[Arquivado] MeU COMPUTADOR ESTÁ MUITO LENTO , SERÁ QUE É VIRUS

[G_santos 0]

Olá pessoal meu computador está muito lento, estou achando que pode ser algum virus.

Alguem pode me ajudar

 

 

Aqui está o log do hijackthis

 

 

Logfile of HijackThis v1.99.1

Scan saved at 08:27:09, on 21/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CAVTray.exe

C:\Program Files\CAVRID.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\lock.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ISafe.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\VetMsg.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe

C:\Documents and Settings\User\Meus documentos\Meus arquivos recebidos\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/GLogin.aspx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: free-downloads.net Toolbar - {d3e23b4b-f153-4687-82c2-816319dd3c5a} - C:\Arquivos de programas\free-downloads\tbfre1.dll

O3 - Toolbar: free-downloads.net Toolbar - {d3e23b4b-f153-4687-82c2-816319dd3c5a} - C:\Arquivos de programas\free-downloads\tbfre1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CAVRID.exe"

O4 - HKLM\..\Run: [shell] C:\WINDOWS\system\winlogin.cmd

O4 - HKLM\..\Run: [mxuptxn] C:\WINDOWS\\rxsetup.exe

O4 - HKLM\..\Run: [iniciarPrograma] "C:\WINDOWS\security.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Free Download Manager] "C:\Arquivos de programas\Free Download Manager\fdm.exe" -autorun

O4 - HKCU\..\Run: [Free Upload Manager] "C:\Arquivos de programas\Free Download Manager\fum\fum.exe" -autorun

O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Arquivos de programas\Free Download Manager\FUM\fumoei.exe

O4 - Startup: .protected

O4 - Global Startup: .protected

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: lock.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\ISafe.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Arquivos de programas\Intel\NCS\Sync\NetSvc.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\VetMsg.exe

 

 

 

 

Valeu!!!!!!!!!!!!!!!

[Alaerte Gabriel 662]

Deve-se suspeitar dos arquivos que tu não conheces:

 

C:\Program Files\CAVTray.exeC:\Program Files\CAVRID.exeO4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CAVTray.exe"O4 - Startup: .protectedO4 - Global Startup: .protectedO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: lock.exe

 

Se não for de algum programa de uso pessoal, remova-os.

 

Remova as linhas:

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O4 - HKLM\..\Run: [IniciarPrograma] "C:\WINDOWS\security.exe"O4 - HKLM\..\Run: [Shell] C:\WINDOWS\system\winlogin.cmdO4 - HKLM\..\Run: [mxuptxn] C:\WINDOWS\\rxsetup.exe

 

Abraço.

[G_santos 0]

OLá amigo

como faço para remover ?

[jgarcia 1]

Opa G_santos,

 

1. Baixe o BankerFix.

 

2. Desative o seu anti-vírus temporariamente.

 

3. Dê um duplo-clique sobre o bankerfix.exe. Uma mensagem aparecerá avisando que o mesmo será baixado via internet. Clique em Ok -> Ok. Aperte Enter e aguarde o término do scan.

 

4. Terminado o scan, leia a mensagem na tela e aperte Enter novamente.

 

5. Habilite o seu anti-vírus.

 

6. Retorne com um novo log do HijackThis, juntamente com o relatorio.txt do BankerFix (ele estará em C:\LinhaDefensiva\).

 

7. Depois de postar a sua resposta você poderá deletar a pasta LinhaDefensiva contida no C.

 

Abraços.

[G_santos 0]

OK !

 

Aqui está o log do hijackthis

 

Logfile of HijackThis v1.99.1

Scan saved at 11:42:19, on 28/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CAVTray.exe

C:\Program Files\CAVRID.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ISafe.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\VetMsg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\User\Meus documentos\Meus arquivos recebidos\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/GLogin.aspx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: free-downloads.net Toolbar - {d3e23b4b-f153-4687-82c2-816319dd3c5a} - C:\Arquivos de programas\free-downloads\tbfre1.dll

O3 - Toolbar: free-downloads.net Toolbar - {d3e23b4b-f153-4687-82c2-816319dd3c5a} - C:\Arquivos de programas\free-downloads\tbfre1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CAVRID.exe"

O4 - HKLM\..\Run: [mxuptxn] C:\WINDOWS\\rxsetup.exe

O4 - HKLM\..\Run: [iniciarPrograma] "C:\WINDOWS\security.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Startup: .protected

O4 - Global Startup: .protected

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\ISafe.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Arquivos de programas\Intel\NCS\Sync\NetSvc.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\VetMsg.exe

 

 

E o relatorio txt.

