[Arquivado] Problemas com vírus...

dre_carbonyc · Abril 10, 2008

Olá a todos...

Estou com esse problema em alguns pcs:

Dois arquivos (arquivos.exe e program.exe) estão infectando alguns pcs que utilizo.

Infectam qualquer mídia removível que eu colocar no pc, e assim vão passando pra outros pcs que utilizo...

No meu esses dois arquivos estão alojados na partição D:\

Já tentei excluí-los de várias formas, inclusive com o KillBox, porém sempre voltam como se nunca tivessem sido apagados.

A única anormalidade no pc que percebi depois de estar infectado é o fato de que, sempre que inicio o sistema, o firewall do Windows XP está desativado!

Segue o log:

Logfile of HijackThis v1.99.1

Scan saved at 00:23:36, on 10/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20733)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\winpos.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\vsnpstd.exe

C:\Arquivos de programas\VMware\VMware Player\hqtray.exe

C:\windows\system32\hcvuk.exe

C:\windows\hrzez.exe

C:\windows\system\nvurw.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe

C:\windows\inf\cjjlg.exe

C:\arquivos de programas\arquivos comuns\keqaw.exe

C:\windows\config\amqub.exe

C:\windows\system32\yntib.exe

C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe

C:\Arquivos de programas\Eset\nod32krn.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exe

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [winpos] C:\WINDOWS\winpos.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [VMware hqtray] "C:\Arquivos de programas\VMware\VMware Player\hqtray.exe"

O4 - HKLM\..\Run: [tDefault] c:\windows\system32\hcvuk.exe

O4 - HKLM\..\Run: [settings] c:\windows\hrzez.exe

O4 - HKLM\..\Run: [systemT] c:\windows\system\nvurw.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sidebar] C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe /autoRun

O4 - HKCU\..\Run: [RSetting] c:\windows\inf\cjjlg.exe

O4 - HKCU\..\Run: [userTools] c:\arquivos de programas\arquivos comuns\keqaw.exe

O4 - HKCU\..\Run: [CheckS] c:\windows\config\amqub.exe

O4 - HKCU\..\Run: [DeviceSys] c:\windows\system32\yntib.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205901460296

O17 - HKLM\System\CCS\Services\Tcpip\..\{7B9D5B1D-4A61-42C6-8589-1227E5B0343D}: NameServer = 200.165.132.154 200.149.55.140

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

Ajudem por favor!

DigRam · Abril 10, 2008

Boa Tarde! dre_carbonyc

>@< Faça o download do ComboFix.

>@< Baixe-o para o Desktop!

>@< Desabilite as proteções residente de: antivírus,antispywares e Firewall.

>@< Feche todas as janelas e execute a ferramenta!

Caso aconteça a notificação de: Aplicativo Win32 inválido,delete a ferramenta e faça,novamente,o download.
Salve-a no Desktop,renomeada como: Kombo.exe

Ps: Nomeie durante o salvamento,e não após salvá-la!

>@< Abrirá a janela Auto Scan. Aguarde!

>@< Digite a opção para continuar e < Enter >

>@< Aguarde a conclusão! Durante o scan,evite tocar no mouse ou teclado!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

>@< Poste o relatório: C:\ComboFix.txt,na sua resposta + Log do HJT,atualizado.

Abraços!

dre_carbonyc · Abril 11, 2008

Opa, beleza cara...

Seguem os logs:

ComboFix 08-04-10.7 - ApoLLo 2008-04-10 23:53:00.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.150 [GMT -3:00]

Executando de: C:\Documents and Settings\ApoLLo\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

D:\Autorun.inf

.

((((((((((((((((((((((( Ficheiros criados de 2008-03-11 to 2008-04-11 ))))))))))))))))))))))))))))))))

.

2008-04-10 00:23 . 2008-04-10 00:23 <DIR> d-------- C:\HijackThis

2008-04-06 14:06 . 2008-04-06 14:10 <DIR> d-------- C:\Arquivos de programas\mupen64 0.5

2008-04-05 14:34 . 2008-04-05 14:34 131,072 -r-hs---- C:\WINDOWS\system32\yntib.exe

2008-04-05 14:34 . 2008-04-05 14:34 131,072 -r-hs---- C:\WINDOWS\system32\hcvuk.exe

2008-04-05 14:34 . 2008-04-05 14:34 131,072 -r-hs---- C:\WINDOWS\system\nvurw.exe

