[Resolvido!]Start Page alterada - www.gozobil.lx.ro

[JOMALOSA 0]

Olá Pessoal,

Peço a vossa ajuda para o seguinte problema:

 

As "Search Page" e "Start Page" foram alteradas para www.gozobil.lx.ro.

Executei o HijackThis e deletei as seguintes entradas:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gozobil.lx.ro

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

 

Imediatamente executei de novo o HijackThis e aquelas entradas continuavam ativas.

 

Tentei solucionar o problema da seguinte maneira:

- Entrei no Modo de Segurança.

- Executei o HijackThis.

- Deletei aquelas entradas mencionadas acima.

- Executei o EliStara, seguindo as condições propostas.

- Executei o HijackThis e as entradas não apareceram.

 

- Reiniciei em Modo Normal.

- Executei o HijackThis e as entradas acima voltaram a aparecer.

 

 

Deve ter um processo no boot, que não consigo identificar, que está alterando aquelas entradas.

 

Por favor peço ajuda para este problema

 

Envio também o log do HijackThis

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 23:20:45, on 22/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\locator.exe

C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Arquivos de programas\Webroot\Spy Sweeper\SSU.EXE

C:\WINDOWS\system32\mdm.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

D:\HijackThis1991\HiJackThis_v2.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gozobil.lx.ro

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sDTray] "C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FSL Launcher.lnk = C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

O23 - Service: Commander Service - Seagull Scientific, Inc - C:\Arquivos de programas\Seagull\BarTender 7.10\Trial\CmdrSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 7526 bytes

 

-

[jgarcia 1]

Opa JOMALOSA,

 

Baixe o ComboFix em:

ComboFix

 

1) Dê um duplo-clique no combofix.exe e tecle "Y" para prosseguir. O processo vai durar, em média, 10 minutos;

2) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado;

3) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;

4) Não clique na janela do ComboFix, nem feche clicando no X, enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco);

5) Para parar ou sair do ComboFix, tecle "N";

6) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta.

 

Abraços.

[JOMALOSA 0]

Olá Garcia,Obrigado por sua resposta rápida.Tive problemas com o processamento do Combofix.Executei o Combofix e abriu uma tela com a mensagem “Please Wait” e outra de erro com a mensagem “Errors encountered while processing the operation. Look at the information window for more details”Pressionei “OK” e apareceu outra janela com a mensagem “Cannot open c:\combofix\combofix.exe.Pessionei “Close” e esperei 3 horas e 30 minutos com a tela do Combofix ativa, “Please Wait”,Depois deste tempo tentei sair do Combofix teclando “N”, mas deu a seguinte mensagem: “ ‘N’ não é reconhecido como um comando interno ou externo, um programa operável ou um arquivo em lotes”.Cancelei o Combofix pelo Task Manager.Por favor aguardo sua orientação quanto ao procedimento a efetuar.Obrigado

[jgarcia 1]

Opa JOMALOSA,

 

Poste um novo log do HijackThis.

 

Abraços.

[JOMALOSA 0]

Garcia,

 

Aqui está o log do HJT solicitado.

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 22:02:26, on 24/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\locator.exe

C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SSU.EXE

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\mdm.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

D:\Tag&Rename_R320_RC2\fixed\TagRename.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Arquivos de programas\Winamp\Winamp.exe

C:\Arquivos de programas\AcqURL73\AcqURL.exe

C:\Arquivos de programas\BearShare\BearShare.exe

c:\arquivos de programas\internet explorer\iexplore.exe

C:\Arquivos de programas\DremTeamShare\DreMule\emule.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

D:\HijackThis1991\HiJackThis_v2.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gozobil.lx.ro

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sDTray] "C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FSL Launcher.lnk = C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

O23 - Service: Commander Service - Seagull Scientific, Inc - C:\Arquivos de programas\Seagull\BarTender 7.10\Trial\CmdrSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 7870 bytes

[jgarcia 1]

Opa JOMALOSA,

 

1. Baixe o SmitfraudFix;

 

2. Desabilite a proteção do seu anti-vírus (temporariamente);

 

3. Extraia o arquivo SmitFraudFix para o seu desktop;

 

4. Reinicie em Modo Seguro;

 

5. Execute o SmitfraudFix dando um duplo clique sobre smitfraudfix.cmd --> escolha a Opção 2;

 

6. Responda sim (y) à pergunta sobre a limpeza no registro (Do you want to clean the registry?);

 

7. Aguarde o término do scan e a geração do log;

 

8. Reinicie em Modo Normal;

 

9. Reabilite o seu anti-vírus;

 

10. Poste o log do SmitfraudFix (opção 2) + log HijackThis (gerado em Modo Normal).

 

Abraços.