 

 

 

BankerFix 2.4 - Removedor de Bankers

Linha Defensiva - http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

Data: 28/12/2007 - 11:35

-------------------------------------------------------

Lista de Definição: 2007-12-25-1

=======================================================

 

Arquivo infectado detectado: C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\lock.exe

Arquivo infectado removido com sucesso!

 

 

Killando arquivos em Help

-----------------------------------

 

Killing '*'

 

Removendo Arquivos em Help

-----------------------------------

 

 

 

----- Fim -------------------------

[jgarcia 1]

Opa G_santos,

 

Vamos lá.

 

Habilite o Windows para mostrar todos os arquivos (até ocultos).

 

1ª Etapa

 

Baixe o CCleaner em:

CCleaner

 

Baixe, mas não execute ainda.

 

Baixe o Killbox em:

Killbox

 

1. Execute o Killbox, clique em Delete on Reboot.

 

2. Copie a lista abaixo em negrito para a área de transferência. Selecione tudo com o auxílio do mouse --> vá até a aba Editar na barra do navegador --> clique em Copiar.

 

C:\WINDOWS\\rxsetup.exe

C:\WINDOWS\security.exe

 

3. Retorne ao Killbox. Clique em File > Paste from clipboard. Clique em All Files.

 

4. Aperte em "X". Responda "não" à pergunta.

 

É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo de Seguro e a conexão à internet não será possível.

 

2ª Etapa

 

Reinicie o computador em Modo Seguro (ao reiniciar aperte a tecla F8 repetidamente até que apareça uma tela preta em DOS e escolha a opção Modo Seguro).

 

Execute o HijackThis, clique em Do a system scan only e marque:

O4 - HKLM\..\Run: [mxuptxn] C:\WINDOWS\\rxsetup.exe

O4 - HKLM\..\Run: [iniciarPrograma] "C:\WINDOWS\security.exe"

O4 - Startup: .protected

O4 - Global Startup: .protected

Clique em Fix Checked.

 

3ª Etapa

 

Reinicie em Modo Normal.

 

Delete o conteúdo da pasta C:\!Killbox.

 

Execute o CCleaner e clique em Executar Limpeza.

 

Retorne com um novo log do HijackThis.

 

Aguardo retorno.

 

Um abraço.

[G_santos 0]

Aqui está o log!

 

 

Logfile of HijackThis v1.99.1

Scan saved at 19:27:04, on 4/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\User\Meus documentos\Meus arquivos recebidos\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/GLogin.aspx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Startup: .protected

O4 - Global Startup: .protected

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Arquivos de programas\Intel\NCS\Sync\NetSvc.exe

[jgarcia 1]

Opa G_santos,

 

Baixe o ComboFix em:

ComboFix

 

1) Desabilite o seu anti-vírus temporariamente;

2) Dê um duplo-clique no combofix.exe e tecle "1" para prosseguir. O processo vai durar, em média, 10 minutos;

3) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);

4) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;

5) Não clique na janela do ComboFix, nem feche clicando no X, enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco);

6) Para parar ou sair do ComboFix, tecle "N";

7) Reabilite o seu anti-vírus;

8) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta, juntamente com um novo log do HijackThis.

 

Abraços.

[G_santos 0]

Aqui estão os logs

 

 

Logfile of HijackThis v1.99.1

Scan saved at 12:19:38, on 7/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\User\Meus documentos\Meus arquivos recebidos\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/GLogin.aspx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Arquivos de programas\Intel\NCS\Sync\NetSvc.exe

 

 

ComboFix 08-01-04.1 - User 2008-01-07 12:09:56.3 - NTFSx86

Executando de: C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\.protected

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\.protected

C:\Documents and Settings\User\Menu Iniciar\Programas\Inicializar\.protected

C:\WINDOWS\.protected

C:\WINDOWS\dat.txt

C:\WINDOWS\rs.txt

C:\WINDOWS\system32\drivers\etc\.protected

 

.

