pje, posted February 28, 2008

Hi everyone,

I have the following problem: my computer is infected with something that disabled the Task Manager button, it won't let me run REGEDIT because it shows a message saying it was disabled by the Administrator, and another thing I noticed is that the right mouse button does not work in IE (only in IE). Before running HijackThis I managed to kill the virus process with the WinPS.exe tool I have (it is a kind of alternative task manager), but I could not find out the name of the process. The HijackThis log follows below; I need help to remove this virus... Thanks...

---------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 01:01:31, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DNHlp32.exe
C:\WINDOWS\vsnpstd3.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Windows Defender\MSASCui.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\alg.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O1 - Hosts: 200.221.8.16 smartsearch.ws
O1 - Hosts: 200.221.8.16 www.smartsearch.ws
O1 - Hosts: 200.221.8.16 www.magicsearch.ws
O1 - Hosts: 200.221.8.16 magicsearch.ws
O1 - Hosts: 200.221.8.16 br.mp3u.com
O1 - Hosts: 200.204.77.26 caumode2k005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARQUIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehCef.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O4 - HKLM\..\Run: [DNHelper32] C:\WINDOWS\system32\DNHlp32.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ASUS Probe] c:\arquivos de programas\Asus\Asus Prob\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PreInstall] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARQUIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://mz.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll
O20 - Winlogon Notify: GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\Arquivos comuns\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Apache Tomcat (Tomcat6) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Arquivos de programas\Webcam\Webcam123\dogsvc.exe
---------------------------------
DigRam, posted February 28, 2008

Good morning pje!

>@< Download ComboFix.
>@< Save it to the Desktop!
>@< Close all windows and run the tool!
>@< For those who have Avast, a malware alert ( Win32 D adobra-EY[Trj] ) will appear, which should be ignored.
>@< The Auto Scan window will open. Wait!
>@< Type the option to continue and press < Enter >
>@< Wait for it to finish! During the scan, avoid touching the mouse or keyboard!
_________________________
>@< Post the report C:\ComboFix.txt in your reply, plus an updated HJT log.

Cheers!
pje 0 Denunciar post Postado Fevereiro 28, 2008 Obrigado DigRam! Parace que tudo voltou ao normal depois que executei o ComboFix... Eu tinha conseguido descobrir o nome da janela do virus, vou postar p/ ver se ajuda em algo... AdsssA, Form2, Form3 e Form4. Segue abaixo as logs do ComboFix e HJT atualizado... ComboFix; ------------------------------ ComboFix 08-02-25.3 - Administrador 2008-02-28 20:19:47.1 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.658 [GMT -3:00] Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe * Criado um novo ponto de restauro WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((( Outras Exclusäes ))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\lsass.exe C:\WINDOWS\system32\Cache C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\MabryObj.dll C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\system C:\WINDOWS\system32\system\msxml4.dll C:\WINDOWS\system32\system\msxml4r.dll C:\WINDOWS\system32\wpcap.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_NPF -------\NPF ((((((((((((((((((((((( Ficheiros criados de 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))) . 2008-02-28 00:39 . 2008-02-28 00:39 <DIR> d-------- C:\Hijack 2008-02-27 23:28 . 2008-02-27 23:28 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2008-02-22 15:03 . 2008-02-22 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kazaa 2008-02-04 15:24 . 2008-02-04 15:24 <DIR> d-------- C:\Documents and Settings\Kaka\Dados de aplicativos\Apple Computer . ((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-02-28 23:25 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-02-28 23:25 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-02-28 13:51 20,060,054 ------w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_02_28_10_47_39_full.dmp.zip 2008-02-28 13:47 2,654,208 ------w C:\WINDOWS\Internet Logs\xDB18.tmp 2008-02-28 13:47 1,062,912 ------w C:\WINDOWS\Internet Logs\xDB17.tmp 2008-02-27 23:40 2,654,208 ------w C:\WINDOWS\Internet Logs\xDB16.tmp 2008-02-27 23:40 2,628,096 ------w C:\WINDOWS\Internet Logs\xDB15.tmp 2008-02-16 03:06 2,918,400 ------w C:\WINDOWS\Internet Logs\xDB14.tmp 2008-02-11 03:29 3,039,232 ------w C:\WINDOWS\Internet Logs\xDB13.tmp 2008-01-27 18:17 4,246,962 ------w C:\WINDOWS\Internet Logs\tvDebug.zip 2008-01-18 20:22 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\DAEMON Tools 2008-01-18 20:22 --------- d-----w C:\Arquivos de programas\DAEMON Tools 2008-01-18 02:46 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2008-01-07 18:48 3,267,072 ------w C:\WINDOWS\Internet Logs\xDB11.tmp 2008-01-07 18:48 2,654,208 ------w C:\WINDOWS\Internet Logs\xDB12.tmp 2008-01-07 03:51 --------- d-----w C:\Arquivos de programas\Pcsx2_0.9.4 2008-01-07 03:10 --------- d-----w C:\Arquivos de programas\Nvdia 2008-01-03 19:50 --------- d-----w C:\Documents and Settings\Kaka\Dados de aplicativos\AdobeUM 2007-12-05 02:13 4,358,144 ------w C:\WINDOWS\Internet Logs\xDB10.tmp 2007-11-17 06:12 53,760 ------w C:\WINDOWS\Internet Logs\xDBF.tmp 2007-11-16 14:13 29,696 ------w C:\WINDOWS\Internet Logs\xDBD.tmp 2007-11-16 14:13 1,496,576 ------w C:\WINDOWS\Internet Logs\xDBE.tmp 2007-11-16 14:00 260,096 ------w C:\WINDOWS\Internet Logs\xDBC.tmp 2007-11-15 03:41 1,495,552 ------w C:\WINDOWS\Internet Logs\xDBB.tmp 2007-11-11 05:06 1,480,704 ------w C:\WINDOWS\Internet Logs\xDB3.tmp 2007-11-09 15:33 1,479,168 ------w C:\WINDOWS\Internet Logs\xDBA.tmp 2007-11-09 05:08 73,216 ------w C:\WINDOWS\Internet Logs\xDB8.tmp 2007-11-09 05:08 1,475,072 
------w C:\WINDOWS\Internet Logs\xDB9.tmp 2007-11-08 00:49 26,112 ------w C:\WINDOWS\Internet Logs\xDB6.tmp 2007-11-08 00:49 1,464,832 ------w C:\WINDOWS\Internet Logs\xDB7.tmp 2007-11-08 00:47 1,464,832 ------w C:\WINDOWS\Internet Logs\xDB5.tmp 2007-11-07 18:13 2,912,256 ------w C:\WINDOWS\Internet Logs\xDB4.tmp 2007-11-05 00:11 2,977,792 ------w C:\WINDOWS\Internet Logs\xDB1.tmp 2007-11-05 00:11 1,460,224 ------w C:\WINDOWS\Internet Logs\xDB2.tmp 2007-06-22 00:25 61,440 ----a-w C:\Arquivos de programas\Arquivos comuns\msado21.tlb 2007-04-23 23:26 19,893,634 ----a-w C:\Arquivos de programas\nvidia.zip 2006-07-08 16:41 0 ----a-w C:\Arquivos de programas\serial.dat 2006-06-21 03:52 397,312 ----a-w C:\Documents and Settings\Administrador\jogl.dll 2006-04-18 15:22 185,645 --sha-r C:\Arquivos de programas\patcher.exe 2005-01-03 16:12 9,668 ----a-w C:\Documents and Settings\Administrador\CPF.ZIP 2005-01-03 16:03 9,664 ----a-w C:\Documents and Settings\Administrador\CGC.ZIP 2004-03-11 16:27 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe 2007-06-10 14:06 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas. 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PowerBar"="" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DNHelper32"="C:\WINDOWS\system32\DNHlp32.exe" [2002-01-03 07:20 49152] "snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-01-14 11:00 339968] "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "Windows Defender"="C:\Arquivos de programas\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584] "ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016] "AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 19:13 579072] "ASUS Probe"="c:\arquivos de programas\Asus\Asus Prob\AsusProb.exe" [2002-12-06 16:07 617984] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480] "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016] "PreInstall"="C:\WINDOWS\lsass.exe" [ ] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\ARQUIV~1\Grisoft\AVG7\avgw.exe" [2007-11-23 11:38 219136] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{E37CB5F0-51F5-4395-A808-5FA49E399008}"= C:\Arquivos de programas\GbPlugin\gbiehuni.dll [2008-01-29 16:34 345504] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2006-08-22 14:40 213032] "{F6329918-1A8E-4DBB-A427-D9371AEB988F}"= C:\Arquivos de programas\TracePlus\ShellExt.dll [2003-10-13 02:46 65536] "{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\Arquivos de programas\GbPlugin\gbiehCef.dll [2007-11-29 11:41 337992] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef] C:\Arquivos de programas\GbPlugin\gbiehCef.dll 2007-11-29 11:41 337992 C:\Arquivos de 
programas\GbPlugin\gbiehCef.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni] C:\Arquivos de programas\GbPlugin\gbiehuni.dll 2008-01-29 16:34 345504 C:\Arquivos de programas\GbPlugin\gbiehuni.dll [HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^MBM 5.lnk] path=C:\Documents and Settings\Administrador\Menu Iniciar\Programas\Inicializar\MBM 5.lnk backup=C:\WINDOWS\pss\MBM 5.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck] -ra------ 2007-08-09 15:48 528384 C:\Arquivos de programas\VIA\VIAudioi\SBADeck\ADeck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] --a------ 2005-08-11 16:30 249856 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] --a------ 2005-08-11 16:30 81920 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] --a------ 1998-08-05 17:35 35328 C:\TBridge\FLATBED.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication] --a------ 2006-04-26 08:29 237568 C:\ARQUIV~1\Nokia\NOKIAP~1\LAUNCH~1.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-07-29 11:15 155648 C:\Arquivos de programas\QuickTime\qttask.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Arquivos de programas\\eMule\\emule.exe"= "C:\\Arquivos de 
programas\\Messenger\\MSMSGS.EXE"= "C:\\Arquivos de programas\\FTP Commander\\Ftpcomm.exe"= "C:\\Alexandre\\RPG Script\\RPG Script.exe"= "C:\\Arquivos de programas\\Kazaa Lite K++\\KazaaLite.kpp"= "C:\\Alexandre\\VirtualScript\\mirc.exe"= "C:\\Arquivos de programas\\WM Recorder\\WMR90.exe"= "C:\\Arquivos de programas\\Windows Media Player\\wmplayer.exe"= "C:\\Alexandre\\Quake\\qwsv.exe"= "C:\\Alexandre\\Quake\\fuhquake-gl.exe"= "C:\\Documents and Settings\\Administrador\\Desktop\\mplayerc.exe"= "C:\\JaburSat\\Versao.exe"= "C:\\Arquivos de programas\\InterVideo\\WinDVD4PR\\WinDVD.exe"= "C:\\Alexandre\\Quake\\fuhquake.exe"= "C:\\Alexandre\\Quake\\qwcl.exe"= "C:\\Arquivos de programas\\ICQLite\\ICQLite.exe"= "C:\\Alexandre\\Quake\\eqwcl-win32.exe"= "C:\\Alexandre\\Quake\\eglqwcl-win32.exe"= "C:\\Alexandre\\Quake\\kl33n3x.exe"= "C:\\Alexandre\\Quake\\glqwre11.exe"= "C:\\Alexandre\\Quake\\qw-client-wgl.exe"= "C:\\Alexandre\\Quake\\mqwcl\\bin\\win32\\gl.exe"= "C:\\Alexandre\\Quake\\mqwcl\\bin\\win32\\soft2.exe"= "C:\\Alexandre\\Quake\\mqwcl\\bin\\win32\\soft.exe"= "C:\\WINDOWS\\System32\\mmc.exe"= "C:\\Arquivos de programas\\eMule\\eMule_ionix.exe"= "C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"= "C:\\Arquivos de programas\\eMule\\KETAMINE.EXE"= "C:\\Arquivos de programas\\NetMeeting\\conf.exe"= "C:\\Arquivos de programas\\Webcam\\Webcam123\\Wsrv.exe"= "C:\\Arquivos de programas\\Webcam\\Webcam123\\WEBCAM.EXE"= "C:\\Arquivos de programas\\SnapStream Media\\Beyond TV 3\\WTLPVSApp.exe"= "C:\\Arquivos de programas\\eMule\\emule_morphx_kad.exe"= "C:\\Arquivos de programas\\eMule\\emule_sivka.exe"= "C:\\Program Files\\Ultima Online\\client.exe"= "C:\\Arquivos de programas\\Azureus\\Azureus.exe"= "C:\\Arquivos de programas\\Trillian\\trillian.exe"= "C:\\Arquivos de programas\\eMule\\emule_Viper5.0.exe"= "C:\\Arquivos de programas\\eMule\\emule_Viper4.exe"= "C:\\Arquivos de programas\\tvants\\Tvants.exe"= "C:\\Arquivos de programas\\PPLive TV\\PPPlayer.exe"= 
"C:\\Arquivos de programas\\Arquivos comuns\\Synacast\\SynaLive\\PE.exe"= "C:\\WINDOWS\\System32\\ftp.exe"= "C:\\Scoop2004\\mirc.exe"= "C:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"= "C:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"= "C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= "C:\\Alexandre\\Quake III Arena\\Quake3\\quake3.exe"= "C:\\Arquivos de programas\\GameSpy Arcade\\Aphex.exe"= "C:\\Arquivos de programas\\WS_FTP\\WS_FTP95.exe"= "C:\\Arquivos de programas\\PowerChallenge\\PowerFootball\\PowerFootball-OpenGL.exe"= "C:\\Arquivos de programas\\PowerChallenge\\PowerFootball\\PowerFootball-D3D9.exe"= "C:\\WINDOWS\\System32\\javaw.exe"= "C:\\Arquivos de programas\\Shareaza\\Shareaza.exe"= "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"= "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5472:TCP"= 5472:TCP:ppLive "7388:UDP"= 7388:UDP:ppLive R2 DK2DRV;DK2 WindowsNT Driver;C:\WINDOWS\system32\Drivers\DK2DRV.SYS [2002-01-24 07:40] R2 FLE5WNNT;FLE-5 WindowsNT Driver;C:\WINDOWS\System32\Drivers\fle5wnnt.sys [2004-07-27 14:37] R2 FLSIFACE;FLSIface;C:\WINDOWS\System32\Drivers\flsiface.sys [2004-07-27 14:38] R2 FLSPAR;FLSPar;C:\WINDOWS\System32\Drivers\flspar.sys [2004-07-27 14:39] R2 FLSSER;FLSSer;C:\WINDOWS\System32\Drivers\flsser.sys [2003-10-16 14:02] R2 FLSVCOM;FLSVCom;C:\WINDOWS\System32\Drivers\flsvcom.sys [2004-08-11 11:47] R2 ppsio;PrmxPPDev;C:\WINDOWS\system32\drivers\ppsio.sys [1998-02-25 21:27] R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1998-07-30 13:44] R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-10-08 08:50] R2 taskmon;taskmon;C:\Arquivos de programas\uICE\taskmon.sys [2002-11-16 19:58] S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys [] S2 BT878;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT878.SYS [2004-02-16 
17:28] S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2004-02-16 17:28] S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2004-02-16 17:28] S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2003-06-26 17:56] S3 dcddrv;dcddrv;C:\Arquivos de programas\uICE\devices\dcddrv.sys [2002-11-16 20:13] S3 dTVdrvNT;dTVdrvNT;C:\Arquivos de programas\ChrisTV\dTVdrvNT.sys [] S3 hid7906;hid7906;C:\WINDOWS\system32\drivers\hid7906.sys [2006-07-04 17:17] S3 SBExtigyIR;SBExtigyIR;C:\WINDOWS\system32\drivers\sbextigy.sys [2002-11-17 19:35] S3 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 00:45] S3 Tomcat6;Apache Tomcat;"C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" [2007-05-04 22:42] S3 VICHW00;VICHW00;C:\WINDOWS\SYSTEM32\DRIVERS\VICHW00.SYS [] S3 Webcam Corp. Service Starter;Webcam Corp. Service Starter;C:\Arquivos de programas\Webcam\Webcam123\dogsvc.exe [2004-08-26 06:38] . Conte£do da pasta 'Tarefas Agendadas' "2008-02-28 11:00:00 C:\WINDOWS\Tasks\backupemule.job" - C:\Alexandre\htdocs\backupemule.bat "2008-02-28 23:29:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Arquivos de programas\Windows Defender\MpCmdRun.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-28 20:27:38 Windows 5.1.2600 Service Pack 2 FAT NTAPI Procurando processos ocultos ... Procurando entradas auto inicializ veis ocultas ... Procurando ficheiros ocultos ... Varredura completada com sucesso Ficheiros ocultos: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . 
C:\Arquivos de programas\Windows Defender\MsMpEng.exe C:\Arquivos de programas\GbPlugin\GbpSv.exe C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe . ************************************************************************** . Tempo para conclusÆo: 2008-02-28 20:31:18 - machine was rebooted ComboFix-quarantined-files.txt 2008-02-28 23:31:10 . 2007-11-14 05:01:41 --- E O F --- ---------------------------- HJT; Logfile of HijackThis v1.99.1 Scan saved at 20:35:12, on 28/02/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\Arquivos de programas\GbPlugin\GbpSv.exe C:\WINDOWS\system32\spoolsv.exe C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\WINDOWS\system32\DNHlp32.exe C:\WINDOWS\vsnpstd3.exe C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe C:\Arquivos de programas\Windows Defender\MSASCui.exe C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe C:\arquivos de programas\Asus\Asus Prob\AsusProb.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\Hijack\HijackThis.exe R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 
6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARQUIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehCef.dll O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll O4 - HKLM\..\Run: [DNHelper32] C:\WINDOWS\system32\DNHlp32.exe O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ASUS Probe] c:\arquivos de programas\Asus\Asus Prob\AsusProb.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PreInstall] C:\WINDOWS\lsass.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: Abrir com 
o GetRight Browser - C:\ARQUIV~1\GETRIGHT\GRbrowse.htm O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GETRIGHT\GRdownload.htm O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARQUIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://mz.powerchallenge.com/applet/PowerLoader.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab O16 - DPF: 
{E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll O20 - Winlogon Notify: GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\Arquivos comuns\PCSuite\Services\ServiceLayer.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. 
- C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Apache Tomcat (Tomcat6) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Arquivos de programas\Webcam\Webcam123\dogsvc.exe

Regards, and thank you very much!
DigRam Posted February 29, 2008

Good morning, pje!

Delete:
C:\QooBox
C:\ComboFix.txt << previous ComboFix log.
__________________
>@< Select and copy all of the content inside the quote area into Notepad.
>@< Save it on the Desktop with the name: CFScript.txt

Collect::
C:\WINDOWS\lsass.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PreInstall"=-

Dirlook::
C:\WINDOWS\system32\GroupPolicy

>@< Drag CFScript.txt with the mouse onto the ComboFix icon.
>@< See the demonstration!
>@< With this procedure, ComboFix will run and restart the computer automatically!
>@< While it is running, do not use the keyboard or the mouse!
>@< When it finishes, post the C:\ComboFix.txt report plus an updated HJT log.

Regards!
pje Posted March 1, 2008

Hello DigRam... I ran ComboFix following your instructions; it ran but did not restart the computer, so I restarted it myself and ran HJT. The logs follow below.

ComboFix:
---------------------------------------
ComboFix 08-02-25.3 - Administrador 2008-02-29 23:17:31.2 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.651 [GMT -3:00] Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Administrador\Desktop\CFScript.txt * Criado um novo ponto de restauro WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((( Ficheiros criados de 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))) . 2008-02-29 17:07 . 2008-02-29 17:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-02-29 17:07 . 2008-02-29 17:07 1,409 --a------ C:\WINDOWS\QTFont.for 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\Visitante\Configurações locais 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\Kaka\Configurações locais 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\eMule_Secure\Configurações locais 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\Computador\Configurações locais 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\Alexandre\Configurações locais 2008-02-28 20:31 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\Administrador\Configurações locais 2008-02-28 20:31 . 
2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\admin\Configurações locais 2008-02-28 00:39 . 2008-02-28 00:39 <DIR> d-------- C:\Hijack 2008-02-27 23:28 . 2008-02-27 23:28 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2008-02-22 15:03 . 2008-02-22 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kazaa 2008-02-04 15:24 . 2008-02-04 15:24 <DIR> d-------- C:\Documents and Settings\Kaka\Dados de aplicativos\Apple Computer . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-29 02:23 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-02-29 02:23 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-02-28 13:51 20,060,054 ------w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_02_28_10_47_39_full.dmp.zip 2008-02-28 13:47 2,654,208 ------w C:\WINDOWS\Internet Logs\xDB18.tmp 2008-02-28 13:47 1,062,912 ------w C:\WINDOWS\Internet Logs\xDB17.tmp 2008-02-27 23:40 2,654,208 ------w C:\WINDOWS\Internet Logs\xDB16.tmp 2008-02-27 23:40 2,628,096 ------w C:\WINDOWS\Internet Logs\xDB15.tmp 2008-02-16 03:06 2,918,400 ------w C:\WINDOWS\Internet Logs\xDB14.tmp 2008-02-11 03:29 3,039,232 ------w C:\WINDOWS\Internet Logs\xDB13.tmp 2008-01-27 18:17 4,246,962 ------w C:\WINDOWS\Internet Logs\tvDebug.zip 2008-01-18 20:22 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\DAEMON Tools 2008-01-18 20:22 --------- d-----w C:\Arquivos de programas\DAEMON Tools 2008-01-18 02:46 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2008-01-07 18:48 3,267,072 ------w C:\WINDOWS\Internet Logs\xDB11.tmp 2008-01-07 18:48 2,654,208 ------w C:\WINDOWS\Internet Logs\xDB12.tmp 2008-01-07 03:51 --------- d-----w C:\Arquivos de programas\Pcsx2_0.9.4 2008-01-07 03:10 --------- d-----w C:\Arquivos de programas\Nvdia 2008-01-03 19:50 --------- d-----w C:\Documents and Settings\Kaka\Dados de aplicativos\AdobeUM 2007-12-05 02:13 4,358,144 ------w C:\WINDOWS\Internet 
Logs\xDB10.tmp 2007-11-17 06:12 53,760 ------w C:\WINDOWS\Internet Logs\xDBF.tmp 2007-11-16 14:13 29,696 ------w C:\WINDOWS\Internet Logs\xDBD.tmp 2007-11-16 14:13 1,496,576 ------w C:\WINDOWS\Internet Logs\xDBE.tmp 2007-11-16 14:00 260,096 ------w C:\WINDOWS\Internet Logs\xDBC.tmp 2007-11-15 03:41 1,495,552 ------w C:\WINDOWS\Internet Logs\xDBB.tmp 2007-11-11 05:06 1,480,704 ------w C:\WINDOWS\Internet Logs\xDB3.tmp 2007-11-09 15:33 1,479,168 ------w C:\WINDOWS\Internet Logs\xDBA.tmp 2007-11-09 05:08 73,216 ------w C:\WINDOWS\Internet Logs\xDB8.tmp 2007-11-09 05:08 1,475,072 ------w C:\WINDOWS\Internet Logs\xDB9.tmp 2007-11-08 00:49 26,112 ------w C:\WINDOWS\Internet Logs\xDB6.tmp 2007-11-08 00:49 1,464,832 ------w C:\WINDOWS\Internet Logs\xDB7.tmp 2007-11-08 00:47 1,464,832 ------w C:\WINDOWS\Internet Logs\xDB5.tmp 2007-11-07 18:13 2,912,256 ------w C:\WINDOWS\Internet Logs\xDB4.tmp 2007-11-05 00:11 2,977,792 ------w C:\WINDOWS\Internet Logs\xDB1.tmp 2007-11-05 00:11 1,460,224 ------w C:\WINDOWS\Internet Logs\xDB2.tmp 2007-06-22 00:25 61,440 ----a-w C:\Arquivos de programas\Arquivos comuns\msado21.tlb 2007-04-23 23:26 19,893,634 ----a-w C:\Arquivos de programas\nvidia.zip 2006-07-08 16:41 0 ----a-w C:\Arquivos de programas\serial.dat 2006-06-21 03:52 397,312 ----a-w C:\Documents and Settings\Administrador\jogl.dll 2006-04-18 15:22 185,645 --sha-r C:\Arquivos de programas\patcher.exe 2005-01-03 16:12 9,668 ----a-w C:\Documents and Settings\Administrador\CPF.ZIP 2005-01-03 16:03 9,664 ----a-w C:\Documents and Settings\Administrador\CGC.ZIP 2004-03-11 16:27 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe 2007-06-10 14:06 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 
---- Directory of C:\WINDOWS\system32\GroupPolicy ---- 2008-02-28 00:06 384 --a------ C:\WINDOWS\system32\GroupPolicy\User\Registry.pol 2008-02-28 00:06 157 --a------ C:\WINDOWS\system32\GroupPolicy\gpt.ini 2008-02-27 23:28 81 ---h----- C:\WINDOWS\system32\GroupPolicy\Adm\admfiles.ini 2004-08-03 12:20 44940 --a------ C:\WINDOWS\system32\GroupPolicy\Adm\wuau.adm 2004-07-23 21:42 1511114 --a------ C:\WINDOWS\system32\GroupPolicy\Adm\inetres.adm 2004-07-17 22:57 1913876 --a------ C:\WINDOWS\system32\GroupPolicy\Adm\system.adm 2004-07-17 11:40 72272 --a------ C:\WINDOWS\system32\GroupPolicy\Adm\wmplayer.adm 2004-07-17 11:40 43086 --a------ C:\WINDOWS\system32\GroupPolicy\Adm\conf.adm (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Nota* entradas vazias & legítimas por defeito não são mostradas. [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PowerBar"="" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DNHelper32"="C:\WINDOWS\system32\DNHlp32.exe" [2002-01-03 07:20 49152] "snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-01-14 11:00 339968] "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "Windows Defender"="C:\Arquivos de programas\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584] "ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016] "AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 19:13 579072] "ASUS Probe"="c:\arquivos de programas\Asus\Asus Prob\AsusProb.exe" [2002-12-06 16:07 617984] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480] "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] 
"AVG7_Run"="C:\ARQUIV~1\Grisoft\AVG7\avgw.exe" [2007-11-23 11:38 219136] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{E37CB5F0-51F5-4395-A808-5FA49E399008}"= C:\Arquivos de programas\GbPlugin\gbiehuni.dll [2008-01-29 16:34 345504] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2006-08-22 14:40 213032] "{F6329918-1A8E-4DBB-A427-D9371AEB988F}"= C:\Arquivos de programas\TracePlus\ShellExt.dll [2003-10-13 02:46 65536] "{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\Arquivos de programas\GbPlugin\gbiehCef.dll [2007-11-29 11:41 337992] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef] C:\Arquivos de programas\GbPlugin\gbiehCef.dll 2007-11-29 11:41 337992 C:\Arquivos de programas\GbPlugin\gbiehCef.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni] C:\Arquivos de programas\GbPlugin\gbiehuni.dll 2008-01-29 16:34 345504 C:\Arquivos de programas\GbPlugin\gbiehuni.dll [HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^MBM 5.lnk] path=C:\Documents and Settings\Administrador\Menu Iniciar\Programas\Inicializar\MBM 5.lnk backup=C:\WINDOWS\pss\MBM 5.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck] -ra------ 2007-08-09 15:48 528384 C:\Arquivos de programas\VIA\VIAudioi\SBADeck\ADeck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] --a------ 2005-08-11 16:30 249856 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] --a------ 2005-08-11 16:30 81920 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] --a------ 1998-08-05 17:35 35328 C:\TBridge\FLATBED.EXE 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication] --a------ 2006-04-26 08:29 237568 C:\ARQUIV~1\Nokia\NOKIAP~1\LAUNCH~1.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-07-29 11:15 155648 C:\Arquivos de programas\QuickTime\qttask.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Arquivos de programas\\eMule\\emule.exe"= "C:\\Arquivos de programas\\Messenger\\MSMSGS.EXE"= "C:\\Arquivos de programas\\FTP Commander\\Ftpcomm.exe"= "C:\\Alexandre\\RPG Script\\RPG Script.exe"= "C:\\Arquivos de programas\\Kazaa Lite K++\\KazaaLite.kpp"= "C:\\Alexandre\\VirtualScript\\mirc.exe"= "C:\\Arquivos de programas\\WM Recorder\\WMR90.exe"= "C:\\Arquivos de programas\\Windows Media Player\\wmplayer.exe"= "C:\\Alexandre\\Quake\\qwsv.exe"= "C:\\Alexandre\\Quake\\fuhquake-gl.exe"= "C:\\Documents and Settings\\Administrador\\Desktop\\mplayerc.exe"= "C:\\JaburSat\\Versao.exe"= "C:\\Arquivos de programas\\InterVideo\\WinDVD4PR\\WinDVD.exe"= "C:\\Alexandre\\Quake\\fuhquake.exe"= "C:\\Alexandre\\Quake\\qwcl.exe"= "C:\\Arquivos de programas\\ICQLite\\ICQLite.exe"= "C:\\Alexandre\\Quake\\eqwcl-win32.exe"= "C:\\Alexandre\\Quake\\eglqwcl-win32.exe"= "C:\\Alexandre\\Quake\\kl33n3x.exe"= "C:\\Alexandre\\Quake\\glqwre11.exe"= "C:\\Alexandre\\Quake\\qw-client-wgl.exe"= "C:\\Alexandre\\Quake\\mqwcl\\bin\\win32\\gl.exe"= "C:\\Alexandre\\Quake\\mqwcl\\bin\\win32\\soft2.exe"= "C:\\Alexandre\\Quake\\mqwcl\\bin\\win32\\soft.exe"= "C:\\WINDOWS\\System32\\mmc.exe"= "C:\\Arquivos de programas\\eMule\\eMule_ionix.exe"= "C:\\Arquivos de programas\\Internet 
Explorer\\iexplore.exe"= "C:\\Arquivos de programas\\eMule\\KETAMINE.EXE"= "C:\\Arquivos de programas\\NetMeeting\\conf.exe"= "C:\\Arquivos de programas\\Webcam\\Webcam123\\Wsrv.exe"= "C:\\Arquivos de programas\\Webcam\\Webcam123\\WEBCAM.EXE"= "C:\\Arquivos de programas\\SnapStream Media\\Beyond TV 3\\WTLPVSApp.exe"= "C:\\Arquivos de programas\\eMule\\emule_morphx_kad.exe"= "C:\\Arquivos de programas\\eMule\\emule_sivka.exe"= "C:\\Program Files\\Ultima Online\\client.exe"= "C:\\Arquivos de programas\\Azureus\\Azureus.exe"= "C:\\Arquivos de programas\\Trillian\\trillian.exe"= "C:\\Arquivos de programas\\eMule\\emule_Viper5.0.exe"= "C:\\Arquivos de programas\\eMule\\emule_Viper4.exe"= "C:\\Arquivos de programas\\tvants\\Tvants.exe"= "C:\\Arquivos de programas\\PPLive TV\\PPPlayer.exe"= "C:\\Arquivos de programas\\Arquivos comuns\\Synacast\\SynaLive\\PE.exe"= "C:\\WINDOWS\\System32\\ftp.exe"= "C:\\Scoop2004\\mirc.exe"= "C:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"= "C:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"= "C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= "C:\\Alexandre\\Quake III Arena\\Quake3\\quake3.exe"= "C:\\Arquivos de programas\\GameSpy Arcade\\Aphex.exe"= "C:\\Arquivos de programas\\WS_FTP\\WS_FTP95.exe"= "C:\\Arquivos de programas\\PowerChallenge\\PowerFootball\\PowerFootball-OpenGL.exe"= "C:\\Arquivos de programas\\PowerChallenge\\PowerFootball\\PowerFootball-D3D9.exe"= "C:\\WINDOWS\\System32\\javaw.exe"= "C:\\Arquivos de programas\\Shareaza\\Shareaza.exe"= "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"= "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5472:TCP"= 5472:TCP:ppLive "7388:UDP"= 7388:UDP:ppLive R2 DK2DRV;DK2 WindowsNT Driver;C:\WINDOWS\system32\Drivers\DK2DRV.SYS [2002-01-24 07:40] R2 FLE5WNNT;FLE-5 WindowsNT 
Driver;C:\WINDOWS\System32\Drivers\fle5wnnt.sys [2004-07-27 14:37] R2 FLSIFACE;FLSIface;C:\WINDOWS\System32\Drivers\flsiface.sys [2004-07-27 14:38] R2 FLSPAR;FLSPar;C:\WINDOWS\System32\Drivers\flspar.sys [2004-07-27 14:39] R2 FLSSER;FLSSer;C:\WINDOWS\System32\Drivers\flsser.sys [2003-10-16 14:02] R2 FLSVCOM;FLSVCom;C:\WINDOWS\System32\Drivers\flsvcom.sys [2004-08-11 11:47] R2 ppsio;PrmxPPDev;C:\WINDOWS\system32\drivers\ppsio.sys [1998-02-25 21:27] R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1998-07-30 13:44] R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-10-08 08:50] R2 taskmon;taskmon;C:\Arquivos de programas\uICE\taskmon.sys [2002-11-16 19:58] S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys [] S2 BT878;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT878.SYS [2004-02-16 17:28] S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2004-02-16 17:28] S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2004-02-16 17:28] S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2003-06-26 17:56] S3 dcddrv;dcddrv;C:\Arquivos de programas\uICE\devices\dcddrv.sys [2002-11-16 20:13] S3 dTVdrvNT;dTVdrvNT;C:\Arquivos de programas\ChrisTV\dTVdrvNT.sys [] S3 hid7906;hid7906;C:\WINDOWS\system32\drivers\hid7906.sys [2006-07-04 17:17] S3 SBExtigyIR;SBExtigyIR;C:\WINDOWS\system32\drivers\sbextigy.sys [2002-11-17 19:35] S3 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 00:45] S3 Tomcat6;Apache Tomcat;"C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" [2007-05-04 22:42] S3 VICHW00;VICHW00;C:\WINDOWS\SYSTEM32\DRIVERS\VICHW00.SYS [] S3 Webcam Corp. Service Starter;Webcam Corp. Service Starter;C:\Arquivos de programas\Webcam\Webcam123\dogsvc.exe [2004-08-26 06:38] *Newly Created Service* - CATCHME . 
Conteúdo da pasta 'Tarefas Agendadas' "2008-03-01 02:00:02 C:\WINDOWS\Tasks\backupemule.job" - C:\Alexandre\htdocs\backupemule.bat "2008-02-29 18:27:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Arquivos de programas\Windows Defender\MpCmdRun.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-29 23:21:22 Windows 5.1.2600 Service Pack 2 FAT NTAPI Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros ocultos ... Varredura completada com sucesso Ficheiros ocultos: 0 ************************************************************************** . Tempo para conclusão: 2008-02-29 23:22:51 . 2007-11-14 05:01:41 --- E O F --- ------------------------------------------------------------ HJT; ------------------------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 23:29:00, on 29/02/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\GbPlugin\GbpSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\DNHlp32.exe C:\WINDOWS\vsnpstd3.exe C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe C:\Arquivos de programas\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Hijack\HijackThis.exe R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARQUIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehCef.dll O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll O4 - HKLM\..\Run: [DNHelper32] C:\WINDOWS\system32\DNHlp32.exe O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ASUS Probe] c:\arquivos de programas\Asus\Asus Prob\AsusProb.exe O4 - HKLM\..\Run: 
[NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GETRIGHT\GRbrowse.htm O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GETRIGHT\GRdownload.htm O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARQUIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://mz.powerchallenge.com/applet/PowerLoader.cab O16 - DPF: 
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll O20 - Winlogon Notify: GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. 
- C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\Arquivos comuns\PCSuite\Services\ServiceLayer.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Apache Tomcat (Tomcat6) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Arquivos de programas\Webcam\Webcam123\dogsvc.exe --------------------------------------------------------------

Regards.
DigRam Posted March 1, 2008

Good morning, pje!

>@< Open HijackThis >> Tick the entry below >> Click Fix checked.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

>@< In Run, navigate to the folder highlighted below and delete it. PS: if you find it!

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PreInstall"
___________________________
>@< Other than that, the log is clean.
>@< Any problems still with the computer?

Regards!
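A small triage helper, added here as an example and not part of this thread or of HijackThis itself: it parses the "Oxx - ..." entry lines of an HJT log and flags the categories that mattered in this case, the O6 policy restrictions DigRam had fixed, plus hosts-file redirections (O1), Winlogon Notify entries that name no DLL (O20) and services whose binary is missing (O23). The sample lines are copied from the logs posted above, except the two O1 lines, which are constructed for illustration and use a documentation IP address and a reserved .invalid host name.

```python
"""Triage helper for HijackThis (HJT) logs (added example, not HJT code).

Parses the "Oxx - ..." lines HijackThis emits and flags the entry types that
drove this thread: hosts-file redirections (O1), Internet Explorer policy
restrictions (O6), Winlogon Notify entries without a DLL (O20) and services
whose binary is missing (O23). Everything else is listed as informational.
"""
import re
from dataclasses import dataclass

# CONSTRUCTED sample: the O2, O4, O6, O20 and O23 lines are copied from the
# logs posted in this thread; the two O1 lines are made up for illustration and
# use a documentation address (192.0.2.10) and a reserved .invalid host name.
SAMPLE_LOG = """\
O1 - Hosts: 192.0.2.10 www.example-bank.invalid
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Arquivos de programas\\Java\\jre1.6.0_03\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [DNHelper32] C:\\WINDOWS\\system32\\DNHlp32.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\
O23 - Service: MySQL - Unknown owner - C:\\Arquivos.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZONELABS\\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "review" or "info"
    section: str    # HJT section tag, e.g. "O6"
    reason: str
    line: str


def classify(section: str, body: str, line: str) -> Finding:
    """Apply the per-section rules to one parsed HJT entry."""
    if section == "O1":
        m = HOSTS_RE.match(body)
        if m and m.group(1) not in LOCAL_TARGETS:
            # A hosts entry that maps a name to a remote address silently
            # redirects that site; a blocking entry maps it to localhost.
            return Finding("high", section,
                           f"hosts file sends {m.group(2)} to {m.group(1)}", line)
        return Finding("info", section, "hosts entry points at localhost", line)
    if section == "O6":
        # Policy restrictions under HKCU explain symptoms such as the disabled
        # right-click menu in IE; a home user rarely sets these deliberately.
        return Finding("high", section, "IE policy restrictions present", line)
    if section == "O20" and body.rstrip().endswith("\\"):
        return Finding("review", section, "Winlogon Notify entry names no DLL file", line)
    if section == "O23" and body.rstrip().endswith("(file missing)"):
        return Finding("review", section, "service binary is missing (orphaned service)", line)
    return Finding("info", section, "listed for manual review", line)


def triage(log_text: str) -> list[Finding]:
    """Parse every HJT entry line and return one Finding per entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        findings.append(classify(m.group(1), m.group(2), line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it over a saved HJT log with `triage(open("hijackthis.log").read())`. The "review" findings are not malware verdicts: the O20 WgaLogon line and the orphaned MySQL and Tomcat services in the logs above are leftovers of uninstalled software, which is why DigRam called the log clean after the O6 entry was fixed.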
pje Posted March 2, 2008

Hello DigRam... Procedure done in HJT; I did not find PreInstall in regedit... Below is the HJT log after performing the procedure.

HJT:
-------------------------------------------
Logfile of HijackThis v1.99.1 Scan saved at 23:31:06, on 01/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\GbPlugin\GbpSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\DNHlp32.exe C:\WINDOWS\vsnpstd3.exe C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe C:\Arquivos de programas\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\WINDOWS\System32\alg.exe C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\Arquivos de programas\Grisoft\AVG7\avgcc.exe C:\Arquivos de programas\eMule\eMule.exe C:\Arquivos de programas\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Hijack\HijackThis.exe R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - 
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARQUIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehCef.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O4 - HKLM\..\Run: [DNHelper32] C:\WINDOWS\system32\DNHlp32.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ASUS Probe] c:\arquivos de programas\Asus\Asus Prob\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARQUIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://mz.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll
O20 - Winlogon Notify: GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\Arquivos comuns\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Apache Tomcat (Tomcat6) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Webcam Corp. Service Starter - Unknown owner - C:\Arquivos de programas\Webcam\Webcam123\dogsvc.exe
----------------------------------------------------
DigRam, thank you very much for the help... my computer is perfect now! Congratulations!! :) Cheers
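A run-together log like the one above is hard to read and easy to skim past. The following is an added example (Python, written for this page; it is not code from the thread, from pje or DigRam, or from HijackThis itself) that parses the `Oxx - ...` entry format, normalises CLSIDs, and groups the points a helper checks first: autostart entries, ActiveX downloads, services whose binary carries no company name ("Unknown owner" is HijackThis's own marker), entries that point at a file that no longer exists ("(file missing)" / "(no file)"), and a CLSID that is registered both as a BHO (O2) and as a toolbar (O3), i.e. one component with two hooks into IE. The sample lines are constructed from entries in the log above; nothing here labels any entry as malicious.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the HijackThis 1.99.1
# log in the post above, one entry per line as the tool itself writes them.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Arquivos de programas\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O4 - HKLM\..\Run: [DNHelper32] C:\WINDOWS\system32\DNHlp32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat6) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry is "<section tag> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Registry-style CLSID, case-insensitive on input; normalised to upper-case below.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body layout: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s*(.*)$")


def parse_log(text):
    """Turn HijackThis log text into a list of entry dicts (one per Oxx/Rx line)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes:" block, blank lines
        section, body = m.groups()
        entry = {"section": section, "raw": line, "clsid": None,
                 "name": None, "vendor": None, "path": None, "hive": None}
        clsid = CLSID_RE.search(body)
        if clsid:
            entry["clsid"] = clsid.group(0).upper()
        if section == "O4":
            run = RUN_RE.match(body)
            if run:
                entry["hive"], entry["name"], entry["path"] = run.group(1), run.group(3), run.group(4)
        else:
            # Other sections are " - " separated: "<type>: <name> [- vendor] - <file or URL>"
            fields = body.split(" - ")
            entry["name"] = fields[0].split(": ", 1)[-1]
            if section == "O23" and len(fields) >= 3:
                entry["vendor"] = fields[1]
            if len(fields) >= 2:
                entry["path"] = fields[-1]
        entry["missing"] = "(file missing)" in body or "(no file)" in body
        entries.append(entry)
    return entries


def review(entries):
    """Group the entries a helper looks at first; returns a dict of lists."""
    findings = defaultdict(list)
    sections_by_clsid = defaultdict(set)
    for e in entries:
        if e["missing"]:
            findings["orphaned"].append(e["raw"])  # registry still points at a file that is gone
        if e["clsid"]:
            sections_by_clsid[e["clsid"]].add(e["section"])
        if e["section"] == "O4":
            findings["autostart"].append((e["hive"], e["name"], e["path"]))
        elif e["section"] == "O16":
            findings["activex_downloads"].append(e["path"])
        elif e["section"] == "O23" and e["vendor"] == "Unknown owner":
            findings["no_vendor_info"].append(e["name"])  # binary has no company name in its version info
    # Same CLSID loaded as both a BHO (O2) and a toolbar (O3): one DLL, two IE hooks.
    for clsid, sections in sorted(sections_by_clsid.items()):
        if {"O2", "O3"} <= sections:
            findings["bho_and_toolbar"].append(clsid)
    return findings


if __name__ == "__main__":
    for key, items in review(parse_log(SAMPLE_LOG)).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

To use it on a real log, read the saved hijackthis.log into `parse_log` instead of `SAMPLE_LOG`; the grouping only tells you where to look, and each flagged entry still has to be judged against what is actually installed on the machine.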
DigRam Posted March 2, 2008
Good morning pje! With everything OK on the PC, create a clean System Restore point! Right-click My Computer >> Properties >> System Restore >> Check: Turn off System Restore >> Apply >> OK. Then uncheck it again! >> Apply >> OK. For more details, go to: < Docs >
The log is clean! :thumbsup: Cheers!
jgarcia Posted March 21, 2008
PROBLEM SOLVED! If the author needs the topic reopened, send a Private Message to a Moderator with a link to the topic.