Pablo3322 (posted March 8, 2008):

Even after killing IE with Ctrl+Alt+Del, it comes back!!

Logfile of HijackThis v1.99.1
Scan saved at 08:00 PABLO, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\MessengerDiscovery\MessengerDiscovery Live.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ADSTechnology module - {831CBAC0-8283-4653-9D81-FEB9F3F6E47C} - C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll
O2 - BHO: ActivationManager module - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Arquivos de programas\ActivationManager\ActivationManager.dll (file missing)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Arquivos de programas\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: Class - {FC9BCC0B-5745-21E7-F5A2-5A6E55758E50} - C:\WINDOWS\axybn1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\draw bash.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CS Update] copy /Y "C:\Arquivos de programas\ActivationManager\ActivationManager.dll.upd" "C:\Arquivos de programas\ActivationManager\ActivationManager.dll"
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.212/g_bin/eng/poker_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/wi...rInstall_br.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.212/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Sam Spade (posted March 8, 2008):

Hello Pablo3322! The log shows several infections, with malware that redirects IE, such as ADSTechnology and the Lop adware, which was installed together with Messenger Plus when you accepted the sponsorship. Even after uninstalling Plus, Lop can remain.

Download: KillBox, FindLop > Extract the files to a folder of their own, but don't use them yet.

Save or print these instructions:

STEP 1
Download the Lop Uninstaller: http://lop.com/new_uninstall.exe
If a restriction message appears when you try to download it, follow these steps: open Internet Explorer, click Tools, then Internet Options, click the Security tab, click Trusted Sites and then click Sites; in the "Add this website to the zone" field enter http://lop.com and click Add. Uncheck the option "Require server verification (https)". Click OK in all windows and try the download again.
If your antivirus detects a problem in the file, ignore it. The file is safe.
Disable your antivirus and any antispyware. Run it. Enter the numbers and confirm.
Open Internet Explorer again, click Tools, then Internet Options, click the Security tab, click Trusted Sites and then click Sites. Click http://lop.com and click Remove. Click OK in all windows.

STEP 2
Run KillBox, check Delete on Reboot and then Unregister .dll Before Deleting. In Full Path of File to Delete enter:
C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll
Click the button. Answer Yes to the question. There will be a countdown and the PC will restart.
After the OS loads again, run a scan with HijackThis and save the log. Run findlop.bat and then locate findlop.txt in C:\
Re-enable the antivirus and the antispyware.

Post:
HijackThis log
findlop.txt

NOTE: there will be another step after we have the results of the logs I asked for.
Pablo3322 (posted March 8, 2008):

Hi Sam, thanks a lot for the help!!

Logfile of HijackThis v1.99.1
Scan saved at 09:28 PABLO, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ADSTechnology module - {831CBAC0-8283-4653-9D81-FEB9F3F6E47C} - C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll (file missing)
O2 - BHO: ActivationManager module - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Arquivos de programas\ActivationManager\ActivationManager.dll (file missing)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Arquivos de programas\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: Class - {FC9BCC0B-5745-21E7-F5A2-5A6E55758E50} - C:\WINDOWS\axybn1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\draw bash.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CS Update] copy /Y "C:\Arquivos de programas\ActivationManager\ActivationManager.dll.upd" "C:\Arquivos de programas\ActivationManager\ActivationManager.dll"
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.212/g_bin/eng/poker_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/wi...rInstall_br.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.212/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'MP Scheduled Scan.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\Arquivos de programas\Windows Defender\MpCmdRun.exe'
Parameters: 'Scan -RestrictPrivileges'
WorkingDirectory: ''
Comment: 'Scheduled Scan'
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/08/2008 2:14:00
NextRun: 03/09/2008 2:14:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 1
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 12/31/2001
EndDate: 00/00/0000
StartTime: 02:14
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
[TRACE] Activating job 'A944EF35918B66A5.job'
[TRACE] Printing all job properties
ApplicationName: 'c:\windows\applic~1\signtw~1\Roamheck16.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Particular'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/08/2008 9:00:00
NextRun: 03/08/2008 10:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/06/2001
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
Sam Spade (posted March 10, 2008):

OK, copy this text and save it in Notepad:

C:\WINDOWS\Tasks\A944EF35918B66A5.job
C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
C:\WINDOWS\APPLIC~1\SIGNTW~1\Roamheck16.exe
C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\draw bash.exe

Save or print these instructions, since you will be following them offline, without access to this page:

1 - Copy the text you saved in Notepad. Run KillBox and check Delete on Reboot; in the File menu click Paste from Clipboard. Then click the All Files button. Click the button. Answer Yes to the question. When the PC restarts, tap F8 repeatedly. In the menu choose: Safe Mode.

2 - Open HijackThis and click Do a system scan only. Wait for the scan to finish. Each entry has a checkbox on its left. Check only the boxes of the entries below that you still find:

O2 - BHO: ADSTechnology module - {831CBAC0-8283-4653-9D81-FEB9F3F6E47C} - C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll (file missing)
O2 - BHO: ActivationManager module - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Arquivos de programas\ActivationManager\ActivationManager.dll (file missing)
O2 - BHO: Class - {FC9BCC0B-5745-21E7-F5A2-5A6E55758E50} - C:\WINDOWS\axybn1.dll (file missing)
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\draw bash.exe
O4 - HKCU\..\Run: [CS Update] copy /Y "C:\Arquivos de programas\ActivationManager\ActivationManager.dll.upd" "C:\Arquivos de programas\ActivationManager\ActivationManager.dll"
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/wi...rInstall_br.cab

Each box will show a check mark. Then click the button. Click OK to the question and then close HijackThis.

3 - For the log to be analysed, there must be no disabled startup items, since they don't show up. Follow these instructions: go to Start > Run > type msconfig. On the General tab select: Normal Startup - load all device drivers and services. Apply > OK. Restart the PC in normal mode, generate a new log and post it.
Pablo3322 (posted March 10, 2008):

Logfile of HijackThis v1.99.1
Scan saved at 23:37 PABLO, on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\UltraVNC\WinVNC.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jucheck.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.212/g_bin/eng/poker_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.212/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Sam Spade, posted March 10, 2008:

OK, more entries have appeared that were not there before, now that you enabled all the items. I need you to have a couple of files analyzed:

Go to http://virusscan.jotti.org/
On the site, in the Browse box, paste this line:
C:\WINDOWS\system32\28463\YMSF.exe
Click Submit, wait for the analysis result to appear and save it.

Do the same with this one:
C:\WINDOWS\csrss.exe

Post the results of both analyses so we can proceed.
Pablo3322, posted March 10, 2008:

Hi Sam, for both of them it gave this message:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
Sam Spade, posted March 11, 2008:

Was there some problem when you used KillBox? Entries that should no longer be in the log are still there. If you did not manage to use it, explain what happened so we can sort it out.
Pablo3322, posted March 11, 2008:

Hi Sam, I did everything exactly as you wrote above, but when I pasted those lines into the site, the message I told you about appeared:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

I tried to repeat the previous process, but I can no longer get into Safe Mode!

Cheers!
Sam Spade, posted March 16, 2008:

Hi, I am not asking about the analysis but about the files I asked you to delete with KillBox. Was there some problem, or did you not manage to use KillBox?
Pablo3322, posted March 17, 2008:

Hi Sam, thanks for the reply, and sorry for the delay. Well, I did not see any error. I was looking, and it seems IE has closed, since it no longer shows up in the Task Manager processes! Could the problem be solved?

Cheers!
Sam Spade, posted March 20, 2008:

Hi, post a new HijackThis log, since the previous one is already out of date.
Pablo3322, posted March 27, 2008:

Logfile of HijackThis v1.99.1
Scan saved at 08:34 PABLO, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {12A6AB00-7C8C-46AA-8426-8825F3F0927C} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Arquivos de programas\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: (no name) - {F501C2AB-834A-4B9D-A86B-A1EADA760B00} - C:\WINDOWS\system32\gebxyyx.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - HKCU\..\Run: [ADPHONE] C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE /STARTUP
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.212/g_bin/eng/poker_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.212/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: gebxyyx - gebxyyx.dll (file missing)
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Sam Spade, posted March 28, 2008:

Hi, for the log to be analyzed there must be no startup items disabled, because disabled items do not appear in it. Follow these instructions:

Go to Start > Run > type msconfig
On the General tab select: Normal Startup - load all device drivers and services.
Apply > OK

Restart the PC, generate a new log and post it.
Pablo3322, posted April 10, 2008:

Logfile of HijackThis v1.99.1
Scan saved at 01:26 PABLO, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\UltraVNC\WinVNC.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\Arquivos de programas\Hamachi\hamachi.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [0d6b155d] rundll32.exe "C:\WINDOWS\system32\bfuqwxvw.dll",b
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [bM0e5826c1] Rundll32.exe "C:\WINDOWS\system32\pwwcufgk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - HKCU\..\Run: [ADPHONE] C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE /STARTUP
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.212/g_bin/eng/poker_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.212/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Sam Spade, posted April 14, 2008:

Hi, your log shows a new infection by the Vundo trojan (Virtumonde adware), a piece of malware that is hard to remove.

Download: ComboFix > save it to the desktop.

Disable your antivirus, antispyware and firewall so they do not cause conflicts. Keep them disabled until you have finished these instructions.

Double-click combofix.exe, type 1 and press Enter to proceed with the fix. Wait, as it takes a while.

ComboFix will restart the PC automatically to complete the removal process. If that does not happen, restart it manually.

When it finishes, a log will be generated at C:\ComboFix.txt.

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running. To stop or exit ComboFix, press "N".

Post a new HijackThis log. Select, copy and paste the contents of ComboFix.txt in your next reply.

NOTE: Do not run ComboFix more than once. That would overwrite the log and make removing the malware harder.
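The indicators a log reader uses to call this Vundo (random lowercase DLL names under system32 loaded by rundll32 with a one-letter export, a csrss.exe living in C:\WINDOWS instead of system32, an executable under an all-digit system32 subfolder, BHO and Winlogon Notify entries that still point at files already gone) can be written down as a small triage script. The block below is an added example, not part of this thread, of HijackThis or of ComboFix; its point weights and the "random-looking name" heuristic are this example's own assumptions, and its sample lines are copied from the March 27 and April 10 logs above, with a few legitimate neighbours (Java, avast!, WgaLogon) kept in to show they are not flagged.

```python
"""Heuristic triage of HijackThis log entries (added example; not an HJT or
ComboFix feature). Weights and the random-name rule are this example's own
assumptions about Vundo/Virtumonde-style persistence, not a published signature."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries copied from the March 27 and April 10 logs in this
# thread, plus legitimate neighbours that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {F501C2AB-834A-4B9D-A86B-A1EADA760B00} - C:\WINDOWS\system32\gebxyyx.dll (file missing)
O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [0d6b155d] rundll32.exe "C:\WINDOWS\system32\bfuqwxvw.dll",b
O4 - HKLM\..\Run: [bM0e5826c1] Rundll32.exe "C:\WINDOWS\system32\pwwcufgk.dll",s
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: gebxyyx - gebxyyx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
MODULE_RE = re.compile(r"([\w~-]+)\.(?:exe|dll|ocx)\b", re.IGNORECASE)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s", re.IGNORECASE)
ONE_LETTER_EXPORT_RE = re.compile(r'",[A-Za-z]$')                       # ...\x.dll",b
HEXISH_NAME_RE = re.compile(r"^(?=.*\d)[A-Za-z]{0,2}[0-9a-fA-F]{6,}$")  # [0d6b155d], [bM0e5826c1]

# Core Windows processes whose only legitimate home is %SystemRoot%\system32.
SYSTEM_PROCS = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Assumed Vundo naming: 5-9 lowercase letters with almost no vowels ('bfuqwxvw')."""
    if not re.fullmatch(r"[a-z]{5,9}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage_line(line: str) -> Optional[Finding]:
    """Score one HJT entry; None when nothing about it looks wrong."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    f = Finding(line)

    if sec in ("O2", "O20") and "(file missing)" in body:
        f.add(1, "orphaned load point: registry still references a deleted module")

    o4 = O4_RE.match(body) if sec == "O4" else None
    cmd = o4.group("cmd") if o4 else ""
    via_rundll = bool(RUNDLL_RE.match(cmd))
    if o4:
        if HEXISH_NAME_RE.match(o4.group("name")):
            f.add(1, f"hex-like Run value name [{o4.group('name')}]")
        if via_rundll and ONE_LETTER_EXPORT_RE.search(cmd):
            f.add(2, "rundll32 calling a one-letter export (Vundo-style loader)")

    for path in PATH_RE.findall(body):
        parent, _, fname = path.rpartition("\\")
        if fname.lower() in SYSTEM_PROCS and not parent.lower().endswith("\\system32"):
            f.add(3, f"{fname} outside system32 (system-process name impersonation)")
        if re.fullmatch(r".*\\system32\\\d+", parent, re.IGNORECASE):
            f.add(2, "executable in an all-digit subdirectory of system32")

    # Random-name check only where Vundo plants DLLs: BHOs, Winlogon Notify, rundll32 loaders.
    if sec in ("O2", "O20") or via_rundll:
        for stem in MODULE_RE.findall(body):
            if looks_random(stem):
                f.add(2, f"random-looking module name {stem}")

    return f if f.reasons else None


def triage_log(text: str) -> List[Finding]:
    """All flagged entries, highest score first (ties keep log order)."""
    found = [f for f in map(triage_line, text.splitlines()) if f is not None]
    return sorted(found, key=lambda f: -f.score)


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.score}] {finding.line}")
        for why in finding.reasons:
            print(f"      - {why}")
```

Run as a script it prints the two rundll32 loaders first, then the orphaned gebxyyx entries and the misplaced csrss.exe, then the YMSF.exe under system32\28463; the Java, avast! and WgaLogon lines produce nothing. A score is a prompt for exactly the file check Sam Spade asked for (upload the flagged path to a multi-engine scanner), not a verdict; and when that upload comes back as 0 bytes, as it did earlier in this thread, the failed read is itself worth noting, since the scanner's own message attributes it to a firewall or to malware protecting the file.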
Pablo3322, posted April 15, 2008:

Hi Sam, thank you very much!

ComboFix 08-04-14.2 - Particular 2008-04-15 2:23:56.3 - FAT32x86
Running from: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aijenglm.dll
C:\WINDOWS\system32\budvjudu.dll
C:\WINDOWS\SYSTEM32\DKjPonmp.ini
C:\WINDOWS\SYSTEM32\DKjPonmp.ini2
C:\WINDOWS\system32\gaenuppo.dll
C:\WINDOWS\system32\iifcBqOh.dll
C:\WINDOWS\SYSTEM32\oppuneag.ini
.
((((((((((((((((((((((( Files created from 2008-03-14 to 2008-04-14 ))))))))))))))))))))))))))))))))
.
2008-04-15 02:16 . 2008-04-15 02:16 3,648 --a------ C:\WINDOWS\SYSTEM32\inotcmeu.dll
2008-04-15 02:14 . 2008-04-15 02:14 3,648 --a------ C:\WINDOWS\SYSTEM32\odyfbajn.dll
2008-04-15 01:40 . 2008-04-15 01:40 3,648 --a------ C:\WINDOWS\SYSTEM32\agkfjoef.dll
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\config\systemprofile\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\Particular\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais
2008-04-11 23:03 . 2008-04-11 23:03 <DIR> d-------- C:\Arquivos de programas\Opera
2008-04-11 22:39 . 2002-01-01 00:04 708,714 ---hs---- C:\WINDOWS\SYSTEM32\iqqmhasy.ini
2008-04-11 22:33 . 2008-04-11 22:33 3,648 --a------ C:\WINDOWS\SYSTEM32\roneprhh.dll
2008-04-05 23:01 . 2002-01-01 00:03 720,831 ---hs---- C:\WINDOWS\SYSTEM32\rsxexkue.ini
2008-04-05 22:55 . 2008-04-05 22:55 3,648 --a------ C:\WINDOWS\SYSTEM32\ohdvqdyi.dll
2008-04-02 23:04 . 2008-04-02 23:04 <DIR> d--hs---- C:\FOUND.002
2008-03-25 04:35 . 2008-03-25 04:35 1,434,504 ---hs---- C:\WINDOWS\SYSTEM32\xyfiebcl.ini
2008-03-24 19:24 . 2008-03-25 04:35 1,343,480 ---hs---- C:\WINDOWS\SYSTEM32\hmrowbpc.ini
2008-03-22 00:11 . 2002-01-01 00:04 1,253,150 ---hs---- C:\WINDOWS\SYSTEM32\kjpsmukh.ini
2008-03-21 23:44 . 2008-03-21 23:44 127 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-03-20 20:44 . 2002-01-01 00:04 1,255,686 ---hs---- C:\WINDOWS\SYSTEM32\dahnpbbq.ini
2008-03-19 19:34 . 2002-01-01 00:08 1,389,816 ---hs---- C:\WINDOWS\SYSTEM32\iytggvqa.ini
2008-03-18 19:48 . 2002-01-01 00:03 1,321,257 ---hs---- C:\WINDOWS\SYSTEM32\qjqtnaib.ini
2008-03-17 20:54 . 2008-03-18 18:39 2,105,720 ---hs---- C:\WINDOWS\SYSTEM32\qnkfloue.ini
2008-03-17 20:45 . 2008-03-17 20:54 1,359,967 ---hs---- C:\WINDOWS\SYSTEM32\txjuawxw.ini
2008-03-16 23:38 . 2002-01-01 00:06 1,355,340 ---hs---- C:\WINDOWS\SYSTEM32\ksuukrhv.ini
2008-03-15 14:35 . 2008-03-15 14:35 33,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\oreans32.sys
2008-03-15 13:03 . 2001-01-01 00:05 1,367,163 ---hs---- C:\WINDOWS\SYSTEM32\rsdtpdjn.ini
2008-03-15 00:21 . 2002-01-01 00:04 1,366,983 ---hs---- C:\WINDOWS\SYSTEM32\wubgcppt.ini
2008-03-14 23:51 . 2008-03-14 23:52 1,366,863 ---hs---- C:\WINDOWS\SYSTEM32\mgihrvqu.ini
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 18:45 1,146,232 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:35 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 18:31 75,856 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 18:23 95,608 ----a-w C:\WINDOWS\SYSTEM32\AVASTSS.scr
2008-03-11 15:01 --------- d-----w C:\WINDOWS\Application Data\ADPHONE
2008-03-11 15:01 --------- d-----w C:\Arquivos de programas\ADPHONE3
2008-03-10 14:16 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\FLEXnet
2008-03-10 14:14 37,888 ----a-w C:\WINDOWS\SYSTEM32\rar.exe
2008-03-10 14:03 --------- d-----w C:\Arquivos de programas\Bonjour
2008-03-10 13:45 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Macrovision Shared
2008-03-07 18:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
2008-02-26 16:30 --------- d-----w C:\Arquivos de programas\ArtMoney
2008-02-21 22:15 --------- d-sh--w C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2008-02-15 17:54 90,112 ----a-w C:\WINDOWS\Cuninst.exe
2008-02-11 11:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-02-11 11:05 311,296 ------w C:\WINDOWS\Setup1.exe
2008-01-17 17:33 42,128 ----a-w C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
2007-10-08 19:53 87,608 ----a-w C:\WINDOWS\Application Data\inst.exe
2007-10-08 19:53 47,360 ----a-w C:\WINDOWS\Application Data\pcouffin.sys
2007-08-08 19:11 169 ----a-w C:\Documents and Settings\Particular\lixeira.reg
2006-04-22 15:06 12 ----a-w C:\Documents and Settings\Particular\aruivo.bat
2005-05-07 19:16 2,376 ----a-w C:\Arquivos de programas\musica.MTP
2004-07-23 10:42 266 --sh--w C:\Arquivos de programas\desktop.ini
2004-07-23 10:42 11,280 ---h--w C:\Arquivos de programas\folder.htt
2002-01-01 10:03 901 ----a-w C:\Documents and Settings\Particular\restore.reg
2006-05-24 12:38 233,472 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 13:00 204,895 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 10:41 77,824 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 12:59 426,081 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 08:19 458,752 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\imagickrt.dll
2006-04-10 14:35 139,264 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 07:10 204,800 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 07:42 106,496 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 07:22 212,992 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 07:21 167,936 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLVoiceUnpacker.dll
2005-05-01 07:19 14 --sh--w C:\WINDOWS\dpwtpdxp.dll
2005-05-08 15:53 19 --sh--w C:\WINDOWS\dpwtddxp.dll
2005-02-11 07:44 56 --sh--r C:\WINDOWS\SYSTEM32\08E6EFE77D.sys
2005-07-25 17:51 12 --sh--w C:\WINDOWS\SYSTEM32\spwtpaxp.dll
2005-05-01 07:19 14 --sh--w C:\WINDOWS\SYSTEM32\dpwtpaxp.dll
2005-05-01 07:19 19 --sh--w C:\WINDOWS\SYSTEM32\dpwtdaxp.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-15_ 1.30.10.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 21:04:44 11,368 ----a-w C:\WINDOWS\Application Data\Mozilla\Firefox\pluginreg.dat
+ 2008-04-14 22:17:02 11,368 ----a-w C:\WINDOWS\Application Data\Mozilla\Firefox\pluginreg.dat
- 2008-04-14 21:19:44 72,004 ----a-w C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\lnzl9y3d.default\history.dat
+ 2008-04-14 22:31:04 64,724 ----a-w C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\lnzl9y3d.default\history.dat
- 2008-04-14 21:21:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 22:32:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 22:32:48 16,384 ----a-w C:\WINDOWS\temp\Perflib_Perfdata_608.dat
.
(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12A6AB00-7C8C-46AA-8426-8825F3F0927C}]
C:\WINDOWS\system32\geedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
2002-01-01 00:03 36864 --a------ C:\WINDOWS\system32\awtsPHYp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E96408F4-C4C1-46E3-BAA2-21D5D69AD1D0}]
2002-01-01 00:09 269824 --a------ C:\WINDOWS\system32\pmnoPjKD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 20:43 8489984 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]
"DWQueuedReporting"="C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"Windows Registry Repair Pro"="C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" [ ]
"TerraVOIP"="C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe" [ ]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 21:09 68856]
"STYLEXP"="C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 22:31 1372160]
"Free Download Manager"="C:\Arquivos de programas\Free Download Manager\fdm.exe" [ ]
"DLD.EXE"="C:\Arquivos de programas\Download Direct\DLD.exe" [ ]
"ddns_agent"="C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe" [2005-06-03 09:21 631296]
"CopyBat"="C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe" [ ]
"ADPHONE"="C:\Arquivos de programas\ADPHONE3\ADPHONE.exe" [2008-03-06 13:28 1261568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"YMSF Agent"="C:\WINDOWS\system32\28463\YMSF.exe" [ ]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"file wave user bat"="C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe" [ ]
"csrss.exe"="C:\WINDOWS\csrss.exe" [ ]
"WinVNC"="C:\Arquivos de programas\UltraVNC\WinVNC.exe" [2006-06-18 14:56 712704]
"Windows Defender"="C:\Arquivos de programas\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2005-11-12 13:46 155648]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-02 03:54 3735552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\WINDOWS\Menu Iniciar\Programas\Iniciar\
hamachi.lnk - C:\Arquivos de programas\Hamachi\hamachi.exe [2007-09-17 23:01:34 PABLO 619048]

C:\WINDOWS\All Users\Menu Iniciar\Programas\Iniciar\
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 PABLO 83360]
WinZip Quick Pick.lnk - C:\Arquivos de programas\WinZip\WZQKPICK.EXE [2004-07-23 16:51:24 PABLO 106560]
Administrador de servicios.lnk - C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-06-19 20:19:08 PABLO 69632]
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [2008-01-01 12:02:34 PABLO 124400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Shell"= c:explorer1.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinSpooler.exe
"WinUpdating"= WinUpdating.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2006-03-27 10:52 201256]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINDOWS\system32\awtsPHYp.dll [2002-01-01 00:03 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsPHYp]
awtsPHYp.dll 2002-01-01 00:03 36864 C:\WINDOWS\SYSTEM32\awtsPHYp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyyx]
gebxyyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Arquivos de programas\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Arquivos de programas\AlienGUIse\FASTLOAD.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau Notification Packages REG_MULTI_SZ :\WINDOWS\system32\srrstr.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys] "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Arquivos de programas\\MessengerDiscovery\\MessengerDiscovery Live.exe"= "C:\\Arquivos de programas\\Windows Media Player\\WMPLAYER.EXE"= "C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= "C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"= "C:\\Arquivos de programas\\jlgsolera\\OnLineLiveSetup\\OnLineLive.exe"= "C:\\Sierra\\Counter-Strike\\cstrike.exe"= "C:\\Arquivos de programas\\K-LiteNitro\\giFT\\giFTl.exe"= "\\\\10.1.1.20\\c\\Muserver1\\CS\\CS.exe"= "C:\\Arquivos de programas\\Winco\\Cliente DDNS\\wizard.exe"= "\\\\10.1.1.20\\Sharing Folders\\pbbinho@hotmail.com\\LieroX v0.56 Pack 1.9\\LieroX.exe"= "\\\\10.1.1.20\\c\\Muserver\\GameServer\\GameServer.exe"= "C:\\Arquivos de programas\\RealVNC\\VNC4\\winvnc4.exe"= "D:\\MuServer\\GameServer\\GameServer.exe"= "D:\\MuServer\\DataServer1\\Dataserver.exe"= "D:\\MuServer\\DataServer2\\Dataserver.exe"= "D:\\MuServer\\CS\\CS.exe"= "D:\\MuServer\\JoinServer\\JoinServer.exe"= "D:\\MuServer\\RankingServer\\DevilSqure_EventServer.exe"= "D:\\MuServer\\ExDB\\Exdb.exe"= "D:\\MuServer\\MU2003_EVENT_SERVER\\WZ_MU2003_EVENT_SERVER.exe"= "C:\\Muserver\\JoinServer\\JoinServer.exe"= "C:\\Muserver\\CS\\CS.EXE"= "C:\\Muserver\\DataServer1\\Dataserver.exe"= "C:\\Muserver\\DataServer2\\Dataserver.exe"= "C:\\MuServer99b+\\DataServer1\\Dataserver.exe"= "C:\\MuServer99b+\\DataServer2\\Dataserver.exe"= "C:\\MuServer99b+\\cs\\cs.exe"= 
"C:\\MuServer99b+\\JoinServer\\JoinServer.exe"= "C:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"= "C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"= "C:\\Arquivos de programas\\Darkeden\\darkeden.exe"= "C:\\Documents and Settings\\Particular\\Desktop\\Dark Eden\\dk2.exe"= "C:\\Arquivos de programas\\Valve\\hl.exe"= "C:\\Arquivos de programas\\Ares\\Ares.exe"= "C:\\Arquivos de programas\\MegaCubo\\megacubo.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Arquivos de programas\\ADPHONE3\\ADPHONE.exe"= "C:\\Documents and Settings\\Particular\\Desktop\\Nova pasta (4)\\Dark Eden\\dk2.exe"= R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 22:31] R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 03:14] R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-03-15 14:35] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 22:35] R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22] S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 21:53] S3 SPCA508A;11043 Ver1.3;C:\WINDOWS\system32\DRIVERS\SP508PIX.SYS [] S3 XDva009;XDva009;C:\WINDOWS\system32\XDva009.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Pablo#pablo ©] \Shell\AutoRun\command - setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C] \Shell\AutoRun\command - setup.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] rundll32.exeadvpack.dll . Conte£do da pasta 'Tarefas Agendadas' "2008-04-14 22:14:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Arquivos de programas\Windows Defender\MpCmdRun.exe . 
************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-15 02:36:34 Windows 5.1.2600 Service Pack 2 FAT NTAPI Procurando processos ocultos ... Procurando entradas auto inicializ veis ocultas ... Procurando ficheiros ocultos ... Varredura completada com sucesso Ficheiros ocultos: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\tsd32.dll -> C:\WINDOWS\system32\awtsPHYp.dll PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\byXRHyvw.dll . ------------------------ Other Running Processes ------------------------ . C:\ARQUIVOS DE PROGRAMAS\TGTSOFT\STYLEXP\STYLEXPSERVICE.EXE C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE C:\ARQUIVOS DE PROGRAMAS\BONJOUR\MDNSRESPONDER.EXE C:\ARQUIVOS DE PROGRAMAS\EWIDO ANTI-SPYWARE 4.0\GUARD.EXE C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\SYSTEM32\WSCNTFY.EXE C:\WINDOWS\system32\rundll32.exe C:\Arquivos de programas\Java\jre1.6.0_03\bin\jucheck.exe . ************************************************************************** . Tempo para conclusÆo: 2008-04-15 2:43:15 - machine was rebooted ComboFix-quarantined-files.txt 2008-04-14 22:42:42 ComboFix2.txt 2008-04-14 21:32:58 Pre-Run: 6,011,387,904 bytes disponíveis Post-Run: 5,989,924,864 bytes dispon¡veis . 
2001-12-31 21:49:06 --- E O F --- ________________________________________________________________________________ ____________________________________ ________________________________________________________________________________ ____________________________________ Logfile of HijackThis v1.99.1 Scan saved at 00:26 PABLO, on 1/1/2002 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Bonjour\mDNSResponder.exe C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\UltraVNC\WinVNC.exe C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe C:\Arquivos de programas\QuickTime\qttask.exe C:\Arquivos de programas\Google\Google Talk\googletalk.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe 
C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE C:\Arquivos de programas\WinZip\WZQKPICK.EXE C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe C:\Arquivos de programas\Hamachi\hamachi.exe C:\Arquivos de programas\Java\jre1.6.0_03\bin\jucheck.exe C:\Arquivos de programas\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll O3 - Toolbar: Barra de Ferramentas do Yahoo! 
com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [YMSF Agent] C:\WINDOWS\system32\28463\YMSF.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Send This.exe O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart O4 - HKLM\..\Run: [bM0e5826c1] Rundll32.exe "C:\WINDOWS\system32\goojlbks.dll",s O4 - HKLM\..\Run: [0d6b155d] rundll32.exe "C:\WINDOWS\system32\vwdqlmfa.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [sTYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: 
[Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe O4 - HKCU\..\Run: [ADPHONE] C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE /STARTUP O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - 
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.212/g_bin/eng/poker_2_0_0_45.cab O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.212/g_bin/eng/billard8_2_0_0_28.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. 
- C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: StyleXPService - Unknown owner - C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing) O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing) Compartilhar este post Link para o post Compartilhar em outros sites
Sam Spade
Posted April 18, 2008

Save or print these instructions, because you will follow them while disconnected and without access to this page:

1 - Delete the folder C:\Qoobox (if it exists), and delete the previous ComboFix log -> C:\combofix.txt

2 - Disable your antivirus, anti-spyware and firewall, so they do not cause conflicts. Keep them disabled until you finish the instructions.

3 - Select and copy the text inside the QUOTE. Open Notepad and paste what you copied. Then save it on the Desktop under the name CFScript.txt.

File::
C:\WINDOWS\SYSTEM32\inotcmeu.dll
C:\WINDOWS\SYSTEM32\odyfbajn.dll
C:\WINDOWS\SYSTEM32\agkfjoef.dll
C:\WINDOWS\SYSTEM32\iqqmhasy.ini
C:\WINDOWS\SYSTEM32\roneprhh.dll
C:\WINDOWS\SYSTEM32\rsxexkue.ini
C:\WINDOWS\SYSTEM32\ohdvqdyi.dll
C:\WINDOWS\SYSTEM32\xyfiebcl.ini
C:\WINDOWS\SYSTEM32\hmrowbpc.ini
C:\WINDOWS\SYSTEM32\kjpsmukh.ini
C:\WINDOWS\SYSTEM32\dahnpbbq.ini
C:\WINDOWS\SYSTEM32\iytggvqa.ini
C:\WINDOWS\SYSTEM32\qjqtnaib.ini
C:\WINDOWS\SYSTEM32\qnkfloue.ini
C:\WINDOWS\SYSTEM32\txjuawxw.ini
C:\WINDOWS\SYSTEM32\ksuukrhv.ini
C:\WINDOWS\SYSTEM32\rsdtpdjn.ini
C:\WINDOWS\SYSTEM32\wubgcppt.ini
C:\WINDOWS\SYSTEM32\mgihrvqu.ini
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\awtsPHYp.dll
C:\WINDOWS\system32\pmnoPjKD.dll
C:\WINDOWS\system32\WinSpooler.exe
C:\WINDOWS\system32\WinUpdating.exe
C:\WINDOWS\system32\byXRHyvw.dll
C:\WINDOWS\system32\goojlbks.dll
C:\WINDOWS\system32\vwdqlmfa.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12A6AB00-7C8C-46AA-8426-8825F3F0927C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E96408F4-C4C1-46E3-BAA2-21D5D69AD1D0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CopyBat"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMSF Agent"=-
"file wave user bat"=-
"csrss.exe"=-
"BM0e5826c1"=-
"0d6b155d"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Shell"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"=-
"WinUpdating"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsPHYp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyyx]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Pablo#pablo ©]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

4 - Now drag CFScript.txt onto ComboFix as shown in the demonstration below. ComboFix will run and will restart the PC automatically to complete the removal process. IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running. When it finishes, a log will be generated at C:\ComboFix.txt. NOTE: Do not run ComboFix more than once. That will overwrite the log and make removing the malware harder.

5 - Go to http://virusscan.jotti.org/ On the site, in the Browse box, paste the line below:
C:\WINDOWS\system32\tsd32.dll
Click Submit, wait for the analysis result to appear and save it.

6 - Post a new HijackThis log. Select, copy and paste the contents of ComboFix.txt in your next reply. Also post the Jotti result.
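The CFScript above deletes, among other things, the Run values [csrss.exe], [bM0e5826c1] and [0d6b155d] that appear in the HijackThis log posted earlier in the thread. The Python script below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses O4 lines and reports the observations a helper makes when reading them (a core OS process name registered as a Run value or launched from outside System32, a hex-like value name, and rundll32 loading an eight-letter DLL through a single-letter export). The sample lines are copied from the first HijackThis log above; the name patterns and the list of core process names are my own heuristics and are not rules published by any tool.

```python
"""Triage of HijackThis O4 (Run-key) lines.

Added example for this thread; not code from the thread, HijackThis or
ComboFix. The patterns below are heuristics chosen from this log, so a
match is a reason to look closer, not a verdict.
"""
import re

# HijackThis 1.99 O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')

# Core Windows processes are started by the boot chain, never by a Run value,
# so a Run entry carrying one of these names is suspect whatever its path.
CORE_PROCESS_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe",
                      "services.exe", "svchost.exe"}

# Value names that are a bare 8-digit hex token, optionally with a two-letter
# prefix: the "0d6b155d" / "bM0e5826c1" pattern in the log above (heuristic).
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]{0,2}[0-9a-f]{8}$')

# rundll32 launching a DLL: capture the DLL path and the export after the comma.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S*))?',
    re.IGNORECASE)

# Eight-letter DLL basenames (goojlbks.dll, vwdqlmfa.dll ...), the naming style
# of most DLLs in the helper's File:: list. Legitimate 8-letter DLLs exist, so
# this reason is a hint to be read together with the others.
RANDOM_DLL_RE = re.compile(r'^[A-Za-z]{8}\.dll$', re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _first_token(cmd):
    """Executable part of a command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd.strip() else ""


def triage_line(line):
    """Return (value name, [reasons]) for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    if name.lower() in CORE_PROCESS_NAMES:
        reasons.append("core OS process name used as a Run value")
    exe = _first_token(cmd)
    if _basename(exe).lower() in CORE_PROCESS_NAMES and "\\system32\\" not in exe.lower():
        reasons.append("system-process name launched from outside System32: " + exe)
    if RANDOM_NAME_RE.match(name):
        reasons.append("random hex-like value name")
    rd = RUNDLL_RE.match(cmd)
    if rd:
        dll, export = _basename(rd.group("dll")), rd.group("export") or ""
        if RANDOM_DLL_RE.match(dll):
            reasons.append("rundll32 loads an eight-letter random-looking DLL: " + dll)
        if len(export) == 1:
            reasons.append("rundll32 export name is a single letter: " + export)
    return name, reasons


def triage(log_text):
    """All O4 entries with at least one reason, in log order."""
    out = []
    for line in log_text.splitlines():
        r = triage_line(line)
        if r and r[1]:
            out.append(r)
    return out


# Sample lines constructed from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bM0e5826c1] Rundll32.exe "C:\WINDOWS\system32\goojlbks.dll",s
O4 - HKLM\..\Run: [0d6b155d] rundll32.exe "C:\WINDOWS\system32\vwdqlmfa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"[{name}]")
        for reason in reasons:
            print("   -", reason)
```

Run on the sample, it reports exactly the three entries the CFScript removes and stays silent on NvCplDaemon, whose rundll32 call names a real export (NvStartup) and a five-letter NVIDIA DLL. Each finding carries every reason that fired, so a reviewer can see whether an entry tripped one weak hint or several independent ones.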
Pablo3322
Posted April 29, 2008

Hi Sam, sorry for the delay!

Logfile of HijackThis v1.99.1
Scan saved at 20:01 PABLO, on 29/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\UltraVNC\WinVNC.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe
C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Hamachi\hamachi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\K-Meleon\k-meleon.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Arquivos de programas\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARQUIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ADPHONE] C:\Arquivos de programas\ADPHONE3\ADPHONE.EXE /STARTUP
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [TerraVOIP] C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DLD.EXE] C:\Arquivos de programas\Download Direct\DLD.exe
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Administrador de servicios.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://200.212.184.212/g_bin/eng/poker_2_0_0_45.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://200.212.184.212/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\Arquivos de programas\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

________________________________________________________________________________

ComboFix 08-04-28.2 - Particular 2008-04-29 18:09:21.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.57 [GMT 4:00]
Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Particular\Desktop\CFScript.txt
* Criado um novo ponto de restauro
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\agkfjoef.dll
C:\WINDOWS\system32\awtsPHYp.dll
C:\WINDOWS\system32\byXRHyvw.dll
C:\WINDOWS\SYSTEM32\dahnpbbq.ini
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\goojlbks.dll
C:\WINDOWS\SYSTEM32\hmrowbpc.ini
C:\WINDOWS\SYSTEM32\inotcmeu.dll
C:\WINDOWS\SYSTEM32\iqqmhasy.ini
C:\WINDOWS\SYSTEM32\iytggvqa.ini
C:\WINDOWS\SYSTEM32\kjpsmukh.ini
C:\WINDOWS\SYSTEM32\ksuukrhv.ini
C:\WINDOWS\SYSTEM32\mgihrvqu.ini
C:\WINDOWS\SYSTEM32\odyfbajn.dll
C:\WINDOWS\SYSTEM32\ohdvqdyi.dll
C:\WINDOWS\system32\pmnoPjKD.dll
C:\WINDOWS\SYSTEM32\qjqtnaib.ini
C:\WINDOWS\SYSTEM32\qnkfloue.ini
C:\WINDOWS\SYSTEM32\roneprhh.dll
C:\WINDOWS\SYSTEM32\rsdtpdjn.ini
C:\WINDOWS\SYSTEM32\rsxexkue.ini
C:\WINDOWS\SYSTEM32\txjuawxw.ini
C:\WINDOWS\system32\vwdqlmfa.dll
C:\WINDOWS\system32\WinSpooler.exe
C:\WINDOWS\system32\WinUpdating.exe
C:\WINDOWS\SYSTEM32\wubgcppt.ini
C:\WINDOWS\SYSTEM32\xyfiebcl.ini
.
((((((((((((((((((((((( Ficheiros criados de 2008-03-28 to 2008-04-29 ))))))))))))))))))))))))))))))))
.
2008-07-31 10:00 . 2008-07-31 10:00 <DIR> d--hs---- C:\FOUND.000
2008-04-18 01:05 . 2008-04-18 01:05 <DIR> d-------- C:\WINDOWS\Application Data\K-Meleon
2008-04-18 01:04 . 2008-04-18 01:04 <DIR> d-------- C:\Arquivos de programas\K-Meleon
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\config\systemprofile\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\Particular\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais
2008-04-15 01:33 . 2008-04-15 01:33 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais
2008-04-11 23:03 . 2008-04-11 23:03 <DIR> d-------- C:\Arquivos de programas\Opera
2008-04-02 23:04 . 2008-04-02 23:04 <DIR> d--hs---- C:\FOUND.002
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys 2008-03-20 08:09 1,845,376 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys 2008-03-15 10:35 33,824 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys 2008-03-11 15:01 --------- d-----w C:\WINDOWS\Application Data\ADPHONE 2008-03-11 15:01 --------- d-----w C:\Arquivos de programas\ADPHONE3 2008-03-10 14:16 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\FLEXnet 2008-03-10 14:14 37,888 ----a-w C:\WINDOWS\SYSTEM32\rar.exe 2008-03-10 14:03 --------- d-----w C:\Arquivos de programas\Bonjour 2008-03-10 13:45 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Macrovision Shared 2008-03-07 18:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP 2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll 2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll 2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll 2008-02-20 05:38 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll 2008-02-20 05:38 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll 2008-02-16 22:33 3,080,704 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll 2008-02-15 17:54 90,112 ----a-w C:\WINDOWS\Cuninst.exe 2008-02-15 09:23 18,432 ------w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe 2008-02-11 11:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2008-02-11 11:05 311,296 ------w C:\WINDOWS\Setup1.exe 2008-01-17 17:33 42,128 ----a-w C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT 2007-10-08 19:53 87,608 ----a-w C:\WINDOWS\Application Data\inst.exe 2007-10-08 19:53 47,360 ----a-w C:\WINDOWS\Application Data\pcouffin.sys 2007-08-08 19:11 169 ----a-w C:\Documents and Settings\Particular\lixeira.reg 2006-04-22 15:06 12 ----a-w C:\Documents and Settings\Particular\aruivo.bat 2005-05-07 19:16 2,376 ----a-w C:\Arquivos de programas\musica.MTP 2004-07-23 10:42 266 --sh--w C:\Arquivos de programas\desktop.ini 2004-07-23 10:42 11,280 ---h--w C:\Arquivos de 
programas\folder.htt 2002-01-01 10:03 901 ----a-w C:\Documents and Settings\Particular\restore.reg 2006-05-24 12:38 233,472 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\CrazyTalk4Native.dll 2006-05-18 13:00 204,895 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctdomemhelper.dll 2005-09-29 10:41 77,824 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctframeplayerobject.dll 2006-05-18 12:59 426,081 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ctplayerobject.dll 2005-02-02 08:19 458,752 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\imagickrt.dll 2006-04-10 14:35 139,264 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\rlcontentclass.dll 2005-11-09 07:10 204,800 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLMusicPacker.dll 2005-11-09 07:42 106,496 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLMusicUnpacker.dll 2006-01-04 07:22 212,992 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLVoicePacker.dll 2006-01-04 07:21 167,936 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\RLVoiceUnpacker.dll 2005-05-01 07:19 14 --sh--w C:\WINDOWS\dpwtpdxp.dll 2005-05-08 15:53 19 --sh--w C:\WINDOWS\dpwtddxp.dll 2005-02-11 07:44 56 --sh--r C:\WINDOWS\SYSTEM32\08E6EFE77D.sys 2005-07-25 17:51 12 --sh--w C:\WINDOWS\SYSTEM32\spwtpaxp.dll 2005-05-01 07:19 14 --sh--w C:\WINDOWS\SYSTEM32\dpwtpaxp.dll 2005-05-01 07:19 19 --sh--w C:\WINDOWS\SYSTEM32\dpwtdaxp.dll . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas. 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay] @={7D688A77-C613-11D0-999B-00C04FD655E1} [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}] 2007-10-25 20:43 8489984 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360] "ADPHONE"="C:\Arquivos de programas\ADPHONE3\ADPHONE.exe" [2008-03-06 13:28 1261568] "Windows Registry Repair Pro"="C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" [ ] "TerraVOIP"="C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe" [ ] "swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 21:09 68856] "STYLEXP"="C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 22:31 1372160] "Free Download Manager"="C:\Arquivos de programas\Free Download Manager\fdm.exe" [ ] "DLD.EXE"="C:\Arquivos de programas\Download Direct\DLD.exe" [ ] "ddns_agent"="C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe" [2005-06-03 09:21 631296] "CopyBat"="C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560] "nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe] "WinVNC"="C:\Arquivos de programas\UltraVNC\WinVNC.exe" [2006-06-18 14:56 712704] "Windows Defender"="C:\Arquivos de programas\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424] "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768] "QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2005-11-12 13:46 155648] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] 
"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-02 03:54 3735552] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360] C:\WINDOWS\Menu Iniciar\Programas\Iniciar\ hamachi.lnk - C:\Arquivos de programas\Hamachi\hamachi.exe [2007-09-17 23:01:34 PABLO 619048] C:\WINDOWS\All Users\Menu Iniciar\Programas\Iniciar\ Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 PABLO 83360] WinZip Quick Pick.lnk - C:\Arquivos de programas\WinZip\WZQKPICK.EXE [2004-07-23 16:51:24 PABLO 106560] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "RestrictRun"= 0 (0x0) "NoViewOnDrive"= 0 (0x0) "NoBandCustomize"= 0 (0x0) "NoMovingBands"= 0 (0x0) "NoCloseDragDropBands"= 0 (0x0) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "RestrictRun"= 0 (0x0) "NoViewOnDrive"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2006-03-27 10:52 201256] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB] C:\Arquivos de programas\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Arquivos de programas\AlienGUIse\FASTLOAD.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=wbsys.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "MSACM.MSNAUDIO"= msnaudio.acm "vidc.yv12"= yv12vfw.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys] "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] 
"%windir%\\system32\\sessmgr.exe"= "C:\\Arquivos de programas\\MessengerDiscovery\\MessengerDiscovery Live.exe"= "C:\\Arquivos de programas\\Windows Media Player\\WMPLAYER.EXE"= "C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= "C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"= "C:\\Arquivos de programas\\jlgsolera\\OnLineLiveSetup\\OnLineLive.exe"= "C:\\Sierra\\Counter-Strike\\cstrike.exe"= "C:\\Arquivos de programas\\K-LiteNitro\\giFT\\giFTl.exe"= "\\\\10.1.1.20\\c\\Muserver1\\CS\\CS.exe"= "C:\\Arquivos de programas\\Winco\\Cliente DDNS\\wizard.exe"= "\\\\10.1.1.20\\Sharing Folders\\pbbinho@hotmail.com\\LieroX v0.56 Pack 1.9\\LieroX.exe"= "\\\\10.1.1.20\\c\\Muserver\\GameServer\\GameServer.exe"= "C:\\Arquivos de programas\\RealVNC\\VNC4\\winvnc4.exe"= "D:\\MuServer\\GameServer\\GameServer.exe"= "D:\\MuServer\\DataServer1\\Dataserver.exe"= "D:\\MuServer\\DataServer2\\Dataserver.exe"= "D:\\MuServer\\CS\\CS.exe"= "D:\\MuServer\\JoinServer\\JoinServer.exe"= "D:\\MuServer\\RankingServer\\DevilSqure_EventServer.exe"= "D:\\MuServer\\ExDB\\Exdb.exe"= "D:\\MuServer\\MU2003_EVENT_SERVER\\WZ_MU2003_EVENT_SERVER.exe"= "C:\\Muserver\\JoinServer\\JoinServer.exe"= "C:\\Muserver\\CS\\CS.EXE"= "C:\\Muserver\\DataServer1\\Dataserver.exe"= "C:\\Muserver\\DataServer2\\Dataserver.exe"= "C:\\MuServer99b+\\DataServer1\\Dataserver.exe"= "C:\\MuServer99b+\\DataServer2\\Dataserver.exe"= "C:\\MuServer99b+\\cs\\cs.exe"= "C:\\MuServer99b+\\JoinServer\\JoinServer.exe"= "C:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"= "C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"= "C:\\Arquivos de programas\\Darkeden\\darkeden.exe"= "C:\\Documents and Settings\\Particular\\Desktop\\Dark Eden\\dk2.exe"= "C:\\Arquivos de programas\\Valve\\hl.exe"= "C:\\Arquivos de programas\\Ares\\Ares.exe"= "C:\\Arquivos de programas\\MegaCubo\\megacubo.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Arquivos de programas\\Windows 
Live\\Messenger\\livecall.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Arquivos de programas\\ADPHONE3\\ADPHONE.exe"= "C:\\Documents and Settings\\Particular\\Desktop\\Nova pasta (4)\\Dark Eden\\dk2.exe"= R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 22:31] R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 03:14] R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-03-15 14:35] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 22:35] R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22] S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 21:53] S3 SPCA508A;11043 Ver1.3;C:\WINDOWS\system32\DRIVERS\SP508PIX.SYS [] S3 XDva009;XDva009;C:\WINDOWS\system32\XDva009.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Pablo#pablo ©] \Shell\AutoRun\command - setup.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] rundll32.exeadvpack.dll . Conte£do da pasta 'Tarefas Agendadas' "2001-12-31 22:14:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Arquivos de programas\Windows Defender\MpCmdRun.exe . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-29 18:20:24 Windows 5.1.2600 Service Pack 2 FAT NTAPI Procurando processos ocultos ... Procurando entradas auto inicializ veis ocultas ... Procurando ficheiros ocultos ... Varredura completada com sucesso Ficheiros ocultos: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\tsd32.dll . ------------------------ Other Running Processes ------------------------ . 
C:\ARQUIVOS DE PROGRAMAS\TGTSOFT\STYLEXP\STYLEXPSERVICE.EXE C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE C:\ARQUIVOS DE PROGRAMAS\BONJOUR\MDNSRESPONDER.EXE C:\ARQUIVOS DE PROGRAMAS\EWIDO ANTI-SPYWARE 4.0\GUARD.EXE C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe . ************************************************************************** . Tempo para conclusÆo: 2008-04-29 18:24:54 - machine was rebooted [Particular] ComboFix-quarantined-files.txt 2008-04-29 14:24:40 Pre-Run: 5,678,301,184 bytes disponíveis Post-Run: 5,651,365,888 bytes dispon¡veis 248 --- E O F --- 2008-04-16 21:39:39 ________________________________________________________________________________ ___________________________________ Scanner results Scan taken on 29 Apr 2008 22:49:32 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Fortinet Found nothing Ikarus Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing Compartilhar este post Link para o post Compartilhar em outros sites
Sam Spade (posted April 30, 2008)

Follow these instructions:

Open HijackThis and click Do a system scan only. Wait for the scan to finish. Each entry has a box on the left-hand side. Check only the box of the entry below:

O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe

It will show a check mark inside the box. Then click [Fix checked]. Click Ok on the prompt, then generate a new log with HijackThis and post it.
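Added example, not part of the thread and not HijackThis, ComboFix or forum code: a small Python parser for HijackThis O4 (autostart) lines that expands the abbreviated `HKCU\..\Run` notation into the full registry key, shows the `reg.exe` command equivalent to ticking a registry O4 entry and pressing Fix checked (the Run value is deleted; the executable stays on disk), and applies two triage heuristics that are my own assumptions rather than anything the tools do: a target marked "(file missing)", or a target under a user profile directory such as the `APPLIC~1` (Application Data) path in the CopyBat entry above. The sample lines are copied from the log posted in this thread.

```python
"""Triage helper for HijackThis O4 (autostart) lines.

Added example for this thread; it is not HijackThis, ComboFix or forum
code.  The sample lines are copied from the log posted above; the two
flagging heuristics are my own assumptions, not anything the tools do.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: O4 lines copied from the HijackThis log above, plus one
# non-O4 line to show that the parser ignores everything else.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ddns_agent] C:\Arquivos de programas\Winco\Cliente DDNS\ipcagent.exe
O4 - HKCU\..\Run: [CopyBat] C:\WINDOWS\APPLIC~1\SIGNTW~1\biasmail.exe
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

# Two O4 shapes: "O4 - HKCU\..\Run: [name] command" for registry entries and
# "O4 - Startup: file.lnk = target" / "O4 - Global Startup: ..." for folders.
O4_RE = re.compile(
    r"^O4 - (?P<kind>HKLM|HKCU|Startup|Global Startup)"
    r"(?:\\\.\.\\(?P<key>[A-Za-z]+))?: "
    r"(?:\[(?P<name>[^\]]*)\] (?P<cmd>.*)|(?P<lnk>.+?\.lnk) = (?P<target>.*))$"
)

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = "Software\\Microsoft\\Windows\\CurrentVersion"

# Assumption (mine): an autostart pointing into a user profile directory is
# worth a look before anything else; legitimate software usually lives in
# Program Files or the Windows directory.
PROFILE_MARKERS = ("\\APPLIC~1\\", "\\Application Data\\",
                   "\\Documents and Settings\\", "\\DOCUME~1\\")


@dataclass
class Autostart:
    kind: str            # HKLM, HKCU, Startup or Global Startup
    key: Optional[str]   # Run, RunOnce, ... for registry entries, else None
    name: str            # registry value name, or the .lnk file name
    command: str         # what gets executed


def parse_o4(line: str) -> Optional[Autostart]:
    """Return an Autostart for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    if m.group("name") is not None:
        return Autostart(m.group("kind"), m.group("key"), m.group("name"), m.group("cmd"))
    return Autostart(m.group("kind"), None, m.group("lnk"), m.group("target"))


def registry_location(entry: Autostart) -> Optional[str]:
    """Expand the abbreviated 'HKCU\\..\\Run' to the full key path (None for folder items)."""
    if entry.kind not in HIVES or not entry.key:
        return None
    return HIVES[entry.kind] + "\\" + RUN_BASE + "\\" + entry.key


def fix_command(entry: Autostart) -> Optional[str]:
    """reg.exe equivalent of ticking a registry O4 entry and pressing 'Fix checked':
    the Run value is deleted; the executable it pointed at stays on disk."""
    if registry_location(entry) is None:
        return None
    short_key = entry.kind + "\\" + RUN_BASE + "\\" + entry.key
    return 'reg delete "%s" /v "%s" /f' % (short_key, entry.name)


def triage_reasons(entry: Autostart) -> List[str]:
    """Heuristic flags (assumptions, see above) for one autostart entry."""
    reasons = []
    cmd = entry.command.lower()
    if "(file missing)" in cmd:
        reasons.append("target file missing")
    if any(marker.lower() in cmd for marker in PROFILE_MARKERS):
        reasons.append("runs from a user-writable profile directory")
    return reasons


def triage(log_text: str) -> List[Tuple[str, Optional[str], List[str]]]:
    """Parse every O4 line and return (name, full registry key or None, reasons)
    for the entries the heuristics flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = triage_reasons(entry)
        if reasons:
            flagged.append((entry.name, registry_location(entry), reasons))
    return flagged


if __name__ == "__main__":
    entries = [e for e in map(parse_o4, SAMPLE_LOG.splitlines()) if e]
    for name, key, reasons in triage(SAMPLE_LOG):
        print(name, key, "; ".join(reasons))
        entry = next(e for e in entries if e.name == name)
        print("  fix:", fix_command(entry))
```

Run against the sample, only CopyBat is flagged, and the printed fix is the value deletion under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that HijackThis performs; after the fix, a fresh log should show the O4 line gone, which is what the new log requested above is for.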