((((((((((((((((((((((( Ficheiros criados de 2007-12-07 to 2008-01-07 ))))))))))))))))))))))))))))))))

.

 

2008-01-04 19:13 . 2008-01-04 19:13 <DIR> d----c--- C:\Arquivos de programas\CCleaner

2008-01-04 17:05 . 2008-01-04 17:05 244 --ah-c--- C:\sqmnoopt15.sqm

2008-01-04 17:05 . 2008-01-04 17:05 232 --ah-c--- C:\sqmdata15.sqm

2008-01-03 23:08 . 2008-01-03 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

2008-01-03 23:08 . 2008-01-03 23:09 <DIR> d----c--- C:\Arquivos de programas\GbPlugin

2008-01-03 17:45 . 2008-01-03 18:50 <DIR> d----c--- C:\Arquivos de programas\MSN Messenger

2008-01-02 22:41 . 2005-12-14 15:10 552,960 --a------ C:\WINDOWS\system32\xvidcore.dll

2008-01-02 22:41 . 2005-12-14 15:08 159,744 --a------ C:\WINDOWS\system32\xvidvfw.dll

2008-01-02 22:41 . 2005-12-14 15:11 61,440 --a------ C:\WINDOWS\system32\xvid.ax

2008-01-02 22:41 . 2004-03-09 09:39 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe

2008-01-02 22:40 . 2008-01-02 22:40 <DIR> d----c--- C:\Arquivos de programas\Samsung

2008-01-02 22:40 . 1998-07-09 19:41 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll

2008-01-02 22:40 . 1998-03-04 10:40 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll

2007-12-30 14:43 . 2008-01-03 15:28 <DIR> d----c--- C:\Arquivos de programas\Google

2007-12-28 11:34 . 2007-12-28 11:35 <DIR> d----c--- C:\LinhaDefensiva

2007-12-26 11:35 . 2007-12-26 11:35 <DIR> d----c--- C:\Arquivos de programas\IObit

2007-12-12 12:55 . 2007-12-12 12:55 <DIR> d----c--- C:\Arquivos de programas\MSECache

2007-12-08 14:21 . 2007-12-08 14:21 386,560 --a------ C:\WINDOWS\security.exe

2007-12-08 14:21 . 2007-12-08 14:21 5 --a------ C:\WINDOWS\system32\darpxfe

2007-12-08 14:20 . 2007-12-08 14:20 116,224 --a------ C:\WINDOWS\rxsetup.exe

2007-12-08 04:28 . 2007-12-08 04:28 <DIR> d----c--- C:\Arquivos de programas\FLV Hosting

2007-12-08 04:28 . 2004-03-09 01:00 152,848 --a------ C:\WINDOWS\system32\comdlg32.ocx

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-03 00:40 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-01-03 00:11 --------- d-----w C:\Arquivos de programas\free-downloads

2007-12-25 13:01 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\AVG7

2007-12-23 10:01 --------- d-----w C:\Documents and Settings\LocalService\Dados de aplicativos\AVG7

2007-12-09 19:47 --------- d-----w C:\Arquivos de programas\Flash Website Design

2007-12-06 00:04 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\DMCache

2007-12-01 11:40 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\fltk.org

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-09 23:30 --------- d-----w C:\Arquivos de programas\DivX

2007-11-09 22:10 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\DivX

2007-11-09 19:54 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\Yahoo!

2007-11-09 19:54 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Yahoo! Companion

2007-11-09 19:50 --------- d-----w C:\Arquivos de programas\Yahoo!