2008-04-05 14:34 . 2008-04-05 14:34 131,072 -r-hs---- C:\WINDOWS\hrzez.exe

2008-04-05 14:34 . 2008-04-05 14:34 131,072 -r-hs---- C:\Arquivos de programas\Arquivos comuns\keqaw.exe

2008-03-30 14:25 . 2008-03-30 14:25 <DIR> d-------- C:\Documents and Settings\ApoLLo\Dados de aplicativos\Media Player Classic

2008-03-29 00:36 . 2008-03-29 00:36 230,424 --a------ C:\img1-001.raw

2008-03-26 22:24 . 2008-03-26 22:24 <DIR> d--h----- C:\WINDOWS\PIF

2008-03-24 00:16 . 2008-03-29 15:07 <DIR> d-------- C:\Documents and Settings\ApoLLo\Dados de aplicativos\VMware

2008-03-24 00:14 . 2008-04-10 23:37 <DIR> d-------- C:\Documents and Settings\LocalService\Dados de aplicativos\VMware

2008-03-24 00:12 . 2007-10-08 09:22 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll

2008-03-24 00:12 . 2007-10-08 09:22 150,064 --a------ C:\WINDOWS\system32\vmnat.exe

2008-03-24 00:12 . 2007-10-08 09:22 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe

2008-03-24 00:12 . 2007-10-08 08:31 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll

2008-03-24 00:12 . 2007-10-08 08:31 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys

2008-03-24 00:12 . 2007-10-08 09:22 25,008 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys

2008-03-24 00:12 . 2007-10-08 09:22 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys

2008-03-24 00:12 . 2007-10-08 08:31 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys

2008-03-24 00:12 . 2007-10-08 08:31 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys

2008-03-24 00:12 . 2007-10-08 08:31 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll

2008-03-24 00:11 . 2008-04-10 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\VMware

2008-03-24 00:11 . 2008-03-24 00:11 <DIR> d-------- C:\Arquivos de programas\VMware

2008-03-24 00:11 . 2008-03-24 00:11 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\VMware

2008-03-23 13:10 . 2008-03-23 13:10 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Adobe

2008-03-22 11:23 . 2008-03-22 11:23 <DIR> d-------- C:\Arquivos de programas\K-Lite Codec Pack

2008-03-22 11:22 . 2008-03-22 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer

2008-03-22 11:22 . 2008-03-22 11:22 <DIR> d-------- C:\Arquivos de programas\QuickTime Alternative

2008-03-22 11:22 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-03-22 11:22 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-03-21 14:20 . 2008-03-21 14:20 <DIR> d-------- C:\Documents and Settings\ApoLLo\Dados de aplicativos\DivX

2008-03-20 20:23 . 2008-03-20 20:23 <DIR> d-------- C:\Arquivos de programas\PluginLetras

2008-03-20 19:37 . 2008-04-10 23:06 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-03-20 18:18 . 2008-03-20 18:18 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\snpstd

2008-03-20 18:18 . 2005-04-20 17:34 61,440 --a------ C:\WINDOWS\system32\rsnpstd.dll

2008-03-20 16:07 . 2005-04-26 14:06 390,784 --a------ C:\WINDOWS\system32\drivers\snpstd.sys

2008-03-20 16:07 . 2004-06-10 13:48 286,720 --a------ C:\WINDOWS\vsnpstd.exe

2008-03-20 16:07 . 2004-02-16 13:59 61,440 --a------ C:\WINDOWS\system32\csnpstd.dll

2008-03-20 16:07 . 2004-05-06 11:22 53,248 --a------ C:\WINDOWS\system32\dsnpstd.dll

2008-03-20 16:07 . 2005-04-20 17:16 36,864 --a------ C:\WINDOWS\system32\vsnpstd.dll

2008-03-20 16:07 . 2005-04-20 16:57 36,864 --a------ C:\WINDOWS\system32\dsnpstd.ax

2008-03-20 16:07 . 2005-02-01 19:29 20,480 --a------ C:\WINDOWS\usnpstd.exe

2008-03-20 16:07 . 2003-01-17 17:34 15,541 --a------ C:\WINDOWS\snpstd.ini

2008-03-20 16:07 . 2003-01-17 17:35 13,023 --a------ C:\WINDOWS\snpstd.src

2008-03-20 16:05 . 2008-03-20 17:47 <DIR> d-------- C:\Arquivos de programas\Windows Sidebar

2008-03-20 15:45 . 2008-03-20 15:45 <DIR> d-------- C:\Arquivos de programas\LizardTech

