[Arquivado] WIN 32 CTX e Trojans

Enirak · Maio 2, 2008

Olá! Infelizmente abri um arquivo de vírus no meu e-mail do hotmail. Foi e-mail pra minha lista toda. Não consigo acesso no orkut, nem no ig, nem no yahoo (mails). O AVG (que eu estava usando) não detectou. Scaneei com alguns antivirus online, mas nada achavam, nem o bitdefender, nem o trend micro housecall. O ActiveScan da Panda nem rodou, fala que a minha versão do IE não é atualizada (mas ela é). Desinstalei o AVG, coloquei o AVAST e ele achou o vírus WIN32 CTX. Exclui três vezes o resultado, mas ele fica voltando.

Da última vez deu que o arquivo C:\system volume information\_restore{0517bcea-5669-4f97-ba59-ffb8971971b2}\rp80\a0026034.dll estava infectado. Coloquei o arquivo em quarentena. A primeira vez que passei o bit defender não deu nada, a segunda deu o log que eu posto abaixo, fiz a correção. Depois scaneei de novo com ele e não deu nada. Já rodei também o bankerfix, não melhorou. Postarei em seguida o log do HiJack This.

Uso o Search and Destroy, mas ele nunca acusa nada de errado.

O Adware V5.0 diz q o meu computador está com o : SPY ARSENAL AIMLHKEY_LOCAL_MACHINE\SYSTEM\CurrRegKey.

O Spydoctor acusa:

Adware.Advertising

Application. Tracking Cookies

Backdoor.Hupigon.MHP

Trojan-PWS.Bancos

Trojan-Spy.Delf.AZQ

Ajudem-me, por favor! Obrigada!!!

-------------------------------------------------------

BitDefender Online Scanner

Scan report generated at: Thu, May 01, 2008 - 14:44:11

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics

Time

01:02:52

Files

309729

Folders

3225

Boot Sectors

4

Archives

1021

Packed Files

6280

Results

Identified Viruses

1

Infected Files

1

Suspect Files

0

Warnings

0

Disinfected

0

Deleted Files

1

Engines Info

Virus Definitions

1188934

Engine build

AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins

16

Archive plugins

42

Unpack plugins

7

E-mail plugins

6

System plugins

5

Scan Settings

First Action

Disinfect

Second Action

Delete

Heuristics

Yes

Enable Warnings

Yes

Scanned Extensions

*;

Exclude Extensions

Scan Emails

Yes

Scan Archives

Yes

Scan Packed

Yes

Scan Files

Yes

Scan Boot

Yes

Scanned File

Status

C:\System Volume Information\_restore{0517BCEA-5669-4F97-BA59-FFB8971971B2}\RP76\A0024890.dll

Infected with: Generic.Banker.Delf.5A47CC3A

C:\System Volume Information\_restore{0517BCEA-5669-4F97-BA59-FFB8971971B2}\RP76\A0024890.dll

Disinfection failed

C:\System Volume Information\_restore{0517BCEA-5669-4F97-BA59-FFB8971971B2}\RP76\A0024890.dll

Deleted

-------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 19:36:24, on 1/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Administrador\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\IXP000.TMP\"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: BrOffice.org 2.3.lnk = C:\Arquivos de programas\BrOffice.org 2.3\program\quickstart.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: MyVitalAgent.lnk = C:\Arquivos de programas\INS\VitalAgent\Program\VtlAgent.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202683304234

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbiehAbn - C:\ARQUIV~1\GBPLUG~1\gbiehdst.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Ajudem-me, por favor! Obrigada!

Silas Martins · Maio 2, 2008

Baixe o ComboFix e salve na área de trabalho.

Feche todos os programas.

Clique duas vezes sobre combofix.exe e tecle (1) logo após aperte Enter para continuar.

O ComboFix irá reiniciar seu computador automaticamente, isto faz parte do processo de remoção.

Ao se encerrar, será gerado um log, que vai estar em C:\ComboFix.txt.

Atenção:

Não clique em nada enquanto o Combofix estiver rodando, Do contrário seu desktop ficará em branco.

Para parar o processo ou sair do ComboFix, tecle "2" e Enter.

Aguardo um novo log do HijackThis juntamente com o ComboFix.txt

Aguardo Retorno

Silas Martins · Maio 2, 2008

deletem o sistema bugou e gerou dois posts.

Enirak · Maio 6, 2008

Olá! Esse é o log do combo fix.

ComboFix 08-05-01.3 - Administrador 2008-05-06 13:36:18.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.47 [GMT -3:00]

Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((( Ficheiros criados de 2008-04-06 to 2008-05-06 ))))))))))))))))))))))))))))))))

.