2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 11:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2007-07-30 15:23 8 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\VGANGMJYMWPP.SYS

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:45 15360]

"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 14:24 1694208]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:45 15360]

"AVG7_Run"="C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 10:22 219136]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [2007-12-03 15:30 347976]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GbPlugin\gbieh.dll 2007-12-03 15:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Utility Tray.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Utility Tray.lnk

backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

Mixer.exe /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]

RunDll32 cmicnfg.cpl,CMICtrlWnd

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2004-08-04 01:45 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2004-10-07 22:27 126976 -ra------ C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2004-10-07 22:31 155648 -ra------ C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

2003-03-11 17:24 86016 --a------ C:\Arquivos de programas\Intel\NCS\PROSet\PRONoMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

C:\Arquivos de programas\VIA\RAID\raid_t

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2003-12-08 18:35 32768 --a------ C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]

2002-07-12 08:15 106496 --a------ C:\WINDOWS\SiSUSBrg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

C:\Arquivos de programas\Skype\Phone\Skype.exe /nosplash /minimized

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VModes]

VModes 1024 768 32 60

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

VTTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

VTtrayp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsTranslator]

2000-08-31 17:33 395776 --a------ C:\ARQUIV~1\MICROP~1\DELTAT~1.0\DWinTrsl.exe

 

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-04-26 01:22]

S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-21 12:37]

S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 05:39]

S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-25 12:19]

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-07 12:12:39

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-01-07 12:14:01

ComboFix-quarantined-files.txt 2008-01-07 14:13:39

ComboFix2.txt 2007-08-08 14:37:05

ComboFix3.txt 2007-08-07 03:56:54

.

2007-12-12 14:51:25 --- E O F ---

[jgarcia 1]

Opa G_santos,

 

Vamos lá.

 

1ª Etapa

 

1. Execute o Killbox, clique em Delete on Reboot.

 

2. Copie a lista abaixo em negrito para a área de transferência. Selecione tudo com o auxílio do mouse --> vá até a aba Editar na barra do navegador --> clique em Copiar.

 

C:\WINDOWS\security.exe

C:\WINDOWS\rxsetup.exe

C:\WINDOWS\system32\darpxfe

C:\Documents and Settings\All Users\Dados de aplicativos\VGANGMJYMWPP.SYS

 

3. Retorne ao Killbox. Clique em File > Paste from clipboard. Clique em All Files.

 

4. Aperte em "X". Responda "não" à pergunta.

 

2ª Etapa

 

Reinicie em Modo Normal.

 

Delete o conteúdo da pasta C:\!Killbox.

 

Retorne com novos logs do ComboFix e HijackThis.

 

Um abraço.

[G_santos 0]

Aqui estão!

 

 

ComboFix 08-01-04.1 - User 2008-01-11 11:03:03.4 - NTFSx86

Executando de: C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe

.

 

((((((((((((((((((((((( Ficheiros criados de 2007-12-11 to 2008-01-11 ))))))))))))))))))))))))))))))))

.

 

2008-01-11 07:29 . 2008-01-11 07:29 244 --ah-c--- C:\sqmnoopt17.sqm

2008-01-11 07:29 . 2008-01-11 07:29 232 --ah-c--- C:\sqmdata17.sqm

2008-01-11 06:35 . 2008-01-11 06:35 244 --ah-c--- C:\sqmnoopt16.sqm

2008-01-11 06:35 . 2008-01-11 06:35 232 --ah-c--- C:\sqmdata16.sqm

2008-01-09 13:24 . 2008-01-09 13:24 1,355 --a------ C:\WINDOWS\imsins.BAK

2008-01-04 19:13 . 2008-01-04 19:13 <DIR> d----c--- C:\Arquivos de programas\CCleaner

2008-01-04 17:05 . 2008-01-04 17:05 244 --ah-c--- C:\sqmnoopt15.sqm

2008-01-04 17:05 . 2008-01-04 17:05 232 --ah-c--- C:\sqmdata15.sqm

2008-01-03 23:08 . 2008-01-03 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

2008-01-03 23:08 . 2008-01-03 23:09 <DIR> d----c--- C:\Arquivos de programas\GbPlugin

2008-01-03 17:45 . 2008-01-03 18:50 <DIR> d----c--- C:\Arquivos de programas\MSN Messenger

2008-01-02 22:41 . 2005-12-14 15:10 552,960 --a------ C:\WINDOWS\system32\xvidcore.dll

