[Resolvido!]Kavo / Tavo

Leocarlos · Abril 12, 2008

Olá,

Como eu faço para excluir os malwares Tavo e Kavo do meu pc?

Meu LOG é:

Logfile of HijackThis v1.99.1

Scan saved at 17:57:33, on 12/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe

C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe

C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.20.18.1:3128

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Valeu!

DigRam · Abril 14, 2008

Bom Dia! Leocarlos

>@< Faça o download do ComboFix.

>@< Baixe-o para o Desktop!

>@< Desabilite as proteções residente de: antivírus,antispywares e Firewall.

>@< Feche todas as janelas e execute a ferramenta!

Caso aconteça a notificação de: Aplicativo Win32 inválido,delete a ferramenta e faça,novamente,o download.
Salve-a no Desktop,renomeada como: Kombo.exe

Ps: Nomeie durante o salvamento,e não após salvá-la!

>@< Abrirá a janela Auto Scan. Aguarde!

>@< Digite a opção para continuar e < Enter >

>@< Aguarde a conclusão! Durante o scan,evite tocar no mouse ou teclado!

-------------------------------------

>@< Poste o relatório: C:\ComboFix.txt,na sua resposta + Log do HJT,atualizado.

Abraços!

Leocarlos · Abril 15, 2008

Fiz o que você disse e não deu certo. O programa roda normalmente, porém ao invés de criar um arquivo chamado ComboFix.txt no meu c:\ ele criou duas pastas com os nomes de QooBox e ComboFix. Dentro da pasta ComboFix até tem uma arquivo chamado ComboFix.txt, porém o log que aparece lá é esse:

ComboFix 08-04-13.3 - Leocarlos Cosendey 2008-04-14 18:53:23.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1046.18.599 [GMT -3:00]

Executando de: C:\Documents and Settings\Leocarlos Cosendey\Desktop\Kombo.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

e nada mais. O que está acontecendo?

DigRam · Abril 15, 2008

Fiz o que você disse e não deu certo. O programa roda normalmente, porém ao invés de criar um arquivo chamado ComboFix.txt no meu c:\ ele criou duas pastas com os nomes de QooBox e ComboFix. Dentro da pasta ComboFix até tem uma arquivo chamado ComboFix.txt, porém o log que aparece lá é esse:

ComboFix 08-04-13.3 - Leocarlos Cosendey 2008-04-14 18:53:23.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1046.18.599 [GMT -3:00]

Executando de: C:\Documents and Settings\Leocarlos Cosendey\Desktop\Kombo.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

e nada mais. O que está acontecendo?

---------------------------------------

Opa! Leocarlos

>@< Delete: C:\Qoobox

---------------------------------------

>@< Mova o ComboFix.exe,para o Disco Local-C. >> Eis o caminho: C:\ComboFix.exe

>@< Reinicie o computador,em Modo de Segurança.

>@< Execute o ComboFix.exe,e poste o relatório. ( ComboFix.txt )

Abraços!

Leocarlos · Abril 16, 2008

Consegui. O Log é o seguinte:

ComboFix 08-04-15.1 - Leocarlos Cosendey 2008-04-15 21:50:07.1 - NTFSx86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1046.18.808 [GMT -3:00]

Executando de: C:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\WINDOWS\system32\kavo.exe

C:\WINDOWS\system32\kavo1.dll

C:\WINDOWS\system32\tavo.exe

C:\WINDOWS\system32\tavo0.dll

C:\WINDOWS\system32\tavo1.dll

.

((((((((((((((((((((((( Ficheiros criados de 2008-03-16 to 2008-04-16 ))))))))))))))))))))))))))))))))

.

2008-04-15 21:37 . 2008-04-15 21:37 1,770,165 --a------ C:\ComboFix.exe

2008-04-15 21:12 . 2008-04-15 21:43 117,642 -r-hs---- C:\c.com

2008-04-12 01:03 . 2008-04-13 22:47 <DIR> d-------- C:\Hijackthis

2008-04-12 00:40 . 2008-04-13 21:01 118,971 -r-hs---- C:\30ed3.exe

2008-04-11 19:38 . 2008-04-09 09:00 117,637 -r-hs---- C:\i.bat

2008-04-10 23:51 . 2008-04-10 23:51 <DIR> d-------- C:\Arquivos de programas\Programas RFB

2008-04-05 18:14 . 2008-04-06 10:58 42 --a------ C:\WINDOWS\webica.ini

2008-04-05 14:39 . 2008-04-05 14:39 <DIR> d-------- C:\WINDOWS\system32\Resource

2008-04-05 14:38 . 2008-04-05 14:38 <DIR> d-------- C:\Arquivos de programas\Citrix

2008-04-05 13:27 . 2008-04-05 13:35 <DIR> d-------- C:\Arquivos de programas\Windows Live Safety Center

2008-04-04 17:09 . 2008-03-29 15:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-04 17:09 . 2008-03-29 15:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-03 20:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-04-03 20:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll

2008-04-03 20:23 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-04-02 21:13 . 2008-04-02 21:13 <DIR> d-------- C:\Documents and Settings\Leocarlos Cosendey\Dados de aplicativos\Citrix