2008-05-01 16:24 . 2008-05-01 17:42 121 --a------ C:\WINDOWS\bdagent.INI

2008-05-01 15:58 . 2008-05-06 00:23 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\NtUser.dat.LOG

2008-04-29 22:12 . 2008-04-29 22:18 <DIR> d-------- C:\LinhaDefensiva

2008-04-29 22:06 . 2008-04-29 22:06 180,719 --a------ C:\Arquivos de programas\bankerfix.exe

2008-04-29 18:17 . 2008-04-29 18:17 <DIR> d-------- C:\Arquivos de programas\Alwil Software

2008-04-29 17:43 . 2008-04-29 17:43 22,330,128 --a------ C:\Arquivos de programas\setuppor.exe

2008-04-29 13:16 . 2008-05-01 18:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2008-04-28 23:55 . 2008-04-28 23:53 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-04-28 23:52 . 2008-04-29 17:04 <DIR> d-------- C:\Documents and Settings\Administrador\.housecall6.6

2008-04-28 23:50 . 2008-04-28 23:50 <DIR> d-------- C:\WINDOWS\Sun

2008-04-28 23:49 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-04-28 23:47 . 2008-04-28 23:49 <DIR> d-------- C:\Arquivos de programas\Java

2008-04-28 23:39 . 2008-04-28 23:39 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Java

2008-04-27 23:12 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll

2008-04-27 23:11 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll

2008-04-27 23:11 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll

2008-04-27 23:11 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll

2008-04-27 23:11 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll

2008-04-27 23:11 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll

2008-04-27 23:11 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll

2008-04-27 23:11 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

2008-04-26 20:57 . 2008-04-26 20:57 244 --ah----- C:\sqmnoopt09.sqm

2008-04-26 20:57 . 2008-04-26 20:57 232 --ah----- C:\sqmdata09.sqm

2008-04-26 13:08 . 2008-04-26 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-04-26 13:08 . 2008-04-26 13:08 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy

2008-04-26 13:05 . 2008-04-26 13:05 9,722,720 --a------ C:\Arquivos de programas\spybotsd152.exe

2008-04-25 16:58 . 2008-04-27 23:09 <DIR> dr-h----- C:\$VAULT$.AVG

2008-04-24 20:20 . 2008-04-29 18:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-04-24 20:20 . 2008-04-24 20:20 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-04-24 20:20 . 2008-04-24 20:20 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-04-24 20:20 . 2008-04-24 20:20 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-04-24 17:37 . 2008-04-24 17:45 <DIR> d-------- C:\Arquivos de programas\Panda Security

2008-04-23 06:59 . 2008-04-27 23:09 <DIR> d-------- C:\Arquivos de programas\GbPluggin

2008-04-21 23:58 . 2008-04-21 23:58 <DIR> d-------- C:\Documents and Settings\Luciana\Dados de aplicativos\AVG7

2008-04-21 23:57 . 2005-05-17 23:27 <DIR> d--h----- C:\Documents and Settings\Luciana\Modelos

2008-04-21 23:57 . 2008-04-21 23:58 <DIR> dr------- C:\Documents and Settings\Luciana\Meus documentos

2008-04-21 23:57 . 2005-05-17 20:16 <DIR> dr------- C:\Documents and Settings\Luciana\Menu Iniciar

2008-04-21 23:57 . 2008-04-21 23:58 <DIR> dr------- C:\Documents and Settings\Luciana\Favoritos

2008-04-21 23:57 . 2008-04-21 23:58 <DIR> dr-h----- C:\Documents and Settings\Luciana\Dados de aplicativos

2008-04-21 23:57 . 2008-05-06 13:37 <DIR> d--h----- C:\Documents and Settings\Luciana\Configurações locais

2008-04-21 23:57 . 2005-05-17 20:16 <DIR> d--h----- C:\Documents and Settings\Luciana\Ambiente de rede

2008-04-21 23:57 . 2005-05-17 20:16 <DIR> d--h----- C:\Documents and Settings\Luciana\Ambiente de impressão

2008-04-21 23:57 . 2008-04-29 18:10 <DIR> d-------- C:\Documents and Settings\Luciana

2008-04-21 23:57 . 2008-05-06 00:51 1,024 --ah----- C:\Documents and Settings\Luciana\ntuser.dat.LOG

2008-04-21 20:49 . 2008-04-24 19:18 <DIR> d-------- C:\Arquivos de programas\Marcos Velasco Security

2008-04-21 20:43 . 2008-04-21 20:43 1,415,658 --a------ C:\Arquivos de programas\mvregclean55-br.zip

2008-04-21 20:21 . 2008-05-01 23:28 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-04-12 20:40 . 2008-04-12 20:40 244 --ah----- C:\sqmnoopt08.sqm