2008-01-02 22:41 . 2005-12-14 15:08 159,744 --a------ C:\WINDOWS\system32\xvidvfw.dll

2008-01-02 22:41 . 2005-12-14 15:11 61,440 --a------ C:\WINDOWS\system32\xvid.ax

2008-01-02 22:41 . 2004-03-09 09:39 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe

2008-01-02 22:40 . 2008-01-02 22:40 <DIR> d----c--- C:\Arquivos de programas\Samsung

2008-01-02 22:40 . 1998-07-09 19:41 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll

2008-01-02 22:40 . 1998-03-04 10:40 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll

2007-12-30 14:43 . 2008-01-03 15:28 <DIR> d----c--- C:\Arquivos de programas\Google

2007-12-28 11:34 . 2007-12-28 11:35 <DIR> d----c--- C:\LinhaDefensiva

2007-12-26 11:35 . 2007-12-26 11:35 <DIR> d----c--- C:\Arquivos de programas\IObit

2007-12-12 12:55 . 2007-12-12 12:55 <DIR> d----c--- C:\Arquivos de programas\MSECache

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-11 10:00 --------- d-----w C:\Documents and Settings\LocalService\Dados de aplicativos\AVG7

2008-01-03 00:40 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-01-03 00:11 --------- d-----w C:\Arquivos de programas\free-downloads

2007-12-25 13:01 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\AVG7

2007-12-09 19:47 --------- d-----w C:\Arquivos de programas\Flash Website Design

2007-12-08 06:28 --------- dc----w C:\Arquivos de programas\FLV Hosting

2007-12-06 00:04 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\DMCache

2007-12-01 11:40 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\fltk.org

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-07 09:28 724,480 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-25 11:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-07_12.13.19,18 )))))))))))))))))))))))))))))))))))))))))

.

- 2006-08-17 12:28:32 724,480 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll

+ 2007-11-07 09:28:43 724,480 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll

- 2006-04-20 11:51:50 359,808 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys

+ 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys

- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

- 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe

+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:45 15360]

"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 14:24 1694208]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:45 15360]

"AVG7_Run"="C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 10:22 219136]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [2007-12-03 15:30 347976]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GbPlugin\gbieh.dll 2007-12-03 15:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Utility Tray.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Utility Tray.lnk

backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

Mixer.exe /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]

RunDll32 cmicnfg.cpl,CMICtrlWnd

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2004-08-04 01:45 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2004-10-07 22:27 126976 -ra------ C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2004-10-07 22:31 155648 -ra------ C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

2003-03-11 17:24 86016 --a------ C:\Arquivos de programas\Intel\NCS\PROSet\PRONoMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

C:\Arquivos de programas\VIA\RAID\raid_t

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2003-12-08 18:35 32768 --a------ C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]

2002-07-12 08:15 106496 --a------ C:\WINDOWS\SiSUSBrg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

C:\Arquivos de programas\Skype\Phone\Skype.exe /nosplash /minimized

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VModes]

VModes 1024 768 32 60

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

VTTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

VTtrayp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsTranslator]

2000-08-31 17:33 395776 --a------ C:\ARQUIV~1\MICROP~1\DELTAT~1.0\DWinTrsl.exe

 

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-04-26 01:22]

S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-21 12:37]

S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 05:39]

S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-25 12:19]

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-11 11:06:01

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-01-11 11:07:54

ComboFix-quarantined-files.txt 2008-01-11 13:07:37

ComboFix2.txt 2008-01-07 14:14:02

ComboFix3.txt 2007-08-08 14:37:05

ComboFix4.txt 2007-08-07 03:56:54

.

2008-01-09 15:27:28 --- E O F ---

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:10:29, on 11/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\User\Meus documentos\Meus arquivos recebidos\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/GLogin.aspx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Arquivos de programas\Intel\NCS\Sync\NetSvc.exe

[jgarcia 1]

Opa G_santos,

 

Submeta o arquivo abaixo ao site da Jotti:

 

C:\WINDOWS\imsins.BAK

 

... e retorne com o resultado.

 

Abraços.