2008-03-20 15:44 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe

2008-03-20 15:08 . 2005-06-20 23:09 18,751,488 -ra------ C:\WINDOWS\system32\ALSNDMGR.CPL

2008-03-20 15:08 . 2005-06-20 10:39 9,410,048 -ra------ C:\WINDOWS\system32\RTLCPL.EXE

2008-03-20 15:08 . 2005-06-20 11:08 2,324,480 -ra------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2008-03-20 15:08 . 2004-09-07 03:23 156,672 -ra------ C:\WINDOWS\system32\RTLCPAPI.dll

2008-03-20 15:08 . 2002-02-05 02:54 141,016 -ra------ C:\WINDOWS\system32\ALSNDMGR.WAV

2008-03-20 15:08 . 2005-06-20 10:42 77,824 -ra------ C:\WINDOWS\SOUNDMAN.EXE

2008-03-20 14:50 . 2004-12-29 02:57 17,505 -ra------ C:\DBI.EXE

2008-03-20 14:45 . 2008-03-20 14:45 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Nero

2008-03-20 14:44 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll

2008-03-20 14:44 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

2008-03-20 14:43 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll

2008-03-20 14:43 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll

2008-03-20 14:43 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll

2008-03-20 14:43 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll

2008-03-20 14:43 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe

2008-03-20 14:41 . 2008-03-20 14:41 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Ahead

2008-03-20 14:41 . 2008-03-20 14:44 <DIR> d-------- C:\Arquivos de programas\Ahead

2008-03-20 13:58 . 2008-03-29 00:57 <DIR> d-------- C:\Documents and Settings\ApoLLo\Dados de aplicativos\uTorrent

2008-03-20 13:58 . 2008-03-20 13:58 <DIR> d-------- C:\Arquivos de programas\uTorrent

2008-03-20 13:55 . 2008-03-20 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Messenger Plus!

2008-03-20 13:48 . 2008-03-20 13:48 <DIR> d-------- C:\Arquivos de programas\Messenger Plus! Live

2008-03-20 13:42 . 2008-03-20 13:42 <DIR> d-------- C:\Arquivos de programas\MessengerPlus! 3

2008-03-20 13:37 . 2008-03-20 13:37 <DIR> d-------- C:\Arquivos de programas\DivX

2008-03-20 13:24 . 2008-03-20 13:24 <DIR> d-------- C:\Arquivos de programas\CCleaner

2008-03-20 13:23 . 2008-03-20 13:23 <DIR> d-------- C:\Documents and Settings\ApoLLo\Dados de aplicativos\Lavasoft

2008-03-20 13:23 . 2008-03-20 13:23 <DIR> d-------- C:\Arquivos de programas\Lavasoft

2008-03-20 12:49 . 2008-04-07 14:03 184 --a------ C:\WINDOWS\LEXSTAT.INI

2008-03-20 12:14 . 2005-11-25 14:39 203,776 --a------ C:\WINDOWS\system32\drivers\vinyl97.sys

2008-03-20 11:46 . 2008-03-20 11:46 <DIR> d-------- C:\Arquivos de programas\AIDA32 - Network System Information

2008-03-20 11:36 . 2006-06-14 05:50 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys

2008-03-20 11:36 . 2006-02-14 21:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys

2008-03-20 11:36 . 2006-06-14 06:17 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys

2008-03-20 11:36 . 2004-08-03 23:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys

2008-03-20 11:36 . 2001-08-17 22:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys

2008-03-20 11:36 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys

2008-03-20 11:36 . 2006-06-14 05:50 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys

2008-03-20 11:36 . 2004-08-03 23:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys

2008-03-20 11:35 . 2004-08-03 23:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys

2008-03-20 11:35 . 2004-08-03 22:32 84,480 --a------ C:\WINDOWS\system32\drivers\ac97via.sys

2008-03-20 11:35 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys

2008-03-20 11:24 . 2001-08-17 21:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys

2008-03-20 11:05 . 2007-09-02 14:27 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-03-20 11:05 . 2007-09-02 14:27 1,024,000 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-03-20 04:57 . 2008-03-20 04:57 1,846,016 --------- C:\WINDOWS\system32\dllcache\win32k.sys

2008-03-19 21:37 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS

2008-03-19 21:37 . 2004-08-04 00:45 16,384 --a------ C:\WINDOWS\system32\ipsink.ax

2008-03-19 21:37 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys

2008-03-19 21:37 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys

2008-03-19 21:37 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys

2008-03-19 21:37 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys

2008-03-19 21:13 . 2002-07-03 11:44 53,248 --a------ C:\WINDOWS\amcap.exe

2008-03-19 21:07 . 2008-03-20 18:18 <DIR> d--h----- C:\Arquivos de programas\InstallShield Installation Information