[JOMALOSA 0]

Oi garcia,

 

Executei a rotina recomendada e estou enviando os logs do SmitfraudFix e HJT.

 

SmitFraudFix v2.196

 

Scan done at 19:45:44,84, seg 25/06/2007

Run from C:\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3FFA3663-7DCC-41A9-9E5C-CF6438BCC7A2}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{3FFA3663-7DCC-41A9-9E5C-CF6438BCC7A2}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{3FFA3663-7DCC-41A9-9E5C-CF6438BCC7A2}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 20:07:55, on 25/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\locator.exe

C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SSU.EXE

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\Notepad.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Symantec\LiveUpdate\AUpdate.exe

C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

D:\HijackThis1991\HiJackThis_v2.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gozobil.lx.ro

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sDTray] "C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKLM\..\Run: [spySweeper] C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FSL Launcher.lnk = C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

O23 - Service: Commander Service - Seagull Scientific, Inc - C:\Arquivos de programas\Seagull\BarTender 7.10\Trial\CmdrSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 7431 bytes

[jgarcia 1]

Opa JOMALOSA,

 

Vamos lá.

 

É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo de Seguro e a conexão à internet não será possível.

 

Reinicie o computador em Modo Seguro.

 

Vá em Iniciar -> Executar -> digite regedit -> dê Ok.

 

Navegue até a seguinte subchave:

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

 

No painel à direita localize Search Page, selecione, dê um clique-direito, escolha Modificar e coloque a página de sua preferência.

 

Navegue até a seguinte subchave:

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

 

No painel à direita localize Start Page, selecione, dê um clique-direito, escolha Modificar e coloque a página de sua preferência.

 

Navegue até a seguinte subchave:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

 

No painel à direita localize Search Bar, selecione, dê um clique-direito, escolha Modificar e coloque a página de sua preferência.

 

Navegue até a seguinte subchave:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

 

No painel à direita localize Start Page, selecione, dê um clique-direito, escolha Modificar e coloque a página de sua preferência.

 

Saia do Editor do Registro.

 

Reinicie em Modo Normal.

 

Poste um novo log do HijackThis.

 

Aguardo retorno.

 

Um abraço.

[JOMALOSA 0]

Garcia,

Este é o log do HJT após executar a rotina.

 

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 00:05:31, on 26/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\locator.exe

C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SSU.EXE

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\mdm.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

D:\HijackThis1991\HiJackThis_v2.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Arquivos de programas\Symantec\LiveUpdate\AUpdate.exe

C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gozobil.lx.ro

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sDTray] "C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FSL Launcher.lnk = C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

O23 - Service: Commander Service - Seagull Scientific, Inc - C:\Arquivos de programas\Seagull\BarTender 7.10\Trial\CmdrSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 7428 bytes

[jgarcia 1]

Opa JOMALOSA,

 

Vamos lá.

 

1ª Etapa

 

Baixe o CCleaner em:

CCleaner

 

Baixe, mas não execute ainda.

 

Baixe o AVG AntiSpyware em:

AVG AntiSpyware

 

* Selecione "English" como idioma para a instalação;

* Clique em Next --> I Agree --> Next --> Next. Desmarque a caixa Install background guard e clique em Install e depois Finish;

* Na janela principal do AVG AntiSpyware clique em Actualizar no menu esquerdo e então clique em Iniciar actualização;

* Quando a atualização terminar, você verá a mensagem Actualizado com sucesso no canto inferior esquerdo;

* Pronto, mas não o execute ainda.

 

É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo Seguro e a conexão à internet não será possível.

 

2ª Etapa

 

Reinicie em Modo Seguro.

 

Execute uma verificação completa com o AVG AntiSpyware.

 

* Abra o AVG AntiSpyware e clique em Verificar --> Verificação Completa do Sistema;

* O AVG AntiSpyware detecta alguns programas legítimos, portanto não marque a caixa que diz Executar a ação em todas as infecções. Se o AVG AntiSpyware encontrar um arquivo que você acredita ser legítimo, escolha a opção "Nenhuma" e clique em OK. Caso contrário, deixe em Remover e clique em OK.

* Quando o AVG AntiSpyware terminar, feche-o.

 

3ª Etapa

 

Reinicie o computador em Modo Normal.

 

Execute o CCleaner e clique em Executar Cleaner.

 

Retorne com um novo log do HijackThis.

 

Abraços.

[JOMALOSA 0]

Olá Garcia,

Sobre a rotina que mandou executar gostaria de dizer que durante a instalação o AVG AntiSpyware não solicitou “Install background guard”. Por isso não tive acesso à caixa para desmarcar.

Estou enviando o log do HJT após AVG/CCleaner e também o log do AVG, para sua análise.

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 00:13:27, on 28/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\locator.exe

C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Arquivos de programas\Webroot\Spy Sweeper\SSU.EXE

C:\WINDOWS\system32\mdm.exe

C:\WINDOWS\system32\cidaemon.exe

D:\HijackThis1991\HiJackThis_v2.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gozobil.lx.ro

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sDTray] "C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FSL Launcher.lnk = C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

O23 - Service: Commander Service - Seagull Scientific, Inc - C:\Arquivos de programas\Seagull\BarTender 7.10\Trial\CmdrSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 7560 bytes

 

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 23:46:04 27/6/2007

 

+ Scan result:

 

 

 

C:\RECYCLER\S-1-5-21-2000478354-688789844-725345543-1003\Dc306.zip/BitDownload-3.2.0.0-setup-0310.exe -> Adware.Lop : Cleaned.

C:\WINDOWS\system32\tables.ini -> Backdoor.Zapchast.NY : Cleaned.

C:\RECYCLER\S-1-5-21-2000478354-688789844-725345543-1003\Dc333.exe -> Downloader.Agent.aii : Cleaned.

D:\data -> Downloader.IstBar.kc : Cleaned.

D:\Downloads\Downs_Softwares\GNU CRACK GEN 2.2 CRACKS ANY SOFTWARE- SolSuite 2005 - Solitaire Card Games Suite 5 Spy Cleaner Gold 9 Spybot - Search & Destroy 1 Spyware Doctor 3 serial all versions 1.rar/Setup.exe -> Hijacker.Agent.hz : Cleaned.

D:\System Volume Information\_restore{21C7B9F3-886C-4274-B504-CE3FEC9E865F}\RP318\A0089285.exe -> Hijacker.StartPage.aop : Cleaned.

D:\RECYCLER\S-1-5-21-2000478354-688789844-725345543-1003\Dd17025.exe -> Logger.Ardamax.i : Cleaned.

D:\Windows_XP_Tudo\Windows_Genuine_Make.rar/Make Windows Genuine\Make Your Copy of Windows 100% Genuine in 2 Seconds\Port_RockXP_v4.exe/RockXP4.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Ignored.

C:\Documents and Settings\JM\Cookies\jm@3.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\JM\Cookies\jm@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\JM\Cookies\jm@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\JM\Cookies\jm@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\JM\Cookies\jm@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.

C:\Documents and Settings\JM\Cookies\jm@ie.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\JM\Cookies\jm@ie.search.msn[3].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\JM\Cookies\jm@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.

C:\Documents and Settings\JM\Cookies\jm@www.paypal[2].txt -> TrackingCookie.Paypal : Cleaned.

C:\RECYCLER\S-1-5-21-2000478354-688789844-725345543-1003\Dc307.zip/BitDownload fastets Bittorrent downloader.exe -> Trojan.Obfuscated.en : Cleaned.