[G_santos 0]

Scanner results

Scan taken on 14 Jan 2008 19:10:50 (GMT)

A-Squared Found nothing

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Ikarus Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Rising Antivirus Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

 

Powered by

 

 

 

J garcia

 

N estou conseguindo entrar na pagina do orkut pelo meu computador será que pode ser algum virus

em outro computador consigo acessar .

[jgarcia 1]

J garcia

 

N estou conseguindo entrar na pagina do orkut pelo meu computador será que pode ser algum virus

em outro computador consigo acessar .

O que ocorre quando você tenta acessar o Orkut por meio de sua máquina?

[G_santos 0]

OK!

 

Quando vou acessar minha pagina do orkut ,

a pagina da web só fica carregando

mais não entra na pagina inicial.

[jgarcia 1]

Opa G_santos,

 

Baixe o SilentRunners.

 

Extraia o arquivo SilentRunners.vbs para o C. Dê duplo clique sobre o arquivo para executá-lo.

 

Após executá-lo aguarde até que seja gerado um documento denominado Startup Programs (USUÁRIO) data. Copie o conteúdo deste documento e cole em sua próxima resposta.

 

Abraços.

 

Obs.: Caso o seu AV detecte o arquivo como sendo um script malicioso não se preocupe e autorize a execução.

[G_santos 0]

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"updateMgr" = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]

"MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]

"eMuleAutoStart" = "C:\Arquivos de programas\eMule\emule.exe -AutoStart" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"MDNS" = "C:\WINDOWS\system32\service.exe" ["M i r a r"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\(Default) = (no title provided)

-> {HKLM...CLSID} = "BrowsingEnhancer"

\InProcServer32\(Default) = "C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll" [empty string]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\(Default) = "Mirar"

-> {HKLM...CLSID} = "Mirar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [empty string]

{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"

-> {HKLM...CLSID} = "GbIehObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

[jgarcia 1]

Opa G_santos,

 

O log do Silent está incompleto. Um log completo apresenta esta conjuntura aqui (Post #5).

 

Execute o SilentRunners novamente e poste um novo log. ;)

 

Abraços.

[G_santos 0]

Aqui está

 

 

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"updateMgr" = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]

"MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]

"eMuleAutoStart" = "C:\Arquivos de programas\eMule\emule.exe -AutoStart" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"MDNS" = "C:\WINDOWS\system32\service.exe" ["M i r a r"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\(Default) = (no title provided)

-> {HKLM...CLSID} = "BrowsingEnhancer"

\InProcServer32\(Default) = "C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll" [empty string]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\(Default) = "Mirar"

-> {HKLM...CLSID} = "Mirar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [empty string]

{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"

-> {HKLM...CLSID} = "GbIehObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> GbPluginBb\DLLName = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

 

"NoUpdateCheck" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "User" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

"Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"

-> {HKLM...CLSID} = "Mirar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [empty string]

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = (no title provided)

-> {HKLM...CLSID} = "Mirar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [empty string]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Pesquisar"

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

a-squared Free Service, a2free, "C:\Arquivos de programas\a-squared Free\a2service.exe" ["Emsi Software GmbH"]

AVG E-mail Scanner, AVGEMS, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

---------- (launch time: 2008-01-27 08:15:56)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 76 seconds, including 12 seconds for message boxes)

[jgarcia 1]

Opa G_santos,

 

Vamos lá.

 

1ª Etapa

 

1. Execute o Killbox, clique em Delete on Reboot.

 

2. Copie a lista abaixo em negrito para a área de transferência. Selecione tudo com o auxílio do mouse --> vá até a aba Editar na barra do navegador --> clique em Copiar.

 

C:\WINDOWS\system32\service.exe

C:\WINDOWS\system32\WinNB58.dll

 

3. Retorne ao Killbox. Clique em File > Paste from clipboard. Clique em All Files.

 

4. Aperte em "X". Responda "não" à pergunta.

 

2ª Etapa

 

Reinicie em Modo Normal.

 

Delete o conteúdo da seguinte pasta:

 

C:\!Killbox

 

Retorne com um novo log do SilentRunners.

 

Um abraço.