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-08 20:54 --------- d-----w C:\Arquivos de programas\eMule

2008-04-05 17:34 131,072 --sh--r C:\WINDOWS\inf\cjjlg.exe

2008-03-20 07:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-19 03:33 --------- d-----w C:\Arquivos de programas\Velox

2008-03-19 03:19 --------- d-----w C:\Arquivos de programas\Siemens Subscriber Networks

2008-03-19 03:08 --------- d-----w C:\Arquivos de programas\MSXML 6.0

2008-03-19 03:08 --------- d-----w C:\Arquivos de programas\MSXML 4.0

2008-03-19 03:06 --------- d-----w C:\Arquivos de programas\Serviços on-line

2008-03-19 03:05 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Serviços

2008-03-19 03:04 --------- d-----w C:\Arquivos de programas\Windows Media Connect 2

2008-02-21 02:05 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-02-21 02:05 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2008-02-21 02:05 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys

2008-02-21 02:05 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-02-21 02:05 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2008-02-21 02:05 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-02-21 02:05 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll

2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2008-02-20 18:50 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 18:50 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 06:53 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:53 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:20 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-01-11 05:54 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-21 18:40 15360]

"Sidebar"="C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe" [2008-03-20 17:47 1249280]

"RSetting"="c:\windows\inf\cjjlg.exe" [2008-04-05 14:34 131072]

"UserTools"="c:\arquivos de programas\arquivos comuns\keqaw.exe" [2008-04-05 14:34 131072]

"CheckS"="c:\windows\config\amqub.exe" [2008-04-05 14:34 131072]

"DeviceSys"="c:\windows\system32\yntib.exe" [2008-04-05 14:34 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"winpos"="C:\WINDOWS\winpos.exe" [2004-08-28 03:41 110592]

"GrooveMonitor"="C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

"nod32kui"="C:\Arquivos de programas\Eset\nod32kui.exe" [2008-03-19 02:50 949376]

"VTTimer"="VTTimer.exe" [2005-03-07 16:33 53248 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2005-03-11 06:33 147456 C:\WINDOWS\system32\VTTrayp.exe]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"SoundMan"="SOUNDMAN.EXE" [2005-06-20 10:42 77824 C:\WINDOWS\SOUNDMAN.EXE]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 13:48 286720]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"VMware hqtray"="C:\Arquivos de programas\VMware\VMware Player\hqtray.exe" [2007-10-08 09:21 55856]

"tDefault"="c:\windows\system32\hcvuk.exe" [2008-04-05 14:34 131072]

"Settings"="c:\windows\hrzez.exe" [2008-04-05 14:34 131072]

"SystemT"="c:\windows\system\nvurw.exe" [2008-04-05 14:34 131072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-21 18:40 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="regsvr32 /s /n /i:U shell32" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

-ra------ 2006-04-05 06:36 565248 C:\WINDOWS\sm56hlpr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Arquivos de programas\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\uTorrent\\utorrent.exe"=

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86bd5b8e-f760-11dc-814a-0013a3525f6c}]

\Shell\Auto\Command - program.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL program.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1ecb4d6-0246-11dd-8174-0013a3525f6c}]

\Shell\Auto\Command - G:\program.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL program.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc71b14d-f60a-11dc-813f-0013a3525f6c}]

\Shell\Auto\Command - G:\program.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL program.exe e

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-10 23:54:59

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-04-10 23:55:22

ComboFix-quarantined-files.txt 2008-04-11 02:55:17

Pre-Run: 10,065,473,536 bytes disponíveis

Post-Run: 10,058,104,832 bytes disponíveis

.

2008-04-10 05:12:20 --- E O F ---

________________________________________________________________________________

________________________________

Logfile of HijackThis v1.99.1

Scan saved at 00:04:02, on 11/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20733)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\winpos.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\vsnpstd.exe

C:\Arquivos de programas\VMware\VMware Player\hqtray.exe

C:\windows\system32\hcvuk.exe

C:\windows\hrzez.exe

C:\windows\system\nvurw.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe

C:\windows\inf\cjjlg.exe

C:\arquivos de programas\arquivos comuns\keqaw.exe

C:\windows\config\amqub.exe

C:\windows\system32\yntib.exe

C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe

C:\Arquivos de programas\Eset\nod32krn.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exe

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Arquivos de programas\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe