
Archived

This topic has been archived and is closed to new replies.

Ricardo_Olbrich

[Archived] explorer.exe restarting


Hey folks, I hope you can help me with this annoying problem.

 

Here is the HijackThis logfile:

 

Logfile of HijackThis v1.99.1

Scan saved at 18:27:58, on 18/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\WinLogT.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Hijack\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://br.rd.yahoo.com/customize/ycomp/def...m/info/ie6.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://br.rd.yahoo.com/customize/ycomp/def...://br.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://br.rd.yahoo.com/customize/ycomp/def...://br.yahoo.com

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [WinLogT] C:\WINDOWS\WinLogT.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: MemTurbo.lnk = C:\Arquivos de programas\Memturbo 4\MemTurbo.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

 

 

Thanks for your attention.


Hi Ricardo_Olbrich,

 

Download ComboFix at:

ComboFix

 

1) Temporarily disable your antivirus;

2) Double-click combofix.exe and press "1" to proceed. The process takes about 10 minutes on average;

3) ComboFix will restart the PC automatically so that the removal process can finish (only if an infection is found);

4) When the scan finishes, a log will be generated at C:\ComboFix.txt;

5) Do not click in the ComboFix window or close it with the X while the tool is running, as that will leave your desktop misconfigured (it will turn completely white);

6) To stop or exit ComboFix, press "N";

7) Re-enable your antivirus;

8) Please paste the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

 

Regards.


Contents of ComboFix.txt:

 

ComboFix 08-03-23.2 - Ricardo 2008-03-24 12:34:46.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.195 [GMT -3:00]

Running from: E:\Ricardo\Downloads\Firefox\ComboFix.exe

* A new restore point was created

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\BMab2a160b.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\awttron.dll

C:\WINDOWS\system32\ayadd.ini

C:\WINDOWS\system32\ayadd.ini2

C:\WINDOWS\system32\ddaya.dll

C:\WINDOWS\system32\ddayx.dll

C:\WINDOWS\system32\ddcyvuu.dll

C:\WINDOWS\system32\fccbxwv.dll

C:\WINDOWS\system32\fccyywv.dll

C:\WINDOWS\system32\gebayvv.dll

C:\WINDOWS\system32\gebbbbx.dll

C:\WINDOWS\system32\gjjlm.ini

C:\WINDOWS\system32\gjjlm.ini2

C:\WINDOWS\system32\iifeedc.dll

C:\WINDOWS\system32\jlkkj.ini

C:\WINDOWS\system32\jlkkj.ini2

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\mljgghf.dll

C:\WINDOWS\system32\mljjg.dll

C:\WINDOWS\system32\nnnkjkk.dll

C:\WINDOWS\system32\packet.dll

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\rpxwdrfo.dll

C:\WINDOWS\system32\ssqnnnl.dll

C:\WINDOWS\system32\sttss.ini

C:\WINDOWS\system32\sttss.ini2

C:\WINDOWS\system32\ttutv.ini

C:\WINDOWS\system32\ttutv.ini2

C:\WINDOWS\system32\udbhqcoi.ini

C:\WINDOWS\system32\vtutt.dll

C:\WINDOWS\system32\wpcap.dll

C:\WINDOWS\system32\wvusqqp.dll

C:\WINDOWS\system32\xyadd.ini

C:\WINDOWS\system32\xyadd.ini2

C:\WINDOWS\system32\ybadd.ini

C:\WINDOWS\system32\ybadd.ini2

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NPF

-------\Service_NPF

 

 

((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))

.

 

2008-03-16 12:55 . 2008-03-24 12:30 <DIR> d-------- C:\Hijack

2008-03-16 11:43 . 2008-03-16 11:43 <DIR> d-------- C:\Arquivos de programas\IObit

2008-03-16 11:05 . 2008-03-16 11:05 95,296 --a------ C:\WINDOWS\system32\htmohetc.VIR000

2008-03-16 10:58 . 2008-03-16 10:58 95,296 --a------ C:\WINDOWS\system32\nudsfekt.VIR

2008-03-08 12:00 . 2008-03-08 13:54 1,113 --a------ C:\WINDOWS\wininit.ini

2008-03-08 11:21 . 2008-03-08 11:20 691,545 --a------ C:\WINDOWS\unins000.exe

2008-03-08 11:21 . 2008-03-08 11:21 2,555 --a------ C:\WINDOWS\unins000.dat

2008-03-07 23:38 . 2008-03-08 14:03 <DIR> d-------- C:\WINDOWS\RagnaPROJECT

2008-02-26 23:21 . 2008-03-06 16:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-02-26 23:21 . 2008-02-26 23:21 1,409 --a------ C:\WINDOWS\QTFont.for

2008-02-26 23:17 . 2008-02-26 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer

2008-02-26 23:17 . 2008-02-26 23:17 <DIR> d-------- C:\Arquivos de programas\QuickTime Alternative

2008-02-26 23:17 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-02-26 23:17 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-02-26 17:42 . 2008-02-26 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Apple

2008-02-26 17:42 . 2008-02-26 17:43 <DIR> d-------- C:\Arquivos de programas\Apple Software Update

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-24 03:17 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\uTorrent

2008-03-23 01:44 --------- d-----w C:\Arquivos de programas\eMule

2008-03-22 20:17 --------- d-----w C:\Arquivos de programas\MegaCubo

2008-03-16 14:16 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-03-08 15:01 --------- d-----w C:\Arquivos de programas\AdVantage

2008-03-08 14:25 --------- d-----w C:\Arquivos de programas\Spybot - Search & Destroy

2008-02-25 05:49 --------- d-----w C:\Arquivos de programas\The 7 Deadly Sins

2008-02-21 15:12 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-02-21 15:10 --------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

2008-02-20 16:22 --------- d-----w C:\Arquivos de programas\Microsoft.NET

2008-02-20 02:46 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft Help

2008-02-15 22:55 38,400 ----a-w C:\WINDOWS\system32\NTSpool.exe

2008-02-12 22:32 93,248 ----a-w C:\WINDOWS\system32\ralawvex.dll

2008-02-12 18:10 93,248 ----a-w C:\WINDOWS\system32\iantoqra.dll

2008-02-12 15:36 93,248 ----a-w C:\WINDOWS\system32\tgsajqir.dll

2008-02-12 12:10 --------- d-----w C:\Arquivos de programas\DAEMON Tools Lite

2008-02-11 16:11 93,248 ----a-w C:\WINDOWS\system32\jgparigj.dll

2008-02-11 16:01 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\iolo

2008-02-11 15:58 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\iolo

2008-02-11 15:57 --------- d-----w C:\Documents and Settings\LocalService\Dados de aplicativos\iolo

2008-02-11 15:56 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll

2008-02-11 15:53 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\protejaseudrive

2008-02-11 15:36 93,248 ----a-w C:\WINDOWS\system32\xahmtrum.dll

2008-02-11 15:20 93,248 ----a-w C:\WINDOWS\system32\xddsxvae.dll

2008-02-11 15:17 93,248 ----a-w C:\WINDOWS\system32\olvlocgm.dll

2008-02-11 14:16 93,248 ----a-w C:\WINDOWS\system32\lysymlpa.dll

2008-02-11 05:37 93,248 ----a-w C:\WINDOWS\system32\mbfjqejw.dll

2008-02-11 01:12 93,248 ----a-w C:\WINDOWS\system32\gnsptwjr.dll

2008-02-10 02:43 93,760 ----a-w C:\WINDOWS\system32\cwcjeibb.dll

2008-02-09 20:43 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\BSplayer

2008-02-09 15:42 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\BSplayer Pro

2008-02-09 15:42 --------- d-----w C:\Arquivos de programas\Webteh

2008-02-09 15:17 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack

2008-02-09 12:18 93,760 ----a-w C:\WINDOWS\system32\lswrhmth.dll

2008-02-08 21:41 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-02-08 21:25 --------- d-----w C:\Arquivos de programas\VS Revo Group

2008-02-08 16:27 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Avira

2008-02-08 16:27 --------- d-----w C:\Arquivos de programas\Avira

2008-02-08 11:00 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Skype

2008-02-08 04:43 --------- d-----w C:\Arquivos de programas\HP

2008-02-08 04:13 37,888 ----a-w C:\WINDOWS\system32\rar.exe

2008-02-08 02:51 --------- d-----w C:\Arquivos de programas\Marcos Velasco Security

2008-02-07 23:48 --------- d-----w C:\Arquivos de programas\CCleaner

2008-02-05 01:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\nView_Profiles

2008-01-31 21:13 --------- d-----w C:\Arquivos de programas\NGONVOD29792

2008-01-27 18:18 --------- d-----w C:\Arquivos de programas\SopCast

2008-01-10 15:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll

2008-01-10 15:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll

2007-12-24 15:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll

2006-11-23 02:27 0 -c--a-w C:\Documents and Settings\Ricardo\iphist.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96effd66-691a-4633-a98e-3057140aeb47}]

2008-02-12 19:32 93248 --a------ C:\WINDOWS\system32\ralawvex.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-08-03 23:56 1667584]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinLogT"="C:\WINDOWS\WinLogT.exe" [2006-03-30 14:45 500224]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-12-21 10:29 7774208]

"avgnt"="C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-08 14:28 249896]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

 

C:\Documents and Settings\Ricardo\Menu Iniciar\Programas\Inicializar\

MemTurbo.lnk - C:\Arquivos de programas\Memturbo 4\MemTurbo.exe [2007-11-03 11:29:39 2341376]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"Windows Printing Driver"= WinPrint.exe

"NT Security Service"= NTSecurity.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyvuu]

ddcyvuu.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Software Kodak EasyShare.lnk]

backup=C:\WINDOWS\pss\Software Kodak EasyShare.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Ricardo^Menu Iniciar^Programas^Inicializar^hamachi.lnk]

backup=C:\WINDOWS\pss\hamachi.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a8192597]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

--a------ 2007-11-05 11:12 884176 C:\Arquivos de programas\AdVantage\AdVantage.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a--c--- 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

--a------ 2007-12-29 09:05 486856 C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 241664 C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2006-12-21 10:29 1622016 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2005-06-20 10:42 77824 C:\WINDOWS\SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-01-28 11:43 2097488 C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"E:\\Ricardo\\utorrent.exe"=

"C:\\Arquivos de programas\\uTorrent\\utorrent.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\The 7 Deadly Sins\\mirc.exe"=

"E:\\Ricardo\\Jogos\\Warcraft\\Warcraft III\\Warcraft III.exe"=

"E:\\Ricardo\\Jogos\\Warcraft\\Warcraft III\\lancraft.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\MegaCubo\\megacubo.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"23687:TCP"= 23687:TCP:BitComet 23687 TCP

"23687:UDP"= 23687:UDP:BitComet 23687 UDP

 

S0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys []

 

.

Contents of the 'Scheduled Tasks' folder

"2008-03-22 18:35:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-24 12:40:43

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-03-24 12:43:52 - machine was rebooted

ComboFix-quarantined-files.txt 2008-03-24 15:43:48

.

2008-02-11 16:14:05 --- E O F ---

 

 

 

New HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 13:02:53, on 24/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\WinLogT.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://br.rd.yahoo.com/customize/ycomp/def...://br.yahoo.com

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: {74bea041-7503-e89a-3364-a19666dffe69} - {96effd66-691a-4633-a98e-3057140aeb47} - C:\WINDOWS\system32\ralawvex.dll

O4 - HKLM\..\Run: [WinLogT] C:\WINDOWS\WinLogT.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Startup: MemTurbo.lnk = C:\Arquivos de programas\Memturbo 4\MemTurbo.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA6049A6-AD1D-4C0B-8BB6-DEFC8B4ED904}: NameServer = 200.149.55.142 200.165.132.147

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)

O20 - Winlogon Notify: ddcyvuu - ddcyvuu.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Hi Ricardo_Olbrich,

 

Follow these instructions:

 

1. Open Notepad -> copy (Ctrl+C) and paste (Ctrl+V) all of the text included in the quote below:

File::

C:\WINDOWS\system32\htmohetc.VIR000

C:\WINDOWS\system32\nudsfekt.VIR

C:\WINDOWS\system32\NTSpool.exe

C:\WINDOWS\system32\NTSecurity.exe

C:\WINDOWS\system32\WinPrint.exe

C:\WINDOWS\system32\rar.exe

C:\WINDOWS\system32\ralawvex.dll

C:\WINDOWS\system32\iantoqra.dll

C:\WINDOWS\system32\tgsajqir.dll

C:\WINDOWS\system32\jgparigj.dll

C:\WINDOWS\system32\xahmtrum.dll

C:\WINDOWS\system32\xddsxvae.dll

C:\WINDOWS\system32\olvlocgm.dll

C:\WINDOWS\system32\lysymlpa.dll

C:\WINDOWS\system32\mbfjqejw.dll

C:\WINDOWS\system32\gnsptwjr.dll

C:\WINDOWS\system32\cwcjeibb.dll

C:\WINDOWS\system32\lswrhmth.dll

C:\WINDOWS\system32\ddcyvuu.dll

C:\Documents and Settings\Ricardo\iphist.dat

Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"Windows Printing Driver"=-

"NT Security Service"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyvuu]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96effd66-691a-4633-a98e-3057140aeb47}]

WARNING: The script above was written specifically for the infection on this computer. Using it on another machine could cause the user serious problems.

2. Save the file as CFScript.txt;

3. Drag the CFScript.txt file onto ComboFix.exe;

4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply.

Regards.

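The helper's reply above does two things by hand: it reads the HijackThis/ComboFix logs for entries that do not belong (a BHO whose "name" is only a CLSID and whose module is a random-looking DLL in system32, a Winlogon Notify hook whose file is missing, Run values under Policies\Explorer), and it turns those hits into a ComboFix CFScript with a `File::` section of paths and a `Registry::` section where `[-KEY]` deletes a key and `"name"=-` deletes a value. The script below is an added example, not code from this thread or from the HijackThis or ComboFix authors, that automates that triage and drafts the script in the same layout. The sample log lines are constructed to mirror the thread's entries, the indicator weights and the `KNOWN_GOOD` allowlist are my own assumptions, and the registry key paths are the standard Windows locations behind the `~`-abbreviated keys in the ComboFix log. Treat the output as a draft for a human to review, exactly as the helper's warning says.

```python
"""Triage a HijackThis log and draft a ComboFix CFScript from the hits."""
import re

# Constructed sample, shaped like the HijackThis v1.99.1 lines in the thread.
# It mixes entries that should be flagged with benign ones that must not be.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {74bea041-7503-e89a-3364-a19666dffe69} - {96effd66-691a-4633-a98e-3057140aeb47} - C:\WINDOWS\system32\ralawvex.dll
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Policies\Explorer\Run: [NT Security Service] NTSecurity.exe
O20 - Winlogon Notify: ddcyvuu - ddcyvuu.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\"\r\n]*?\\)*[^\\"\s]+\.(?:dll|exe|sys)', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}$")  # shape of the module names seen in the thread
# Assumed allowlist: legitimate system32 modules whose names happen to have that shape.
KNOWN_GOOD = {"browseui", "shdocvw", "wininet", "shlwapi", "shimeng", "msvcrt"}


def parse_line(line):
    """Return (section, body) for an HJT entry such as 'O2 - BHO: ...', else None."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def score_entry(section, body):
    """Return [(weight, reason)] for the indicators present in one entry.
    Weights are my own assumption: 2 for indicators suspicious on their own,
    1 for indicators that need corroboration from another one."""
    reasons = []
    if section == "O2" and GUID_RE.match(body.split("BHO: ", 1)[-1]):
        reasons.append((2, "BHO registered with a CLSID instead of a display name"))
    if section == "O4" and "Policies\\Explorer\\Run" in body:
        reasons.append((2, "autostart via Policies\\Explorer\\Run"))
    if section == "O20":
        reasons.append((1, "Winlogon Notify hook"))
    if "(file missing)" in body:
        reasons.append((1, "registered file is missing on disk"))
    for path in PATH_RE.findall(body):
        base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in path.lower() and RANDOM_NAME_RE.match(base) and base not in KNOWN_GOOD:
            reasons.append((1, f"random-looking module name in system32: {path}"))
    return reasons


def triage(log_text, threshold=2):
    """Return [(section, body, reasons)] for entries whose weights reach threshold."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        scored = score_entry(section, body)
        if sum(w for w, _ in scored) >= threshold:
            findings.append((section, body, [r for _, r in scored]))
    return findings


def build_cfscript(findings):
    """Render File:: and Registry:: sections in the layout the helper used:
    '[-KEY]' deletes a key, '"name"=-' deletes a value under the preceding key."""
    files, reg = [], []
    for section, body, _ in findings:
        files.extend(PATH_RE.findall(body))
        if section == "O2":
            clsid = GUID_RE.findall(body)[-1]  # HJT O2 layout: name - {CLSID} - path
            reg.append("[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                       "\\Explorer\\Browser Helper Objects\\" + clsid + "]")
        elif section == "O20":
            name = body.split("Winlogon Notify: ", 1)[1].split(" - ", 1)[0]
            reg.append("[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                       "\\Winlogon\\Notify\\" + name + "]")
        elif section == "O4" and "Policies\\Explorer\\Run" in body:
            hive = "HKEY_CURRENT_USER" if body.startswith("HKCU") else "HKEY_LOCAL_MACHINE"
            value = re.search(r"\[(.+?)\]", body).group(1)
            reg.append("[" + hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run]")
            reg.append('"' + value + '"=-')
    out = []
    if files:
        out += ["File::", *files]
    if reg:
        out += ["Registry::", *reg]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for section, body, reasons in hits:
        print(f"{section}: {body}\n    " + "; ".join(reasons))
    print()
    print(build_cfscript(hits))
```

Run as a script it prints the three flagged entries with their reasons, then a CFScript deleting ralawvex.dll, the CLSID-only BHO key, the `NT Security Service` value under the user's Policies\Explorer\Run, and the `ddcyvuu` Notify key; the Spybot BHO, the Avira Run entry and the NVIDIA service score zero and are left alone. A bare filename in a Run value (as with `NTSecurity.exe` here) cannot be resolved from the log alone, which is why the helper listed `C:\WINDOWS\system32\NTSecurity.exe` explicitly; the script only emits paths it actually saw.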

Here is the ComboFix log :)

 

ComboFix 08-03-23.2 - Ricardo 2008-03-29 20:18:26.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.204 [GMT -3:00]

Running from: E:\Ricardo\ComboFix.exe

Command switches used :: E:\Ricardo\CFScript.txt

* A new restore point was created

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\Documents and Settings\Ricardo\iphist.dat

C:\WINDOWS\system32\cwcjeibb.dll

C:\WINDOWS\system32\ddcyvuu.dll

C:\WINDOWS\system32\gnsptwjr.dll

C:\WINDOWS\system32\htmohetc.VIR000

C:\WINDOWS\system32\iantoqra.dll

C:\WINDOWS\system32\jgparigj.dll

C:\WINDOWS\system32\lswrhmth.dll

C:\WINDOWS\system32\lysymlpa.dll

C:\WINDOWS\system32\mbfjqejw.dll

C:\WINDOWS\system32\NTSecurity.exe

C:\WINDOWS\system32\NTSpool.exe

C:\WINDOWS\system32\nudsfekt.VIR

C:\WINDOWS\system32\olvlocgm.dll

C:\WINDOWS\system32\ralawvex.dll

C:\WINDOWS\system32\rar.exe

C:\WINDOWS\system32\tgsajqir.dll

C:\WINDOWS\system32\WinPrint.exe

C:\WINDOWS\system32\xahmtrum.dll

C:\WINDOWS\system32\xddsxvae.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Ricardo\iphist.dat

C:\WINDOWS\system32\cwcjeibb.dll

C:\WINDOWS\system32\gnsptwjr.dll

C:\WINDOWS\system32\htmohetc.VIR000

C:\WINDOWS\system32\iantoqra.dll

C:\WINDOWS\system32\jgparigj.dll

C:\WINDOWS\system32\lswrhmth.dll

C:\WINDOWS\system32\lysymlpa.dll

C:\WINDOWS\system32\mbfjqejw.dll

C:\WINDOWS\system32\NTSpool.exe

C:\WINDOWS\system32\nudsfekt.VIR

C:\WINDOWS\system32\olvlocgm.dll

C:\WINDOWS\system32\ralawvex.dll

C:\WINDOWS\system32\rar.exe

C:\WINDOWS\system32\tgsajqir.dll

C:\WINDOWS\system32\xahmtrum.dll

C:\WINDOWS\system32\xddsxvae.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))

.

 

2008-03-29 00:07 . 2008-03-29 00:07 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Vbox

2008-03-27 14:05 . 2008-03-27 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DFX

2008-03-27 14:05 . 2008-03-27 14:05 <DIR> d-------- C:\Arquivos de programas\DFX

2008-03-27 14:04 . 2008-03-27 14:04 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard

2008-03-24 15:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-03-24 15:03 . 2008-03-24 15:05 <DIR> d-------- C:\Arquivos de programas\Java

2008-03-24 15:01 . 2008-03-24 15:01 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Java

2008-03-24 14:54 . 2008-03-24 14:54 <DIR> d-------- C:\Arquivos de programas\Programas RFB

2008-03-24 12:43 . 2008-03-24 12:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2008-03-24 12:43 . 2008-03-24 12:43 <DIR> d-------- C:\Documents and Settings\Ricardo\Configurações locais

2008-03-24 12:43 . 2008-03-24 12:43 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais

2008-03-24 12:43 . 2008-03-24 12:43 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais

2008-03-16 12:55 . 2008-03-24 13:02 <DIR> d-------- C:\Hijack

2008-03-16 11:43 . 2008-03-16 11:43 <DIR> d-------- C:\Arquivos de programas\IObit

2008-03-08 12:00 . 2008-03-08 13:54 1,113 --a------ C:\WINDOWS\wininit.ini

2008-03-08 11:21 . 2008-03-08 11:20 691,545 --a------ C:\WINDOWS\unins000.exe

2008-03-08 11:21 . 2008-03-08 11:21 2,555 --a------ C:\WINDOWS\unins000.dat

2008-03-07 23:38 . 2008-03-08 14:03 <DIR> d-------- C:\WINDOWS\RagnaPROJECT

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-29 18:07 --------- d-----w C:\Arquivos de programas\eMule

2008-03-28 16:33 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\uTorrent

2008-03-22 20:17 --------- d-----w C:\Arquivos de programas\MegaCubo

2008-03-16 14:16 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-03-08 15:01 --------- d-----w C:\Arquivos de programas\AdVantage

2008-03-08 14:25 --------- d-----w C:\Arquivos de programas\Spybot - Search & Destroy

2008-02-27 02:17 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer

2008-02-27 02:17 --------- d-----w C:\Arquivos de programas\QuickTime Alternative

2008-02-26 20:43 --------- d-----w C:\Arquivos de programas\Apple Software Update

2008-02-26 20:42 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Apple

2008-02-25 05:49 --------- d-----w C:\Arquivos de programas\The 7 Deadly Sins

2008-02-21 15:12 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-02-21 15:10 --------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

2008-02-20 16:22 --------- d-----w C:\Arquivos de programas\Microsoft.NET

2008-02-20 02:46 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft Help

2008-02-12 12:10 --------- d-----w C:\Arquivos de programas\DAEMON Tools Lite

2008-02-11 16:01 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\iolo

2008-02-11 15:58 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\iolo

2008-02-11 15:57 --------- d-----w C:\Documents and Settings\LocalService\Dados de aplicativos\iolo

2008-02-11 15:56 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll

2008-02-11 15:53 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\protejaseudrive

2008-02-09 20:43 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\BSplayer

2008-02-09 15:42 --------- d-----w C:\Documents and Settings\Ricardo\Dados de aplicativos\BSplayer Pro

2008-02-09 15:42 --------- d-----w C:\Arquivos de programas\Webteh

2008-02-09 15:17 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack

2008-02-08 21:41 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-02-08 21:25 --------- d-----w C:\Arquivos de programas\VS Revo Group

2008-02-08 16:27 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Avira

2008-02-08 16:27 --------- d-----w C:\Arquivos de programas\Avira

2008-02-08 11:00 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Skype

2008-02-08 04:43 --------- d-----w C:\Arquivos de programas\HP

2008-02-08 02:51 --------- d-----w C:\Arquivos de programas\Marcos Velasco Security

2008-02-07 23:48 --------- d-----w C:\Arquivos de programas\CCleaner

2008-02-05 01:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\nView_Profiles

2008-01-31 21:13 --------- d-----w C:\Arquivos de programas\NGONVOD29792

2008-01-10 15:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll

2008-01-10 15:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-03-24_12.43.36.25 )))))))))))))))))))))))))))))))))))))))))

.

- 2006-10-19 02:45:48 40,960 -c--a-r C:\WINDOWS\Installer\{8220C40F-AA38-4752-978F-6198328B1C20}\NewShortcut2_8220C40FAA384752978F6198328B1C20.exe

+ 2008-03-29 03:07:54 40,960 ----a-r C:\WINDOWS\Installer\{8220C40F-AA38-4752-978F-6198328B1C20}\NewShortcut2_8220C40FAA384752978F6198328B1C20.exe

- 2006-10-19 02:45:48 40,960 -c--a-r C:\WINDOWS\Installer\{8220C40F-AA38-4752-978F-6198328B1C20}\NewShortcut3_8220C40FAA384752978F6198328B1C20.exe

+ 2008-03-29 03:07:54 40,960 ----a-r C:\WINDOWS\Installer\{8220C40F-AA38-4752-978F-6198328B1C20}\NewShortcut3_8220C40FAA384752978F6198328B1C20.exe

+ 2008-02-22 04:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe

+ 2008-02-22 04:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe

+ 2008-02-22 05:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-08-03 23:56 1667584]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinLogT"="C:\WINDOWS\WinLogT.exe" [2006-03-30 14:45 500224]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-12-21 10:29 7774208]

"avgnt"="C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-08 14:28 249896]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

 

C:\Documents and Settings\Ricardo\Menu Iniciar\Programas\Inicializar\

MemTurbo.lnk - C:\Arquivos de programas\Memturbo 4\MemTurbo.exe [2007-11-03 11:29:39 2341376]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Software Kodak EasyShare.lnk]

backup=C:\WINDOWS\pss\Software Kodak EasyShare.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Ricardo^Menu Iniciar^Programas^Inicializar^hamachi.lnk]

backup=C:\WINDOWS\pss\hamachi.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a8192597]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

--a------ 2007-11-05 11:12 884176 C:\Arquivos de programas\AdVantage\AdVantage.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a--c--- 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

--a------ 2007-12-29 09:05 486856 C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 241664 C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2006-12-21 10:29 1622016 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2005-06-20 10:42 77824 C:\WINDOWS\SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-01-28 11:43 2097488 C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"E:\\Ricardo\\utorrent.exe"=

"C:\\Arquivos de programas\\uTorrent\\utorrent.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\The 7 Deadly Sins\\mirc.exe"=

"E:\\Ricardo\\Jogos\\Warcraft\\Warcraft III\\Warcraft III.exe"=

"E:\\Ricardo\\Jogos\\Warcraft\\Warcraft III\\lancraft.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\MegaCubo\\megacubo.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"23687:TCP"= 23687:TCP:BitComet 23687 TCP

"23687:UDP"= 23687:UDP:BitComet 23687 UDP

 

S0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys []

 

*Newly Created Service* - NPKCRYPT

.

Conteúdo da pasta 'Tarefas Agendadas'

"2008-03-29 18:35:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-29 20:20:36

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-03-29 20:21:12

ComboFix-quarantined-files.txt 2008-03-29 23:20:55

ComboFix2.txt 2008-03-24 15:43:52

.

2008-02-11 16:14:05 --- E O F ---


Hey Ricardo_Olbrich,

 

Submit the files below, one by one, to the Jotti site:

 

C:\WINDOWS\system32\java.exe

C:\WINDOWS\system32\javaw.exe

C:\WINDOWS\system32\javaws.exe

 

... and come back with the results.

 

Cheers.


Hey Ricardo_Olbrich,

 

* Download VundoFix.

 

* Double-click VundoFix.exe to start it;

 

* When VundoFix opens, click Scan for Vundo. Wait for the scan to finish, which may take some time. Be patient;

 

* When the scan finishes, click Remove Vundo;

 

* You will get a prompt asking whether you want to remove the files. Click YES. Your desktop will go blank (this is normal);

 

* To complete the scan the machine will need to be restarted. Click OK;

 

* Please post the VundoFix log (C:\vundofix.txt) in your next reply, together with new ComboFix and HijackThis logs.

 

Cheers.


Topic Archived

 

Since the author has not replied for more than 20 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening.