D:\Downloads\Downs_Softwares\Windows_Genuine_In_5_sec.rar/Windows Toolkit.zip/windowsxp_keygen.exe -> Trojan.Small.edz : Cleaned.

D:\Downloads\Downs_Softwares\VSO_ConvertXToDVD_2[1].1.8_Build_193.rar/VSO ConvertXToDVD 2.1.8 Build 193\Patch\convertxtodvd.2.1.x.xxx-patch.exe -> Trojan.Small.q : Cleaned.

C:\WINDOWS\system32\winname.crt -> Trojan.Zapchast.p : Cleaned.

 

 

::Report end

[jgarcia 1]

Opa JOMALOSA,

 

Baixe, instale e execute o Ad-Ware 2007.

 

Depois de executá-lo, retorne com um novo log do HijackThis.

 

Abraços.

[JOMALOSA 0]

Garcia,Parece que meu problema é maior do que imagino.Baixei e tentei instalar o Ad-Ware 2007.Durante a instalação recebi a seguinte mensagem:"Error 1401. Could not create key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress. Verify that you have sufficient access to that key, or contact your support personnel."Como informação:Desde o último post troquei o antivirus Norton pelo Kaspersky.Mais uma vez peço ajudaObrigado

[jgarcia 1]

Opa JOMALOSA,

 

Baixe o SilentRunners.

 

Extraia o arquivo SilentRunners.vbs para o C. Dê duplo clique sobre o arquivo para executá-lo.

 

Após executá-lo aguarde até que seja gerado um documento denominado Startup Programs (USUÁRIO) data. Copie o conteúdo deste documento e cole em sua próxima resposta.

 

Abraços.

 

Obs.: Caso o seu AV detecte o arquivo como sendo um script malicioso não se preocupe e autorize a execução.

[JOMALOSA 0]

Ola Garcia,

 

Após executar sua rotina aqui está o documento gerado:

 

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"msnmsgr" = ""C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"BluetoothAuthenticationAgent" = ""rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent" [MS]

"ccApp" = ""C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"" [file not found]

"Absolute StartUp monitor" = "C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe" [file not found]

"SDTray" = ""C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]

"AVP" = ""C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"" ["Kaspersky Lab"]

"SpySweeper" = "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray" ["Webroot Software, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"

-> {HKLM...CLSID} = "Página de Propriedades de Produtos sem Fio"

\InProcServer32\(Default) = ""C:\Arquivos de programas\Microsoft IntelliPoint\ipcplwir.dll"" [MS]

"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"

-> {HKLM...CLSID} = "Página de Propriedades da Roda"

\InProcServer32\(Default) = ""C:\Arquivos de programas\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]

"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"

-> {HKLM...CLSID} = "Página de Propriedades das Atividades"

\InProcServer32\(Default) = ""C:\Arquivos de programas\Microsoft IntelliPoint\ipcplact.dll"" [MS]

"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"

-> {HKLM...CLSID} = "Página de Propriedades dos Botões"

\InProcServer32\(Default) = ""C:\Arquivos de programas\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

-> {HKLM...CLSID} = "iTunes"

\InProcServer32\(Default) = "C:\Arquivos de programas\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"

-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"

\InProcServer32\(Default) = "C:\ARQUIV~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"

-> {HKLM...CLSID} = "Trojan Remover Shell Extension"

\InProcServer32\(Default) = "C:\ARQUIV~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"

-> {HKLM...CLSID} = "Web Anti-Virus statistics"

\InProcServer32\(Default) = "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]

 

HKLM\System\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]|"SsiEfr.e" [file not found]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

CuteFTP 8 Professional\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"

-> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."]

FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\ShellEx.dll" ["Kaspersky Lab"]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

-> {HKLM...CLSID} = "Trojan Remover Shell Extension"

\InProcServer32\(Default) = "C:\ARQUIV~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

CuteFTP 8 Professional\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"

-> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."]

FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\ShellEx.dll" ["Kaspersky Lab"]

SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"

-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"

\InProcServer32\(Default) = "C:\ARQUIV~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

-> {HKLM...CLSID} = "Trojan Remover Shell Extension"

\InProcServer32\(Default) = "C:\ARQUIV~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"

-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"

\InProcServer32\(Default) = "C:\ARQUIV~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

"NoInstrumentation" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

 

 

Startup items in "JM" & "All Users" startup folders:

----------------------------------------------------

 

C:\Documents and Settings\JM\Menu Iniciar\Programas\Inicializar

"FSL Launcher" -> shortcut to: "C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe" ["FSL - FreeSoftLand"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}"

-> {HKLM...CLSID} = "Copernic Agent"

\InProcServer32\(Default) = "C:\Arquivos de programas\Copernic Agent\CopernicAgentExt.dll" ["Copernic Technologies Inc."]

 

Explorer Bars

 

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{6F480F82-C3A6-4D35-96F7-B297AD49FBE8}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Copernic Agent Results"

\InProcServer32\(Default) = "C:\Arquivos de programas\Copernic Agent\CopernicAgentExt.dll" ["Copernic Technologies Inc."]

{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Copernic Agent"

\InProcServer32\(Default) = "C:\Arquivos de programas\Copernic Agent\CopernicAgentExt.dll" ["Copernic Technologies Inc."]

 

HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\

"ButtonText" = "Web Anti-Virus statistics"

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"

[strings]: SAFESITE_VALUE="search.msn.com.br"

 

Missing lines (compared with English-language version):

[strings]: 2 lines

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

Kaspersky Anti-Virus 7.0, AVP, ""C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r" ["Kaspersky Lab"]

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]

Spyware Doctor Auxiliary Service, sdAuxService, "C:\Arquivos de programas\Spyware Doctor\svcntaux.exe" ["PC Tools"]

Spyware Doctor Service, sdCoreService, "C:\Arquivos de programas\Spyware Doctor\swdsvc.exe" ["PC Tools"]

Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Keyboard Driver Filters:

------------------------

 

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

"UpperFilters" = <<!>> "SSKBFD" ["Webroot Software Inc (www.webroot.com)"]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

----------

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 77 seconds, including 18 seconds for message boxes)

 

 

Abraços e obrigado

[jgarcia 1]

Opa JOMALOSA,

 

Reinicie o computador em Modo Seguro (ao reiniciar aperte a tecla F8 repetidamente até que apareça uma tela preta em DOS e escolha a opção Modo Seguro).

 

Execute o HijackThis, clique em Do a system scan only e marque:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gozobil.lx.ro

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gozobil.lx.ro

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gozobil.lx.ro

Clique em Fix Checked.

 

Reinicie em Modo Normal.

 

Poste um novo log do HijackThis.

 

Um abraço.

[JOMALOSA 0]

Garcia,

Aproveito para lhe dizer que que já consegui instalar o Ad-Ware 2007.

 

Logfile of HijackThis v1.99.1

Scan saved at 17:42:31, on 4/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\locator.exe

C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\mdm.exe

D:\HijackThis1991\HijackThis.exe

 

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Arquivos de programas\F-Group\Absolute StartUp\ASMon.exe

O4 - HKLM\..\Run: [sDTray] "C:\Arquivos de programas\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: FSL Launcher.lnk = C:\Arquivos de programas\FSL\FSL_Launcher\FSL_Launcher.exe

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Commander Service - Seagull Scientific, Inc - C:\Arquivos de programas\Seagull\BarTender 7.10\Trial\CmdrSrv.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\swdsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

[jgarcia 1]

Opa JOMALOSA,

 

A maldita gozobil já não mais aparece no log. A sua startpage continua alterada?

[JOMALOSA 0]

Garcia,A Start Page agora está ok.Aparentemente está tudo funcionando inclusive a instalação do Ad-Ware 2007.Muito Obrigado pela ajuda.JMário

[jgarcia 1]

Opa JOMALOSA,

 

É bom saber que o problema foi resolvido. :thumbsup:

 

Para finalizar:

 

1. Desabilite e Reabilite a função de Restauração Automática do XP. Clique aqui para ver como;

 

2. Leia o artigo Cuidados ao navegar na net e saiba como evitar novas infecções.

 

Abraços.