2008-04-12 20:40 . 2008-04-12 20:40 232 --ah----- C:\sqmdata08.sqm

2008-04-12 19:36 . 2008-04-12 19:36 244 --ah----- C:\sqmnoopt07.sqm

2008-04-12 19:36 . 2008-04-12 19:36 232 --ah----- C:\sqmdata07.sqm

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-06 16:34 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\BrOffice.org2

2008-04-29 21:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\avg7

2008-04-29 11:00 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\AVG7

2008-04-05 23:09 230,432 ----a-w C:\PA207.DAT

2008-03-31 23:17 --------- d-----w C:\Documents and Settings\LocalService\Dados de aplicativos\AVG7

2008-03-31 22:54 5,445,664 ----a-w C:\Arquivos de programas\ewmamp3.exe

2008-03-31 22:35 1,109,398 ----a-w C:\Arquivos de programas\FreeMP3Converter18.exe

2008-03-28 02:14 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\uTorrent

2008-03-28 01:59 --------- d-----w C:\Arquivos de programas\Soulseek-Test

2008-03-15 12:11 --------- d-----w C:\Arquivos de programas\BrOffice.org 2.3

2008-03-13 15:55 113,109,566 ----a-w C:\Arquivos de programas\BrOo_2.3.1rc1_20071113_Win32Intel_install_pt-BR.exe

2008-03-12 01:05 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Gizmo5

2008-03-08 23:16 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Skype

2008-03-08 22:47 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\skypePM

2008-03-08 20:40 --------- d-----w C:\Arquivos de programas\PC Camera

2008-03-08 20:40 --------- d-----w C:\Arquivos de programas\Arquivos comuns\PAC207

2008-03-08 20:21 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-03-08 19:25 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-03-06 05:21 --------- d-----w C:\Arquivos de programas\CounterPath

2008-03-06 05:21 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Intel

2008-03-06 05:19 --------- d-----w C:\Arquivos de programas\Softphone

2008-03-01 03:25 32 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\ezsid.dat

2008-02-10 22:40 2,403,344 ----a-w C:\Arquivos de programas\WLinstaller.exe

2008-02-06 01:52 1,450,045 ----a-w C:\Arquivos de programas\vaconsmr.exe

2008-01-20 21:53 32,981,120 ----a-w C:\Arquivos de programas\avg75free_516a1225.exe

2008-01-18 00:34 976,836 ----a-w C:\Arquivos de programas\slsk157test12c.exe

2008-01-18 00:19 22,892,768 ----a-w C:\Arquivos de programas\AdbeRdr810_pt_BR.exe

2001-11-23 04:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

((((((((((((((((((((((((((((( snapshot@2008-05-06_ 0.28.13,59 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-06 02:01:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-06 16:22:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-06 16:22:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

"SpybotSD TeaTimer"="C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"PCTVOICE"="pctspk.exe" [2004-01-29 21:33 180224 C:\WINDOWS\system32\pctspk.exe]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 09:42 176128]

"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 09:50 155648]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"Monitor"="C:\WINDOWS\PixArt\PAC207\Monitor.exe" [2006-11-03 11:01 319488]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 15:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04 83360]

MyVitalAgent.lnk - C:\Arquivos de programas\INS\VitalAgent\Program\VtlAgent.exe [2008-02-05 22:52:24 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbiehAbn]

C:\ARQUIV~1\GBPLUG~1\gbiehdst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Soulseek-Test\\slsk.exe"=

"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"C:\\Arquivos de programas\\CounterPath\\X-Lite\\x-lite.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 15:31]

R2 0VsNdis08;VitalAgent Network Driver 8.1;C:\Arquivos de programas\INS\VitalAgent\Program\VsNdis08.sys [2001-02-07 08:53]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 15:35]

R3 0VsComm12;VitalAgent Serial Port Driver 12.4;C:\Arquivos de programas\INS\VitalAgent\Program\VsComm12.sys [2001-02-07 08:53]

S3 PAC207;PC Camera;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2007-05-29 13:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-06 13:38:11

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 490

**************************************************************************

.

Tempo para conclusão: 2008-05-06 13:41:40

ComboFix-quarantined-files.txt 2008-05-06 16:41:32

ComboFix2.txt 2008-05-06 03:28:36

Pre-Run: 69,736,968,192 bytes disponíveis

Post-Run: 69,726,265,344 bytes disponíveis

158

..........................

E este é o novo log do Hijackthis

Logfile of HijackThis v1.99.1

Scan saved at 13:43:52, on 6/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\BrOffice.org 2.3\program\soffice.exe

C:\Arquivos de programas\BrOffice.org 2.3\program\soffice.BIN

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\notepad.exe