2008-04-02 21:11 . 2008-04-05 14:40 <DIR> d-------- C:\Documents and Settings\Leocarlos Cosendey\Dados de aplicativos\ICAClient

2008-04-02 20:11 . 2008-04-02 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

2008-04-02 20:11 . 2008-04-02 20:12 <DIR> d-------- C:\Arquivos de programas\Windows Live

2008-04-02 20:11 . 2008-04-02 20:11 <DIR> d--hsc--- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller

2008-03-30 14:31 . 2004-08-04 00:45 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll

2008-03-30 14:31 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys

2008-03-30 14:31 . 2001-09-05 23:50 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

2008-03-20 05:09 . 2008-03-20 05:09 1,845,376 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-16 00:46 148,100 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-04-16 00:46 12,603,424 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-04-16 00:40 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

2008-04-16 00:40 --------- d-----w C:\Arquivos de programas\GbPlugin

2008-04-13 02:05 --------- d-----w C:\Arquivos de programas\eMule

2008-04-06 04:55 --------- d-----w C:\Documents and Settings\Leocarlos Cosendey\Dados de aplicativos\Skype

2008-04-02 23:13 --------- d-----w C:\Arquivos de programas\MSN Messenger

2008-03-29 18:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe

2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2008-03-29 18:23 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-11 23:29 --------- d-----w C:\Arquivos de programas\Unity

2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:37 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-01-20 12:49 1,916,416 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp

2008-01-03 23:19 1,897,984 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp

2007-11-14 02:01 618,496 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp

2007-10-11 16:44 20,794,624 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_08_12_07_10_full.dmp.zip

2007-10-07 07:56 3,713,536 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp

2007-10-07 07:51 1,769,472 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp

2007-10-01 23:55 2,751,966 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2007-05-01 05:30 1,378,816 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp

2007-05-01 05:27 1,378,816 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp

2007-04-03 21:21 61,376 ----a-w C:\Documents and Settings\Leocarlos Cosendey\Dados de aplicativos\GDIPFONTCACHEV1.DAT

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]

2007-12-20 19:36 262144 --a------ C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-20 19:36 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-20 19:36 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]

"WMPNSCFG"="C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:32 204288]

"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 15:05 919016]

"SynTPLpr"="C:\Arquivos de programas\Synaptics\SynTP\SynTPLpr.exe" [2004-05-06 18:49 98304]

"SynTPEnh"="C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2004-05-06 18:49 536576]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]

"SMSERIAL"="sm56hlpr.exe" [2005-12-01 12:16 557056 C:\WINDOWS\sm56hlpr.exe]

"Silent Mode"="C:\Arquivos de programas\Silent Mode\SilentMode.exe" [2006-04-20 10:50 151552]

"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 07:49 15691264 C:\WINDOWS\RTHDCPL.EXE]

"RoxioDragToDisc"="C:\Arquivos de programas\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-09-25 00:37 1691648]

"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 21:57 30208]

"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 10:09 49152]

"IntelZeroConfig"="C:\Arquivos de programas\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]

"IntelWireless"="C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 11:39 94208]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 11:40 118784]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 11:36 77824]

"EOUApp"="C:\Arquivos de programas\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 12:00 569413]

"AVGINST"="C:\sw_util\avg70\instala.exe" [2004-12-16 14:51 24576]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 15:37 79224]

"Apoint"="C:\Arquivos de programas\Apoint2K\Apoint.exe" [2003-12-03 19:22 159744]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-26 21:59:07 113664]

Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]

AutoCAD Startup Accelerator.lnk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart17.exe [2006-03-05 03:43:54 11000]

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\ARQUIV~1\GbPlugin\gbiehabn.dll [2008-03-31 14:01 367016]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [2007-12-03 15:30 347976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]

C:\Arquivos de programas\GbPlugin\gbiehabn.dll 2008-03-31 14:01 367016 C:\Arquivos de programas\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GbPlugin\gbieh.dll 2007-12-03 15:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginAbn]

C:\Arquivos de programas\GbPlugin\gbiehabn.dll 2008-03-31 14:01 367016 C:\Arquivos de programas\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-13 09:22]

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 15:31]

S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 15:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d8ab0f0-bea1-11dc-905e-001302442ea4}]

\Shell\AutoRun\command - E:\EXPLORER.EXE

\Shell\explore\Command - E:\EXPLORER.EXE

\Shell\open\Command - E:\EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a2b3f06-0815-11dd-90e1-001302442ea4}]

\Shell\AutoRun\command - E:\i.bat

\Shell\explore\Command - E:\i.bat

\Shell\open\Command - E:\i.bat

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-15 22:00:27

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-04-15 22:01:42

ComboFix-quarantined-files.txt 2008-04-16 01:01:37

Pre-Run: 36,244,930,560 bytes disponíveis

Post-Run: 38,388,948,992 bytes disponíveis

.

2008-04-12 17:24:27 --- E O F ---

Abraços,

Consegui. O Log criado foi: