C.

<!> Double-click that file!

<!> Wait! A report will be generated (Startup Programs xxxx date), where xxxx is the user name!

>!< Select and copy this report into your reply!

>!< Also do a new scan with HijackThis and paste it in your reply!

 

Cheers!


Good evening,

here is the report:

 

 

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]

"DAEMON Tools" = ""C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Smapp" = "C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]

"APVXDWIN" = ""C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s" ["Panda Software International"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"Windows Defender" = ""C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide" [MS]

"RegistryMechanic" = "(empty string)" [file not found]

"SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"PCSuiteTrayApplication" = "C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" ["Nokia"]

"NeroFilterCheck" = "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" ["Nero AG"]

"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe" [empty string]

"Markting" = ""C:\windows\system32\java.exe"" ["Microsoft"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"

-> {HKLM...CLSID} = "Panda Antivirus"

\InProcServer32\(Default) = "C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\ShellTit.DLL" ["Panda Software International"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {HKLM...CLSID} = "AlcoholShellEx"

\InProcServer32\(Default) = "C:\ARQUIV~1\ALCOHO~1\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]

"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Componente da extensão do shell do CorelDRAW"

-> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"

\InProcServer32\(Default) = "C:\Arquivos de programas\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [null data]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"

-> {HKLM...CLSID} = "Nokia Phone Browser"

\InProcServer32\(Default) = "C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"

-> {HKLM...CLSID} = "CD Copy Shell Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]

"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"

-> {HKLM...CLSID} = "CD Wizard Shell Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"

-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINDOW~4\MpShHook.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> avldr\DLLName = "avldr.dll" ["Panda Software"]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

-> {HKLM...CLSID} = "Panda Antivirus"

\InProcServer32\(Default) = "C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\ShellTit.DLL" ["Panda Software International"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

-> {HKLM...CLSID} = "Panda Antivirus"

\InProcServer32\(Default) = "C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\ShellTit.DLL" ["Panda Software International"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Igor tpG\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "Igor tpG" & "All Users" startup folders:

----------------------------------------------------------

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

"Adobe Gamma Loader" -> shortcut to: "C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

 

 

Enabled Scheduled Tasks:

------------------------

 

"MP Scheduled Scan" -> launches: "C:\Arquivos de programas\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

c:\arquivos de programas\panda software\panda antivirus 2007\pavlsp.dll ["Panda Software International"], 01 - 03, 17

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Explorer Bars

 

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Pesquisar"

 

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

NMIndexingService, NMIndexingService, ""C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Panda anti-virus service, PAVSRV, ""C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe"" ["Panda Software International"]

Panda IManager Service, PSIMSVC, ""C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe"" ["Panda Software"]

ServiceLayer, ServiceLayer, ""C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

StarWind iSCSI Service, StarWindService, "C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows Defender, WinDefend, ""C:\Arquivos de programas\Windows Defender\MsMpEng.exe"" [MS]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

4140 Language Monitor\Driver = "AK2KLM.dll" ["Akica"]

4140 Port Monitor\Driver = "AK2KPMSRV.dll" ["Akica"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

----------

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 58 seconds, including 18 seconds for message boxes)

 

 

and the HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 19:34:40, on 30/5/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\AVENGINE.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Arquivos de programas\Windows Defender\MSASCui.exe

C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe

C:\windows\system32\java.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

c:\arquivos de programas\panda software\panda antivirus 2007\WebProxy.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe

O4 - HKLM\..\Run: [Markting] "C:\windows\system32\java.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://atrativa.com.br/games/applets/gameh...mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.atrativa.com.br/games/applets/p...opcaploader.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

 

Thanks.


Good morning sk8ifb!

 

>@< SilentRunners showed legitimate entries and processes!

>@< Before we run ComboFix, try the following:

>1< Download to the Desktop < http://www.kellys-korner-xp.com/regs_edits/taskmgrenable.reg >

>2< Run the ( .reg ) file and restart the computer!

>@< See if it worked!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

>@< You can also carry out the same procedure manually.

>@< Go to Start >> Run >> Type: regedit >> Ok.

>@< Navigate to: HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Policies\System

>@< On the right, click on: DisableTaskMgr and set its value to 0 ( zero ).

>@< Restart!

>@< See whether the procedure restored Task Manager.

 

Cheers!


Hi DigRam, I did the manual procedure but couldn't find the location > \CurrentVersion\Policies\System, so I downloaded the registry file. But even so it didn't work. =/ Thanks.


Good afternoon sk8ifb!

 

I did the manual procedure but couldn't find the location > \CurrentVersion\Policies\System

so I downloaded the registry file.

But even so it didn't work.

>@< Then all that is left is to look for some malware preventing Task Manager from working.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

>@< Download ComboFix.

>@< Save it to Local Disk C!

>@< Close all windows and run ComboFix.exe

>@< Type the option to continue.. >> Enter.

>@< Wait! When it finishes, copy the report ( C:\ComboFix.txt )

>@< Post only the ComboFix report!

 

That's all!

DigRam


Hi DigRam

here it is:

 

 

"Igor tpG" - 2007-06-02 1:00:20 Service Pack 2

ComboFix 07-05.27.BV - Running from: "C:\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 ))))))))))))))))))))))))))))))))))

 

 

2007-06-01 20:12 1,088,077 --a------ C:\ComboFix.exe

2007-05-30 20:01 <DIR> d-------- C:\Arquivos de programas\GameVicio

2007-05-30 19:32 347,253 --a------ C:\Silent Runners.vbs

2007-05-30 00:37 <DIR> d-------- C:\Arquivos de programas\Custom Technology

2007-05-29 20:55 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy

2007-05-28 14:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-05-28 13:53 <DIR> d-------- C:\LinhaDefensiva

2007-05-28 13:49 <DIR> d-------- C:\HijackThis

2007-05-28 03:00 <DIR> d-------- C:\WINDOWS\pss

2007-05-28 01:25 215,792 --a------ C:\WINDOWS\system32\msnn.exe

2007-05-28 01:25 150,542 --a------ C:\WINDOWS\system32\svxh.cmd

2007-05-28 01:25 114,284 --a------ C:\WINDOWS\system32\AOSMTP.dll

2007-05-28 01:21 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\uTorrent

2007-05-23 21:57 745,472 --a------ C:\WINDOWS\system32\xvidcore.dll

2007-05-23 21:57 719,872 --a------ C:\WINDOWS\system32\devil.dll

2007-05-23 21:57 308,224 --a------ C:\WINDOWS\system32\avisynth.dll

2007-05-23 21:57 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll

2007-05-23 21:57 <DIR> d-------- C:\Arquivos de programas\DIKO

2007-05-19 18:08 922 --a------ C:\WINDOWS\Recorder.reg

2007-05-19 18:07 <DIR> d-------- C:\Arquivos de programas\Pinnacle

2007-05-18 14:50 <DIR> d-------- C:\Arquivos de programas\Alcohol Soft

2007-05-18 14:41 <DIR> d-------- C:\Arquivos de programas\DAEMON Tools

2007-05-17 18:41 73,728 --a------ C:\WINDOWS\system32\dpl100.dll

2007-05-17 18:41 639,066 --a------ C:\WINDOWS\system32\divx.dll

2007-05-17 18:41 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll

2007-05-17 18:41 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll

2007-05-17 18:41 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

2007-05-17 18:41 196,608 --a------ C:\WINDOWS\system32\dtu100.dll

2007-05-17 18:41 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll

2007-05-17 18:41 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll

2007-05-17 18:41 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll

2007-05-17 18:41 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\Real

2007-05-17 18:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Real

2007-05-17 18:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Apple Computer

2007-05-17 18:41 <DIR> d-------- C:\Arquivos de programas\K-Lite Codec Pack

2007-05-16 21:55 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\VideoCalc

2007-05-14 23:58 74 --ah----- C:\WINDOWS\sysdws.dat

2007-05-14 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Ulead Systems

2007-05-13 22:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Nero

2007-05-13 22:18 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Ahead

2007-05-13 20:39 <DIR> d-------- C:\Arquivos de programas\DVD Decrypter

2007-05-13 16:42 <DIR> d-------- C:\Arquivos de programas\Nero

2007-05-13 13:55 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2007-05-12 22:26 <DIR> d-------- C:\Arquivos de programas\Sony Setup

2007-05-12 21:39 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\Publish Providers

2007-05-12 21:36 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\Sony

2007-05-12 21:35 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll

2007-05-12 21:35 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll

2007-05-12 21:35 <DIR> d-------- C:\Arquivos de programas\Microsoft SQL Server

2007-05-12 21:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Sony

2007-05-12 21:33 <DIR> d-------- C:\Arquivos de programas\Sony

2007-05-12 01:19 299 --a------ C:\WINDOWS\PowerReg.dat

2007-05-12 00:15 <DIR> d--h----- C:\WINDOWS\PIF

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-29 19:17:32 -------- d-----w C:\Arquivos de programas\Windows Defender

2007-05-29 19:17:20 -------- d-----w C:\Arquivos de programas\MSN Messenger

2007-05-29 19:17:19 -------- d-----w C:\Arquivos de programas\MessengerDiscovery

2007-05-29 19:17:19 -------- d-----w C:\Arquivos de programas\Messenger Plus! Live

2007-05-29 19:17:16 -------- d-----w C:\Arquivos de programas\eMule

2007-05-28 17:40:19 -------- d-----w C:\Arquivos de programas\PC Connectivity Solution

2007-05-25 21:23:14 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2007-05-24 21:04:02 -------- d-----w C:\Arquivos de programas\CoolSMS

2007-05-18 17:30:13 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-05-14 22:36:42 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Ahead

2007-05-13 22:53:00 -------- d-----w C:\Arquivos de programas\Tibia

2007-05-13 16:55:14 -------- d-----w C:\Arquivos de programas\D'Accord Music Software

2007-05-13 16:30:01 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2007-05-13 02:46:32 -------- d-----w C:\Arquivos de programas\Ahead

2007-05-13 00:35:39 70,042 ----a-w C:\WINDOWS\system32\perfc016.dat

2007-05-13 00:35:39 433,870 ----a-w C:\WINDOWS\system32\perfh016.dat

2007-05-08 01:57:05 -------- d-----w C:\Arquivos de programas\Windows Media Connect 2

2007-05-02 01:07:42 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Alien Skin

2007-05-01 01:41:25 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Activision

2007-04-29 22:23:44 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\BSplayer Pro

2007-04-29 22:19:30 -------- d-----w C:\Arquivos de programas\Webteh

2007-04-26 00:49:07 -------- d-----w C:\Arquivos de programas\directx

2007-04-26 00:44:06 -------- d-----w C:\Arquivos de programas\MGI

2007-04-20 23:34:40 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Nokia

2007-04-20 23:13:03 -------- d-----w C:\Arquivos de programas\Arquivos comuns\PCSuite

2007-04-20 23:13:00 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Nokia

2007-04-20 23:12:56 -------- d-----w C:\Arquivos de programas\Nokia

2007-04-18 16:13:00 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-10 21:50:54 -------- d-----w C:\Arquivos de programas\Arquivos comuns\River Past

2007-04-10 21:50:36 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\River Past G2

2007-04-10 20:39:33 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\River Past G5

2007-04-10 20:33:57 81 ----a-w C:\WINDOWS\system32\buyurl0502.dat

2007-04-10 20:06:43 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Nokia Multimedia Player

2007-04-10 16:29:40 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\PC Suite

2007-04-08 05:46:04 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Hamachi

2007-04-04 01:41:17 -------- d-----w C:\Arquivos de programas\Valve

2007-04-03 00:30:49 17,480 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys

2007-04-02 02:37:48 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Help

2007-03-23 17:39:21 115,200 -c--a-w C:\WINDOWS\snap.dat

2007-03-17 13:44:49 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-14 22:27:58 972,336 ----a-w C:\WINDOWS\UNRecode.exe

2007-03-14 22:19:56 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll

2007-03-14 22:19:26 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe

2007-03-12 16:51:08 972,336 ----a-w C:\WINDOWS\UNNeroMediaHome.exe

2007-03-08 15:36:54 578,048 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:54 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:54 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 15:33:32 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Smapp"="C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]

"APVXDWIN"="C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 06:59]

"nwiz"="nwiz.exe" [2006-08-11 20:43 C:\WINDOWS\system32\nwiz.exe]

"AGRSMMSG"="AGRSMMSG.exe" []

"Windows Defender"="C:\Arquivos de programas\Windows Defender\MSASCui.exe" [2006-11-03 17:20]

"RegistryMechanic"="" []

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"PCSuiteTrayApplication"="C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]

"NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]

"Markting"="C:\windows\system32\java.exe" [2007-05-28 01:25]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49]

"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2007-04-03 19:29]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Nokia.PCSync"=C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

avldr.dll

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-01 05:03:20 C:\WINDOWS\tasks\MP Scheduled Scan.job

 

********************************************************************

 

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-02 01:02:01

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

********************************************************************

 

Completion time: 2007-06-02 1:03:29

 

--- E O F ---

 

 

 

Thanks.


Good afternoon sk8ifb!

 

>@< Open KillBox and check Delete on reboot.

>@< Paste or type the file: C:\WINDOWS\system32\msnn.exe, in the Full path of file to delete box.

>@< Click the X button and confirm at the prompt!

>@< The computer will restart!

>@< Use this reboot to enter Safe Mode.

>@< Run a scan with your antivirus and send whatever is found to quarantine.

>@< Restart the computer!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

>@< Run a check on Jotti for the files:

 

C:\WINDOWS\system32\svxh.cmd

 

C:\WINDOWS\system32\AOSMTP.dll

 

C:\WINDOWS\sysdws.dat

 

>@< In File to upload, enter the path of each file.

>@< Click Submit.

>@< Do one at a time!

>@< Copy and post the scan reports!

 

That's all!

DigRam

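The triage DigRam did by hand above (spotting that the "Markting" Run value and three new files in system32 share one creation timestamp) can be scripted. This is an added example, not code from the thread or from ComboFix; the sample lines are copied from the ComboFix log posted above, and the parsers assume the ComboFix 07-05 line layout shown there.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample: excerpts copied from the ComboFix log posted in this thread.
FILES_CREATED = r"""
2007-05-30 19:32 347,253 --a------ C:\Silent Runners.vbs
2007-05-29 20:55 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-05-28 01:25 215,792 --a------ C:\WINDOWS\system32\msnn.exe
2007-05-28 01:25 150,542 --a------ C:\WINDOWS\system32\svxh.cmd
2007-05-28 01:25 114,284 --a------ C:\WINDOWS\system32\AOSMTP.dll
2007-05-28 01:21 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\uTorrent
2007-05-14 23:58 74 --ah----- C:\WINDOWS\sysdws.dat
"""

RUN_ENTRIES = r"""
"Smapp"="C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
"nwiz"="nwiz.exe" [2006-08-11 20:43 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" []
"RegistryMechanic"="" []
"Markting"="C:\windows\system32\java.exe" [2007-05-28 01:25]
"""

# "Files Created" line: <date time> <size or <DIR>> <9 attribute chars> <path>
FILE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+?)\s*$')
# Run-key line: "<value>"="<target>" [<binary timestamp> <optional resolved path>]
# An empty bracket means ComboFix could not resolve the target to a file.
RUN_RE = re.compile(
    r'^"([^"]*)"="([^"]*)"\s+\[(?:(\d{4}-\d{2}-\d{2} \d{2}:\d{2})([^\]]*))?\]')

FileEntry = namedtuple('FileEntry', 'created size attrs path')
RunEntry = namedtuple('RunEntry', 'name target created resolved')


def parse_files_created(text):
    """Parse the 'Files Created' section into FileEntry records."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M')
        size = None if m.group(2) == '<DIR>' else int(m.group(2).replace(',', ''))
        entries.append(FileEntry(created, size, m.group(3), m.group(4)))
    return entries


def parse_run_entries(text):
    """Parse Run-key lines; `created` is None when ComboFix printed '[]'."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        name, target, ts, extra = m.groups()
        created = datetime.strptime(ts, '%Y-%m-%d %H:%M') if ts else None
        resolved = (extra or '').strip() or target
        entries.append(RunEntry(name, target, created, resolved))
    return entries


def correlate(run_entries, files, window_minutes=2):
    """Map each Run value to other files created within `window_minutes`
    of its binary. A fresh autorun that arrived together with a cluster of
    new files in system32 is the signal that flagged msnn.exe, svxh.cmd and
    AOSMTP.dll in this thread."""
    window = timedelta(minutes=window_minutes)
    hits = {}
    for run in run_entries:
        if run.created is None:
            continue
        near = [f.path for f in files
                if abs(f.created - run.created) <= window
                and f.path.lower() != run.resolved.lower()]
        if near:
            hits[run.name] = near
    return hits


def unresolved(run_entries):
    """Run values whose target ComboFix could not locate; check these by hand."""
    return [r.name for r in run_entries if r.created is None]


if __name__ == '__main__':
    runs = parse_run_entries(RUN_ENTRIES)
    for name, paths in correlate(runs, parse_files_created(FILES_CREATED)).items():
        print(f'[!] Run value "{name}" was created together with:')
        for path in paths:
            print('    ', path)
    for name in unresolved(runs):
        print(f'[?] Run value "{name}" has no resolved file; verify manually')
```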

Hey DigRam,

Malware found. =]

 

C:\WINDOWS\system32\svxh.cmd

 

A-Squared

Found Trojan.Win32.Agent.ho

AntiVir

Found nothing

ArcaVir

Found Trojan.Agent.Ho

Avast

Found Win32:KillAV-CF

AVG Antivirus

Found nothing

BitDefender

Found DeepScan:Generic.KillAV.9983ECE1

ClamAV

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found Trojan.BAT.KillAV.eh

Fortinet

Found nothing

Kaspersky Anti-Virus

Found Trojan.BAT.KillAV.eh

NOD32

Found nothing

Norman Virus Control

Found nothing

Panda Antivirus

Found Trj/KillAv.GI

Rising Antivirus

Found nothing

VirusBuster

Found nothing

VBA32

Found Trojan.BAT.KillAV.eh

 

 

C:\WINDOWS\system32\AOSMTP.dll

 

A-Squared

Found nothing

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found Win32:Banker-BXU

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found nothing

Fortinet

Found Spy/ZPacker

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found W32/Suspicious_U.gen

Panda Antivirus

Found nothing

Rising Antivirus

Found Backdoor.Agent.ica

VirusBuster

Found Packed/Upack

VBA32

Found nothing

 

 

C:\WINDOWS\sysdws.dat

 

A-Squared

Found nothing

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found nothing

Fortinet

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found nothing

Panda Antivirus

Found nothing

Rising Antivirus

Found nothing

VirusBuster

Found nothing

VBA32

Found nothing

 

 

Thanks.


Good morning sk8ifb!

 

<!> Download Clean.

<!> Save it to Local Disk C and unzip it right there, sending the executable ( clean ) to the Desktop. ( Shortcut! )

<!> But do not run it yet!

<!> Download RemDelf2b.

<!> But do not run it yet!

<!> Download Avenger.

<!> Unzip it and create a folder for the program! Put this folder on Local Disk C or the Desktop!

<!> Run the program and check Input script manually.

<!> Click the magnifying-glass icon!

Files to delete:

C:\WINDOWS\system32\msnn.exe

C:\WINDOWS\system32\svxh.cmd

C:\WINDOWS\system32\AOSMTP.dll

C:\Windows\ezVidC60.ocx

 

registry keys to delete:

HKEY_CLASSES_ROOT\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}

HKEY_CLASSES_ROOT\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}

HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}

HKEY_CLASSES_ROOT\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}

HKEY_CLASSES_ROOT\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}

HKEY_CLASSES_ROOT\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}

HKEY_CLASSES_ROOT\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}

HKEY_CLASSES_ROOT\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}

HKEY_CLASSES_ROOT\Interface\{DF6D6559-5B0C-11D3-9396-008029E9B3A6}

HKEY_CLASSES_ROOT\Interface\{DF6D6568-5B0C-11D3-9396-008029E9B3A6}

HKEY_CLASSES_ROOT\Interface\{DF6D656E-5B0C-11D3-9396-008029E9B3A6}

HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}

HKEY_CLASSES_ROOT\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}

HKEY_CLASSES_ROOT\AOSMTP.FastSender

HKEY_CLASSES_ROOT\AOSMTP.FastSender.1

HKEY_CLASSES_ROOT\AOSMTP.Mail

HKEY_CLASSES_ROOT\AOSMTP.Mail.1

HKEY_CLASSES_ROOT\vbVidC60.ezVidCap

HKEY_CLASSES_ROOT\vbVidC60.ICapCallBack

<!> In the box that opens, paste what was copied from the code area just above!

<!> Click Done.

<!> Click the traffic-light icon!

<!> Click Ok.

<!> The computer will restart!

<!> Use this reboot to enter Safe Mode.

<!> Run the Clean tool.

<!> Double-click clean. ( It is the icon named clean! )

<!> A prompt with three options will open: choose two ( 2 )!

<!> Press Enter! >> Press Enter again! >> Wait!

<!> Press Enter again!

<!> A report ( rapport_clean ) will appear, which you should copy and post for analysis.

<!> Still in Safe Mode, type in Run: C:\remdelf.exe >> Click Ok!

<!> If there are other disk drives, type: C:\remdelf C: D:

<!> A prompt will open showing the tool's scan. Wait!

<!> When it finishes, press Enter.

<!> The computer will be restarted!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

<!> Post in your reply: C:\Avenger.txt + rapport_clean + updated HJT log.

<!> PS: Because Avenger acts on the registry, it is advisable to create a system restore point before the procedures. Probably many keys will not be found! But this is a standard Symantec recommendation for removing the keys created by the malware.

 

That's all!

DigRam


Hi DigRam

it gave several errors when deleting the registry entries in Avenger, is that normal?

 

Here are the reports:

 

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\Interface\{DF6D6559-5B0C-11D3-9396-008029E9B3A6}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\Interface\{DF6D6568-5B0C-11D3-9396-008029E9B3A6}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\Interface\{DF6D656E-5B0C-11D3-9396-008029E9B3A6}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\AOSMTP.FastSender

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\AOSMTP.FastSender.1

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\AOSMTP.Mail

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\AOSMTP.Mail.1

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\vbVidC60.ezVidCap

 

 

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

Error code: 0

Line: HKEY_CLASSES_ROOT\vbVidC60.ICapCallBack

 

 

 

 

Script executed in Safe Mode

Rapport clean par Malekal_morte - http://www.malekal.com

Script executed in Safe Mode dom 03/06/2007 a 10:02:14,00

 

Microsoft Windows XP [versão 5.1.2600]

 

*** Suppression C:

 

*** Suppression C:\WINDOWS\

 

*** Suppression C:\WINDOWS\system32

 

*** Suppression C:\Arquivos de programas

 

*** Deletion of the registry keys successful..

*** End of the report !

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:13:47, on 3/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\AVENGINE.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\apvxdwin.exe

c:\arquivos de programas\panda software\panda antivirus 2007\WebProxy.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Arquivos de programas\Windows Defender\MSASCui.exe

C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe

C:\windows\system32\java.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Markting] "C:\windows\system32\java.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://atrativa.com.br/games/applets/gameh...mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.atrativa.com.br/games/applets/p...opcaploader.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Arquivos de programas\Windows Live\installer\WLSetupSvc.exe

 

 

Thanks


Good morning sk8ifb!

 

Hello DigRam,

I got several errors when Avenger was deleting the registry entries, is that normal?

>@< It is not normal! The most common error is when Avenger does not find the file and reports that it was unable to delete it. In this case, the error is a syntax error!

>@< Open the Registry Editor and navigate to the keys. If you find them, delete them manually!

>@< Run a new scan with ComboFix and paste the report in your reply.

>@< Configure Windows to show all files, including hidden ones!

>@< Disable the resident protection of your antivirus and antispyware!

>@< Download EliStarA.

>@< Save it to the Desktop!

>@< But do not run it yet!

>@< Download EliTriIP.

>@< Save it to the Desktop!

>@< PS: Both tools are on the downloads page (Descargas > Utilidades SATINFO).

>@< Select the tools (one at a time!) and click the Descargar xxx button at the bottom of the page, where xxx is the name of the chosen tool!

>@< Restart the computer and boot into Safe Mode.

>@< First, run the tool: EliStart.

>@< Go to its icon and run it!

>@< Accept the proposed conditions and wait for the scan to finish. Be patient! It will take a while to complete the scan of the PC.

>@< When it finishes, run the EliTriIP tool.

>@< This tool's scan is faster!

>@< Close the programs and restart the computer!

>@< Undo the changes to the Windows configuration and to the protection programs!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

>@< Post the infoSAT.txt report, which is in the root of C:\ (Local Disk C).

>@< Also post a new ComboFix log, made in Normal Mode, in your reply.

 

That's all!

DigRam

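As an added example (not from this thread and not HijackThis' own code), a small Python triage pass over log lines of the shape shown in the HijackThis log posted above: it surfaces a ProxyServer value with an empty host, an orphaned BHO, Run entries that launch an .exe straight from the Windows folder and are not on an allowlist, and Winlogon Notify packages not on an allowlist. The sample lines and both allowlists are constructed assumptions, and a hit means "look at this entry by hand", not "this is malware".

```python
"""Triage heuristics over HijackThis 1.99.x log lines (added example)."""
import re
from typing import List, Tuple

# Constructed sample: entries in the shape HijackThis writes, modelled on the
# log posted in the thread (not the full log).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [Markting] "C:\windows\system32\java.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]

# Assumed allowlists (extend per machine): Run value names that legitimately
# start an .exe straight from %SystemRoot% on XP, and Winlogon Notify packages
# that ship with XP / WGA. Anything else from those locations is surfaced.
KNOWN_SYSTEM_RUN = {"ctfmon.exe"}
KNOWN_NOTIFY = {"wgalogon", "crypt32chain", "cryptnet", "cscdll", "scardsvr",
                "schedule", "sclgntfy", "seclogon", "sens", "termsrv", "wlballoon"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An .exe launched directly from C:\WINDOWS or C:\WINDOWS\system32.
SYSDIR_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\(?:system32\\)?[^\\"]+\.exe"?', re.I)

Finding = Tuple[str, str, str]  # (HJT section, item, why it needs review)


def triage(lines: List[str]) -> List[Finding]:
    """Return entries a helper would want to look at by hand, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "R1" and "ProxyServer" in line:
            value = line.split("=", 1)[1].strip()
            host = value.split(":", 1)[0]
            if not host:  # ":8080" style value: port but no proxy host
                findings.append((section, "ProxyServer",
                                 f"proxy value {value!r} has an empty host; check who set it"))
        elif section == "O2" and line.endswith("(no file)"):
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", line)
            findings.append((section, clsid.group(0) if clsid else "?",
                             "BHO registered but its DLL is gone (orphaned entry)"))
        elif section == "O4":
            m = O4_RE.match(line)
            if m and m.group("name").lower() not in KNOWN_SYSTEM_RUN \
                    and SYSDIR_EXE_RE.match(m.group("cmd")):
                findings.append((section, m.group("name"),
                                 f"autostart runs {m.group('cmd')} from the Windows folder; "
                                 "verify publisher and creation date"))
        elif section == "O20" and "Winlogon Notify:" in line:
            name = line.split(": ", 1)[1].split(" - ", 1)[0]
            if name.lower() not in KNOWN_NOTIFY:
                findings.append((section, name,
                                 "Winlogon Notify package not on the allowlist; "
                                 "verify the DLL's publisher"))
    return findings


if __name__ == "__main__":
    for sec, item, why in triage(SAMPLE_LOG):
        print(f"{sec:<4} {item:<40} {why}")
```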

Hello DigRam,

here it is.

 

 

Tue Jun 05 00:02:56 2007

EliStartPage v14.11 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Acción Directa):

Eliminadas las Paginas de Inicio y de Busqueda del IE

Eliminados Ficheros Temporales del IE

 

Tue Jun 05 00:13:39 2007

EliStartPage v14.11 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Acción Directa):

Eliminadas las Paginas de Inicio y de Busqueda del IE

Eliminados Ficheros Temporales del IE

 

Tue Jun 05 00:13:42 2007

EliStartPage v14.11 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMSEARCHPLUGINSIMILARIMAGES.DLL --> Eliminado, WinAntiVirus Pro 2006

C:\Arquivos de programas\Pinnacle\Shared Files\InstantCDDVD\SMARTMESSENGER.EXE --> Eliminado, Spy.Delf (BHO)

C:\Arquivos de programas\Pinnacle\Shared Files\RecordingAPI\PCLEDIAL.DLL --> Eliminado, Desktoper

C:\Documents and Settings\Igor tpG\Desktop\PDITOOL\PDITOOL.EXE --> Eliminado, Malware.WINDOSW

C:\WINDOWS\system32\SVXH.CMD --> Eliminado, QuickBatch

 

Tue Jun 05 00:27:17 2007

EliStartPage v14.11 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad D:\

 

Tue Jun 05 00:30:13 2007

EliTriIP v3.61 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Acción Directa):

 

Tue Jun 05 00:30:16 2007

EliTriIP v3.61 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

 

Tue Jun 05 00:40:18 2007

EliTriIP v3.61 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad D:\

 

 

 

"Igor tpG" - 2007-06-05 0:49:58 Service Pack 2

ComboFix 07-05.27.BV - Running from: "C:\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 ))))))))))))))))))))))))))))))))))

 

 

2007-06-03 09:58 <DIR> d-------- C:\avenger

2007-06-03 09:50 <DIR> d-------- C:\clean

2007-06-03 09:42 4,608 --a------ C:\remdelf.exe

2007-06-02 19:22 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-06-02 19:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dados de aplicativos

2007-06-02 19:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Iniciar

2007-06-02 19:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Modelos

2007-06-02 19:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Configurações locais

2007-06-02 19:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ambiente de rede

2007-06-02 19:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ambiente de impressão

2007-06-02 19:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Meus documentos

2007-06-02 19:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Favoritos

2007-06-02 19:10 <DIR> d-------- C:\!KillBox

2007-06-02 09:38 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2007-06-02 09:38 208,248 --a------ C:\WINDOWS\system32\muweb.dll

2007-06-02 03:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\WindowsLiveInstaller

2007-06-02 03:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\WLInstaller

2007-06-02 03:20 <DIR> d-------- C:\Arquivos de programas\Windows Live

2007-06-02 01:03 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-01 20:12 1,088,077 --a------ C:\ComboFix.exe

2007-05-30 20:01 <DIR> d-------- C:\Arquivos de programas\GameVicio

2007-05-30 19:32 347,253 --a------ C:\Silent Runners.vbs

2007-05-30 00:37 <DIR> d-------- C:\Arquivos de programas\Custom Technology

2007-05-29 20:55 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy

2007-05-28 14:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-05-28 13:49 <DIR> d-------- C:\HijackThis

2007-05-28 03:00 <DIR> d-------- C:\WINDOWS\pss

2007-05-28 01:25 114,284 --a------ C:\WINDOWS\system32\AOSMTP.dll

2007-05-28 01:21 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\uTorrent

2007-05-23 21:57 <DIR> d-------- C:\Arquivos de programas\DIKO

2007-05-19 18:08 922 --a------ C:\WINDOWS\Recorder.reg

2007-05-19 18:07 <DIR> d-------- C:\Arquivos de programas\Pinnacle

2007-05-18 14:50 <DIR> d-------- C:\Arquivos de programas\Alcohol Soft

2007-05-18 14:41 <DIR> d-------- C:\Arquivos de programas\DAEMON Tools

2007-05-17 18:41 73,728 --a------ C:\WINDOWS\system32\dpl100.dll

2007-05-17 18:41 639,066 --a------ C:\WINDOWS\system32\divx.dll

2007-05-17 18:41 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll

2007-05-17 18:41 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll

2007-05-17 18:41 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

2007-05-17 18:41 196,608 --a------ C:\WINDOWS\system32\dtu100.dll

2007-05-17 18:41 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll

2007-05-17 18:41 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll

2007-05-17 18:41 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll

2007-05-17 18:41 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\Real

2007-05-17 18:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Real

2007-05-17 18:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Apple Computer

2007-05-17 18:41 <DIR> d-------- C:\Arquivos de programas\K-Lite Codec Pack

2007-05-17 13:09 51,568 --a------ C:\WINDOWS\system32\sirenacm.dll

2007-05-16 21:55 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\VideoCalc

2007-05-14 23:58 74 --ah----- C:\WINDOWS\sysdws.dat

2007-05-14 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Ulead Systems

2007-05-13 22:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Nero

2007-05-13 22:18 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Ahead

2007-05-13 20:39 <DIR> d-------- C:\Arquivos de programas\DVD Decrypter

2007-05-13 16:42 <DIR> d-------- C:\Arquivos de programas\Nero

2007-05-13 13:55 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2007-05-12 22:26 <DIR> d-------- C:\Arquivos de programas\Sony Setup

2007-05-12 21:39 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\Publish Providers

2007-05-12 21:36 <DIR> d-------- C:\DOCUME~1\IGORTP~1\DADOSD~1\Sony

2007-05-12 21:35 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll

2007-05-12 21:35 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll

2007-05-12 21:35 <DIR> d-------- C:\Arquivos de programas\Microsoft SQL Server

2007-05-12 21:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Sony

2007-05-12 21:33 <DIR> d-------- C:\Arquivos de programas\Sony

2007-05-12 01:19 299 --a------ C:\WINDOWS\PowerReg.dat

2007-05-12 00:15 <DIR> d--h----- C:\WINDOWS\PIF

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-03 07:53:51 70,042 ----a-w C:\WINDOWS\system32\perfc016.dat

2007-06-03 07:53:51 433,870 ----a-w C:\WINDOWS\system32\perfh016.dat

2007-06-02 22:43:05 -------- d-----w C:\Arquivos de programas\Windows Defender

2007-06-02 07:44:44 -------- d-----w C:\Arquivos de programas\Valve

2007-06-02 06:22:20 -------- d-----w C:\Arquivos de programas\MSN Messenger

2007-05-29 19:17:19 -------- d-----w C:\Arquivos de programas\MessengerDiscovery

2007-05-29 19:17:19 -------- d-----w C:\Arquivos de programas\Messenger Plus! Live

2007-05-29 19:17:16 -------- d-----w C:\Arquivos de programas\eMule

2007-05-28 17:40:19 -------- d-----w C:\Arquivos de programas\PC Connectivity Solution

2007-05-25 21:23:14 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2007-05-24 21:04:02 -------- d-----w C:\Arquivos de programas\CoolSMS

2007-05-18 17:30:13 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-05-14 22:36:42 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Ahead

2007-05-13 22:53:00 -------- d-----w C:\Arquivos de programas\Tibia

2007-05-13 16:55:14 -------- d-----w C:\Arquivos de programas\D'Accord Music Software

2007-05-13 16:30:01 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2007-05-13 02:46:32 -------- d-----w C:\Arquivos de programas\Ahead

2007-05-08 01:57:05 -------- d-----w C:\Arquivos de programas\Windows Media Connect 2

2007-05-02 01:07:42 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Alien Skin

2007-05-01 01:41:25 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Activision

2007-04-29 22:23:44 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\BSplayer Pro

2007-04-29 22:19:30 -------- d-----w C:\Arquivos de programas\Webteh

2007-04-26 00:49:07 -------- d-----w C:\Arquivos de programas\directx

2007-04-26 00:44:06 -------- d-----w C:\Arquivos de programas\MGI

2007-04-20 23:34:40 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Nokia

2007-04-20 23:13:03 -------- d-----w C:\Arquivos de programas\Arquivos comuns\PCSuite

2007-04-20 23:13:00 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Nokia

2007-04-20 23:12:56 -------- d-----w C:\Arquivos de programas\Nokia

2007-04-18 16:13:00 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-10 21:50:54 -------- d-----w C:\Arquivos de programas\Arquivos comuns\River Past

2007-04-10 21:50:36 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\River Past G2

2007-04-10 20:39:33 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\River Past G5

2007-04-10 20:33:57 81 ----a-w C:\WINDOWS\system32\buyurl0502.dat

2007-04-10 20:06:43 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Nokia Multimedia Player

2007-04-10 16:29:40 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\PC Suite

2007-04-08 05:46:04 -------- d-----w C:\DOCUME~1\IGORTP~1\DADOSD~1\Hamachi

2007-03-23 17:39:21 115,200 -c--a-w C:\WINDOWS\snap.dat

2007-03-17 13:44:49 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-14 22:27:58 972,336 ----a-w C:\WINDOWS\UNRecode.exe

2007-03-14 22:19:56 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll

2007-03-14 22:19:26 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe

2007-03-12 16:51:08 972,336 ----a-w C:\WINDOWS\UNNeroMediaHome.exe

2007-03-08 15:36:54 578,048 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:54 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:54 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 15:33:32 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Smapp"="C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]

"APVXDWIN"="C:\Arquivos de programas\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 06:59]

"nwiz"="nwiz.exe" [2006-08-11 20:43 C:\WINDOWS\system32\nwiz.exe]

"AGRSMMSG"="AGRSMMSG.exe" []

"Windows Defender"="C:\Arquivos de programas\Windows Defender\MSASCui.exe" [2006-11-03 17:20]

"RegistryMechanic"="" []

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"PCSuiteTrayApplication"="C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]

"NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]

"Markting"="C:\windows\system32\java.exe" [2007-05-28 01:25]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49]

"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2007-04-03 19:29]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Nokia.PCSync"=C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

avldr.dll

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-05 03:45:20 C:\WINDOWS\tasks\MP Scheduled Scan.job

 

********************************************************************

 

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-05 00:51:19

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-06-05 0:52:18

C:\ComboFix2.txt ... 2007-06-04 23:49

 

--- E O F ---

 

 

Thanks.


Good evening sk8ifb!

 

>@< How is the Task Manager?

>@< EliStarA found some malware files!

>@< All that remains is an online check, searching for malware still on the PC.

>@< I suggest Kaspersky.

>@< Run the scan and post the report!

 

Regards!
