vgomespt
Posted January 13, 2008

Hi...
I've been at this for about 5 hours now trying to fix it; I followed the guide and nothing! My hidden files/folders are visible... I couldn't find most of the files mentioned, I don't know whether they have already turned into other ones... System Restore is disabled, but sometimes it switches itself back on and I go back to set it before rebooting... A window "select file to crack" opens every time it reboots... I used to close it, and after about 10 minutes the machine would reboot; now I've noticed that if I leave it open the machine keeps running without rebooting.
In Task Manager, wintems.exe persists.
In the msconfig utility... I untick it and a "dumprep 0 -k" comes back, and there is only ctfmon, the rest is inactive, but I never saw wintems.exe in there.... in Services, apart from the Windows services, they are all inactive.

---------------
Sat Jan 12 22:34:00 2008
EliBagle v10.84 ©2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
Por favor, envienos una muestra del fichero C:\Muestras\SROSA.SYS.Muestra EliBagle v10.84 a "virus@satinfo.es". Gracias.
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle Acceso Denegado.
Por favor, envienos una muestra del fichero C:\Muestras\HLDRRR.EXE.Muestra EliBagle v10.84 a "virus@satinfo.es". Gracias.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle Acceso Denegado.

Sat Jan 12 22:36:02 2008
EliBagle v10.84 ©2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
Nº Total de Directorios: 25337
Nº Total de Ficheros: 231986
Nº de Ficheros Analizados: 12538
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0
-------------

Every time it reboots this still shows up, saying the damned thing is there, but in the end it doesn't find it....
Also, remember that I have already followed the steps I saw in the other thread, the one that is closed and marked solved, and nothing.

----------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 0:44:45, on 13-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Arquivos de programas\Microsoft Office\Office10\WINWORD.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.br/
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [ReEXEc] E:\EMULE\EliBaglA.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.pt/s/v/24.11/uploader2.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://creator2.amenworld.com/app/static/activex/msxml4.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Controle do DownloadManager) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF635BC-10ED-43F6-BD45-801C307B9558}: NameServer = 195.245.176.19 194.38.131.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dpnmodem32 - dpnmodem32.dll (file missing)

In "Running processes" it doesn't show the bastard, but here it does.... and this one I always delete, and it comes back, apparently....
----------------------------------------------------------------------
I've got a hell of a backache; this thing drove me up the wall....
Can anyone shed some light and help me fix this?!
Thanks a lot!
See ya,
Vlad
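The post above reads the HijackThis log by eye, looking for wintems.exe and the orphaned dpnmodem32 Winlogon Notify entry. The script below is an added example, not a tool anyone in this thread used: it parses the O4 (autorun), O17 (NameServer) and O20 (Winlogon Notify) lines of a HijackThis log and flags the persistence indicators a cleanup helper checks first. The sample lines are copied from the log in this post, except the "german.exe" O4 line, which is reconstructed from the Run-key value that ComboFix dumps later in the thread; the watch-list of file names comes from the EliBagle and ComboFix output in this thread; the expected_dns parameter and the severity labels are the example's own assumptions.

```python
"""HijackThis-style log triage.

Added example for this thread (not a tool anyone in it used): parses the
O4 / O17 / O20 lines of a HijackThis log and reports the persistence
indicators a cleanup helper looks at first. Watch-list names are the Bagle
component files reported by EliBagle and ComboFix in this thread.
"""
import re
from dataclasses import dataclass

# File names the thread's scanners attributed to Bagle.
WATCHLIST = {"wintems.exe", "hldrrr.exe", "srosa.sys", "ban_list.txt"}

# Constructed sample: O4/O17/O18/O20 lines copied from the first HijackThis log,
# plus one O4 line rebuilt from the ComboFix Run-key dump
# ("german.exe"="C:\WINDOWS\system32\wintems.exe") so the watch-list path is exercised.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [ReEXEc] E:\EMULE\EliBaglA.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF635BC-10ED-43F6-BD45-801C307B9558}: NameServer = 195.245.176.19 194.38.131.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dpnmodem32 - dpnmodem32.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": confirm with the machine's owner
    section: str   # HijackThis section tag (O4, O17, O20, ...)
    reason: str
    line: str


def watchlist_hits(text):
    """Return watch-listed file names that appear as whole names in text."""
    low = text.lower()
    return sorted(n for n in WATCHLIST
                  if re.search(r"(?<![\w.-])" + re.escape(n) + r"(?![\w-])", low))


def triage(log, expected_dns=()):
    """Scan a HijackThis log; expected_dns lists resolvers known to be legitimate."""
    findings = []
    for line in log.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            hits = watchlist_hits(m["cmd"])
            if hits:
                findings.append(Finding("high", "O4",
                    f"autorun '{m['name']}' launches watch-listed file {', '.join(hits)}", line))
            elif m["key"].lower() == "runonce":
                findings.append(Finding("review", "O4",
                    f"RunOnce entry '{m['name']}' executes once at next logon; confirm it is a tool you placed", line))
            continue
        m = O17_RE.match(line)
        if m:
            unexpected = [s for s in m["servers"].split() if s not in set(expected_dns)]
            if unexpected:
                findings.append(Finding("review", "O17",
                    "NameServer set to " + " ".join(unexpected) + "; confirm these are the ISP/LAN resolvers", line))
            continue
        m = O20_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(Finding("high", "O20",
                    f"Winlogon Notify '{m['name']}' references missing DLL {m['dll']}: orphaned loader entry", line))
            else:
                findings.append(Finding("review", "O20",
                    f"Winlogon Notify '{m['name']}' loads {m['dll']} into winlogon; verify its publisher", line))
            continue
        if "(file missing)" in line:
            findings.append(Finding("review", line.split(" - ", 1)[0],
                "entry points at a missing file; remove once the owning program is confirmed gone", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run as a script it prints the five findings for the sample; on a real log, pass the resolvers the machine is supposed to use in expected_dns so that only an unexpected O17 override is reported, and treat the "review" items as questions for the machine's owner rather than deletions.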
vgomespt
Posted January 13, 2008

Hi...
I managed to get rid of it only with Trojan Remover; it was the only solution and it took me a while to get to it. Now I can't install an antivirus, AVG in this case; I downloaded another one and nothing! I went into the registry and found nothing from Grisoft, AVG... nothing... and I also had a look and noticed it didn't have this either, or if it did, it's gone.... I entered it manually; is there any problem with that, what is it for? I'm running Trojan Remover again and afterwards I'll see whether with this entry the antivirus thing gets sorted, shooting in the dark...
Is this right? With brackets, without quotes....????

HKEY_CURRENT_USER\Software\DateTime4
port 0x5B7E
uid [RANDOM]
wdrn 0x00000001

See ya,
Vlad

Logfile of HijackThis v1.99.1
Scan saved at 16:13:47, on 13-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Vladmir\Dados de aplicativos\Simply Super Software\Trojan Remover\sbf1.exe
C:\Documents and Settings\Vladmir\Dados de aplicativos\Simply Super Software\Trojan Remover\sbf1.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.br/
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.pt/s/v/24.11/uploader2.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://creator2.amenworld.com/app/static/activex/msxml4.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Controle do DownloadManager) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF635BC-10ED-43F6-BD45-801C307B9558}: NameServer = 195.245.176.19 194.38.131.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

Is it clean, or can it be trimmed further?!
See ya,
Vlad
vgomespt
Posted January 14, 2008

It's really screwed!!! I've already run umpteen online AVs and the last one was Panda...

PANDA ONLINE
Virus:w32/bagle.hx.worm Disinfected Operating system
Adware:adware/savenow Not disinfected Windows Registry
Adware:Adware/Aureate-Radiate Not disinfected C:\Documents and Settings\VLAD\Definições locais\Temp\30.EXE[advert.dll]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\VLAD\Application Data\Mozilla\Firefox\Profiles\pyvlwxa6.default\COOKIES.TXT[.ig.com.br/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Vladmir\Cookies\vladmir@toplist[1].txt
Virus:W32/Bagle.QW.worm Disinfected C:\!KillBox\WINTEMS.EXE
Virus:Generic Malware Disinfected D:\Crack\AVS_Video_Converter_v2[1].3.1.79.zip[Patcher.exe]

I ran others and nothing, and the last thing I tried was ComboFix....

ComboFix 08-01-15.1 - Vladmir 2008-01-14 19:40:09.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.225 [GMT 0:00]
Executando de: E:\Programas\VIRUS\ComboFix.exe
* Criado um novo ponto de restauro
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\msvcrt23.dll
E:\XCOPY.EXE
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SROSA
-------\srosa

((((((((((((((((((((((( Ficheiros criados de 2007-12-15 to 2008-01-15 ))))))))))))))))))))))))))))))))
.
2008-01-14 19:37 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 16:34 . 2008-01-14 16:34 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-14 12:54 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 12:53 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\mtbraaoaoolx.sys
2008-01-14 01:07 . 2008-01-14 01:07 140,288 --a------ C:\vcleaner.exe
2008-01-13 21:51 . 2008-01-13 21:51 <DIR> d-------- C:\Documents and Settings\Vladmir\.housecall6.6
2008-01-13 20:59 . 2008-01-13 20:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Spybot - Search & Destroy
2008-01-13 19:41 . 2008-01-13 19:41 <DIR> d-------- C:\Arquivos de programas\CCleaner
2008-01-13 13:02 . 2008-01-13 13:03 351,612 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-13 11:00 . 2008-01-13 11:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-13 11:00 . 2008-01-13 11:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Kaspersky Lab
2008-01-13 01:41 . 2008-01-13 01:41 <DIR> d-------- C:\Documents and Settings\Vladmir\Dados de aplicativos\Simply Super Software
2008-01-13 01:41 . 2008-01-13 01:41 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Simply Super Software
2008-01-13 01:41 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-01-13 01:41 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-01-13 01:41 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-01-13 01:41 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-01-13 01:41 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-01-13 01:24 . 2008-01-13 19:20 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-13 01:24 . 2008-01-13 19:20 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-13 01:24 . 2008-01-13 19:20 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-13 01:24 . 2008-01-13 19:20 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-13 01:21 . 2008-01-13 01:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Kaspersky Lab Setup Files
2008-01-12 21:55 . 2008-01-12 21:55 <DIR> d-------- C:\Documents and Settings\Vladmir\Dados de aplicativos\Uniblue
2008-01-12 21:29 . 2008-01-12 21:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Avg7
2008-01-12 19:09 . 2008-01-12 19:09 <DIR> d-------- C:\Muestras
2008-01-12 17:14 . 2008-01-12 17:14 <DIR> d-------- C:\!KillBox
2008-01-12 16:20 . 2006-05-24 08:01 502,243 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-01-03 20:33 . 2008-01-03 20:33 29 --a------ C:\WINDOWS\DEBUGSM.INI
2007-12-27 22:10 . 2007-12-27 22:12 2,176 --ah----- C:\ZbThumbnail.info
2007-12-21 13:52 . 2007-12-21 13:52 160,349 --a------ C:\WINDOWS\Sqirlz Morph Uninstaller.exe
2007-12-20 15:28 . 2007-12-20 15:28 <DIR> d-------- C:\Documents and Settings\Vladmir\Dados de aplicativos\Wings3D
2007-12-20 15:18 . 2007-12-20 15:18 <DIR> d-------- C:\tmp
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:44 88,376 ----a-w C:\Documents and Settings\Vladmir\Dados de aplicativos\GDIPFONTCACHEV1.DAT
2007-12-11 21:12 --------- d-----w C:\Documents and Settings\Vladmir\Dados de aplicativos\LEAPS
2007-12-11 12:27 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-11 12:27 286,720 ------w C:\WINDOWS\Setup1.exe
2007-12-11 11:43 --------- d-----w C:\Documents and Settings\Vladmir\Dados de aplicativos\Pegasys Inc
2007-12-10 23:50 56,976 ----a-w C:\WINDOWS\system32\GenSvcInst.exe
2007-12-10 23:50 33,408 ----a-w C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-12-10 23:50 122,512 ----a-w C:\WINDOWS\system32\bgsvcgen.exe
2007-12-10 15:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Ahead
2007-12-10 12:43 --------- d-----w C:\Documents and Settings\Vladmir\Dados de aplicativos\NeroVision
2007-12-06 19:10 --------- d-----w C:\Documents and Settings\Vladmir\Dados de aplicativos\Ahead
2007-12-06 19:08 --------- d-----w C:\Arquivos de programas\Nero
2007-12-06 19:08 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Ahead
2007-12-06 18:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Philips Intelligent Agent
2007-12-06 18:59 --------- d-----w C:\Arquivos de programas\Philips Intelligent Agent
2007-12-06 14:25 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Ulead Systems
2007-12-03 16:00 --------- d-----w C:\Documents and Settings\Vladmir\Dados de aplicativos\Leadertech
2007-12-01 17:15 --------- d-----w C:\Arquivos de programas\ASUSTeK
2007-12-01 12:19 --------- d-----w C:\Arquivos de programas\VIA
2007-11-14 07:28 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:28 724,480 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:28 724,480 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:18 3,079,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:57 8,484,352 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 22:35 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-10-20 06:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 06:01 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-18 11:06 109,568 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-10-18 11:06 108,544 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-13 16:35 36,868 ----a-w C:\Arquivos de programas\uninst-Particular.exe
2004-01-31 19:54 331,776 ----a-w C:\WINDOWS\inf\pdfinst2.exe
2003-07-14 23:54 205,734,144 ----a-w C:\Documents and Settings\Vladimir\videocd.bin
2006-01-28 09:57 80 --sha-r C:\WINDOWS\Ct4set.bin
2007-09-19 21:43 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-19 21:43 88 --sh--r C:\WINDOWS\system32\5DEDD50FB4.sys
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:45 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:45 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

A chave SafeBoot necessita de ser reparada. Esta máquina não pode entrar em Modo de Segurança.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Vladmir^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]
path=C:\Documents and Settings\Vladmir\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Vladmir^Menu Iniciar^Programas^Inicializar^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Vladmir\Menu Iniciar\Programas\Inicializar\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CorelCorelDRAW10 Reminder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy PDF Creator]
--a------ 2004-02-09 09:50 463872 E:\Arquivos de programas\Easy PDF Creator\EasyPDFCreator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-11-03 22:13 188416 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
C:\Arquivos de programas\MSN Apps\Updater\01.02.0002.1001\pt-br\msnappau.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-01-24 20:31 7094272 C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
C:\ARQUIV~1\NEWDOT~1\NEWDOT~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-08-17 21:48 439872 C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-24 03:24 282624 C:\Arquivos de programas\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Arquivos de programas\ASUSTeK\ASUSDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxAssistant]
--a------ 2003-01-13 14:15 86016 C:\Arquivos de programas\Arquivos comuns\Roxio Shared\Upgrade\RoxAssist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-01-09 09:21 253952 C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-01-13 10:19 757760 C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-01-13 14:05 69632 C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanRegistry]
C:\W

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2002-06-06 11:15 861184 C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
E:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StillImageMonitor]
C:\W

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-02-22 23:44 32881 C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
E:\Arquivos de programas\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 17:19 15872 C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\Arquivos de programas\WeatherCast\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
E:\Arquivos de programas\windows_defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"XAMPP"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)
"Service1"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"bgsvcgen"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 11:22]
R2 HWiNFO32;HWiNFO32 Kernel Driver;E:\Programas\HWiNFO32\HWiNFO32.SYS [2005-11-03 13:44]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S4 ewido security suite driver;ewido security suite driver;C:\Arquivos de programas\ewido\security suite\guard.sys [2004-11-22 14:15]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 19:51:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2008-01-15 19:56:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 19:56:08
.
2008-01-09 10:13:22 --- E O F ---

Now I was able to install AVG and I'm running it; it has already found HLDRRR.EXE....
I read above that I have to change the thing to get into Safe Mode.... I still don't know how to do that....
I went to look at HijackThis, and now the bastard is showing wintems.exe, which I thought had been gone for ages... damn! What a mess!
I'll wait for AVG to finish and see what it blows away; if it doesn't, I'll blow it away through HijackThis... and if that doesn't work, I'll have to go through that process for the 10th time, and please, it had better work....
Uh, my files are still set with the archive attribute, even HijackThis... Damn and damn again!
So I have to change this in regedit by hand?

A chave SafeBoot necessita de ser reparada. Esta máquina não pode entrar em Modo de Segurança.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

See ya. I'll keep posting updates until this goes away....
Lucasg3
Posted January 15, 2008

Step 1
Download AVG Anti-Rootkit: http://www.softpedia.com/get/Antivirus/AVG...i-Rootkit.shtml
* Install and run it.
* Some infections may be detected. Select them.
* When it finishes, click Remove Selected Items.

Step 2
Download SafeMode Repair.zip: http://www.hijackthis-forum.de/attachment....mp;d=1187631899
* Unzip it to your desktop.
* Right-click the file SafeModeRepair.reg and choose Merge.

Step 3
Download F-Secure Blacklight: http://linhadefensiva.uol.com.br/dl/blacklight
* Save it to the desktop and run it. Accept the agreement. If it finds any file, ignore it. We only want the log.
When the scan finishes, attach the file fsb-xxxxx.log (where xxx are numbers) to your reply.
vgomespt
Posted January 15, 2008

Great, Lucas! I fixed it and everything seems back to normal.
In this fight I used these programs:
ComboFix.exe
avast_aswclnr.exe
SafeBootKeyRepair.exe
KillBox.exe
bankerfix.exe
ccsetup203.exe
fsbl.exe
EliBaglA.exe
And the online AVs.... damn! It was an ugly fight!
See ya,
Vlad
DigRam
Posted January 19, 2008

PROBLEM SOLVED!
If the author needs the topic to be reopened, send a private message to a moderator with a link to the topic.