
Archived

This topic has been archived and is closed to new replies.

Kabellogt

[Solved!] My PC has "win32:vundo@dll[trj


Good afternoon. I am a beginner and would like some help: Avast detects the virus, and when I put it in quarantine it comes back after a while. Please check my log below. Thank you.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:50:15, on 28/05/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: 216.107.250.194 nprotect.lineage2.com

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\Windows\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\tuvTliGa.dll,#1

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/...NPUpldpt-br.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe

O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe

O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

 

--

End of file - 6585 bytes

 

 

Thanks for your attention.

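The log above can be triaged mechanically. The Python below is an added example, not part of the original post or of HijackThis: it parses a constructed excerpt of the poster's HijackThis log and flags the three kinds of entry a helper asks about first, an O1 hosts-file override, an O2 BHO whose DLL is missing, and an O4 Run entry in which rundll32 loads a DLL by ordinal export (the `tuvTliGa.dll,#1` line, the Vundo dropper pattern). MBAM later found the same component under a different random name (`yayvSiJC.dll`), so the rule keys on loading behaviour rather than the filename. The rules are this example's own heuristics, not anything HijackThis itself reports.

```python
"""Triage a HijackThis 2.0.x log for the patterns discussed in this thread.

Added example, not part of the original post or of HijackThis. SAMPLE_LOG is a
constructed excerpt modelled on the poster's log; the rules are this example's
own heuristics, not anything HijackThis itself reports.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\\Program Files\\Microsoft Office\\Office12\\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\Windows\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [NvMediaCenter] RUNDLL32.EXE C:\\Windows\\system32\\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\\..\\Run: [MSServer] rundll32.exe C:\\Windows\\system32\\tuvTliGa.dll,#1
"""

# "O4 - HKLM\..\Run: [name] command" -> section code and the rest of the line
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
# rundll32 <path>.dll,<export>; the export is either a name or an ordinal such as #1
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>.+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
ORDINAL_RE = re.compile(r"^#\d+$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, full_line) for every R*/O* entry in the log."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def triage(text):
    """Return the entries a helper would ask about first, in log order."""
    findings = []
    for sec, body, line in parse_entries(text):
        if sec == "O1":
            # hosts overrides are not malicious per se; the analyst confirms the mapping is wanted
            findings.append(Finding(sec, "hosts-file override, confirm the mapping is wanted", line))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, "BHO CLSID registered but its DLL is missing", line))
        elif sec == "O4":
            m = RUNDLL_RE.search(body)
            if m and ORDINAL_RE.match(m.group("export")):
                dll = m.group("dll").rsplit("\\", 1)[-1]
                findings.append(Finding(sec, f"rundll32 loads {dll} by ordinal {m.group('export')}", line))
    return findings


def dlls_loaded_by_ordinal(text):
    """Basenames of DLLs that a Run entry loads through rundll32 by ordinal export."""
    names = set()
    for sec, body, _ in parse_entries(text):
        m = RUNDLL_RE.search(body) if sec == "O4" else None
        if m and ORDINAL_RE.match(m.group("export")):
            names.add(m.group("dll").rsplit("\\", 1)[-1])
    return names


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The NVIDIA entries are also rundll32 launches but export a named function, so they are not flagged; the ordinal-export rule is what separates the Vundo line from legitimate vendor startups in this log.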

Hello Kabellogt! Download Malwarebytes' Anti-Malware (MBAM) from this link or this one.

 

Also download ComboFix > save it to the desktop

 

Save or print these instructions:

 

STEP 1

 

Double-click mbam-setup.exe, choose the language and, during installation, accept all the default options.

 

  • Check that the boxes Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware are ticked, then click Finish.
  • If there are updates to be made, they will be downloaded and installed.
  • At the end of the update, with the program open, select Quick Scan and click the Scan button.
  • The scan will then begin. Wait, as it may take a while.
  • When the scan finishes, click OK, then the Show Results button to see the report.
  • If items were found, make sure they are all ticked and click the Remove button.
  • At the end of disinfection, Notepad will open with a log, and a prompt may appear asking whether you want to restart the PC. (See note below)
  • The log is saved automatically by MBAM; to view it, click the Logs tab in the program's main window.
  • When asked to post this MBAM log, select, copy and paste its entire contents into your reply.

NOTE: If MBAM finds files it cannot remove, you may need to restart the PC (possibly more than once). Do so immediately when asked whether you want to restart.

 

 

STEP 2

 

  • Disable your antivirus, antispyware and firewall to avoid conflicts. Keep them disabled until you finish the instructions.
  • Double-click combofix.exe, type 1 and press Enter to proceed with the fix. Wait, as it takes a while.
  • ComboFix will restart the PC automatically to complete the removal process. If that does not happen, restart manually.
  • When it finishes, a log will be generated at C:\ComboFix.txt.
  • IMPORTANT: Do not use the mouse or keyboard while ComboFix is running. To stop or exit ComboFix, press "N".
  • Post a new HijackThis log together with the MBAM log and ComboFix.txt.
     
    NOTE: Do not run ComboFix more than once. That will overwrite the log and make removing the malware harder.


Good morning Sam Spade, and once again thank you for your attention and quick reply.

The logs follow below.

 

Malwarebytes' Anti-Malware 1.12

Database version: 797

 

Scan type: Quick Scan

Objects scanned: 39589

Time elapsed: 3 minute(s), 15 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

C:\Windows\System32\yayvSiJC.dll (Trojan.Vundo) -> Unloaded module successfully.

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{522e0112-edd9-413d-a99e-c311a54b6676} (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{522e0112-edd9-413d-a99e-c311a54b6676} (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Users\Nishiura\Local Settings\Temporary Internet Files\Content.IE5\BIM4ADPR\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Windows\System32\yayvSiJC.dll (Trojan.Agent) -> Delete on reboot.

 

 

 

 

 

 

ComboFix 08-05-28.4 - Nishiura 2008-05-29 21:35:21.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1041.18.2131 [GMT 9:00]

Running from: C:\Users\Nishiura\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))

.

 

2008-05-29 21:14 . 2008-05-29 21:14 <DIR> d-------- C:\Users\Nishiura\AppData\Roaming\Malwarebytes

2008-05-29 21:14 . 2008-05-29 21:14 <DIR> d-------- C:\Users\All Users\Malwarebytes

2008-05-29 21:14 . 2008-05-29 21:14 <DIR> d-------- C:\ProgramData\Malwarebytes

2008-05-29 21:14 . 2008-05-29 21:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-05-29 21:14 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys

2008-05-29 21:14 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys

2008-05-28 21:49 . 2008-05-28 21:50 <DIR> d-------- C:\HijackThis

2008-05-28 21:24 . 2008-05-28 21:25 <DIR> d-------- C:\Hijack

2008-05-28 21:22 . 2008-03-08 11:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-05-28 21:22 . 2008-03-08 13:21 1,695,744 --a------ C:\Windows\System32\gameux.dll

2008-05-27 09:25 . 2008-05-27 09:25 <DIR> d-------- C:\VundoFix Backups

2008-05-15 06:20 . 2008-05-15 06:20 <DIR> d-------- C:\Windows\nvidia icons

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-22 00:16 --------- d-----w C:\Users\Nishiura\AppData\Roaming\BSplayer PRO

2008-05-22 00:16 --------- d-----w C:\Program Files\Webteh

2008-05-18 01:31 --------- d-----w C:\Program Files\Lineage II

2008-05-14 21:22 --------- d-----w C:\ProgramData\NVIDIA

2008-05-14 21:15 --------- d-----w C:\ProgramData\Microsoft Help

2008-05-14 21:15 --------- d-----w C:\Program Files\Windows Mail

2008-04-30 08:27 442,368 ----a-w C:\Windows\System32\nvuninst.exe

2008-04-25 12:36 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

2008-04-18 01:15 174 --sha-w C:\Program Files\desktop.ini

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Sidebar

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Photo Gallery

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Journal

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Defender

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Collaboration

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Calendar

2008-04-18 00:46 82,432 ----a-w C:\Windows\System32\axaltocm.dll

2008-04-18 00:46 101,888 ----a-w C:\Windows\System32\ifxcardm.dll

2008-04-15 10:57 --------- d-----w C:\Program Files\MP3Gain

2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll

2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe

2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe

2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll

2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll

2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll

2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll

2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys

2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe

2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe

2006-06-23 06:48 32,768 ----a-r C:\Windows\inf\UpdateUSB.exe

2007-06-28 12:59 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-06-28 12:59 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-06-28 12:59 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

------- Sigcheck -------

 

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 16:33 1233920]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2007-06-26 09:31 36864]

"JMB36X Configure"="C:\Windows\system32\JMRaidTool.exe" [2006-06-02 17:45 385024]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 22:00 79224]

"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-09-19 17:53 1687552]

"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-09-19 17:29 163840]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-27 03:30 97357]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34 868352]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1884762478-808313110-4027144785-1000]

"EnableNotificationsRef"=dword:00000009

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"TCP Query User{F24AC48D-637F-4095-A2D9-117E2210B783}D:\\games\\line age 2\\walker\\l2asrv.exe"= UDP:D:\games\line age 2\walker\l2asrv.exe:l2asrv

"UDP Query User{166C8B2E-C3E7-482F-8463-88876948AE35}D:\\games\\line age 2\\walker\\l2asrv.exe"= TCP:D:\games\line age 2\walker\l2asrv.exe:l2asrv

"TCP Query User{A37DA199-5D63-4AEF-A44C-17BA4FB6DB63}H:\\nishi\\games\\line age 2\\walker\\l2asrv.exe"= UDP:H:\nishi\games\line age 2\walker\l2asrv.exe:l2asrv

"UDP Query User{7B33200C-96AB-4BA4-98BF-420E47285551}H:\\nishi\\games\\line age 2\\walker\\l2asrv.exe"= TCP:H:\nishi\games\line age 2\walker\l2asrv.exe:l2asrv

"TCP Query User{D7BF68A0-47DB-452D-9EDF-8D4131231F93}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{ABB73952-706D-4E19-8567-BA8B58F21FC9}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"TCP Query User{1CC90F53-22EC-4DFA-95C0-75150D0D3F7E}C:\\tcptunnel\\tcptunnel.exe"= UDP:C:\tcptunnel\tcptunnel.exe:tcptunnel

"UDP Query User{A4AF5B27-2B46-468E-BED6-DCE7D79475C5}C:\\tcptunnel\\tcptunnel.exe"= TCP:C:\tcptunnel\tcptunnel.exe:tcptunnel

"TCP Query User{B5401171-2758-4291-8593-F63B810C8EF5}C:\\tcptunnel\\tcptunnel.exe"= UDP:C:\tcptunnel\tcptunnel.exe:tcptunnel

"UDP Query User{D004C9DC-077F-412A-86A4-ECA56C16BF67}C:\\tcptunnel\\tcptunnel.exe"= TCP:C:\tcptunnel\tcptunnel.exe:tcptunnel

"{80B80A52-3C37-452B-958D-10024ED935F6}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{535D208B-7B2A-4368-B2AD-13D290FCFDC8}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{05B1FA6F-A2E3-430A-8A7A-BDA87914538E}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{2538345B-EC4F-428A-B0A2-3F3E62D66E8F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{A9B52863-843B-4DB8-ADD8-F217806B829C}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"TCP Query User{5CA240AB-BD88-4C23-8E74-BF3EF4092EEA}C:\\l2divine\\l2divine.exe"= UDP:C:\l2divine\l2divine.exe:L2Divine

"UDP Query User{5D332142-E4E0-4CB2-9770-FDD7F981E78C}C:\\l2divine\\l2divine.exe"= TCP:C:\l2divine\l2divine.exe:L2Divine

"{E1AD6463-1659-442F-8CD0-154A0334635C}"= UDP:C:\Program Files\Lineage II\LineageII.exe:Play Lineage II

"{DFCE44C5-AC8B-4A8A-9739-530A10207C91}"= TCP:C:\Program Files\Lineage II\LineageII.exe:Play Lineage II

"{0C6069B2-2715-40E9-B77C-339C075E6CB9}"= UDP:D:\Games\Line Age 2\Walker\eL2Walker1.92\L2Walker.exe:L2Walker

"{BCB5B023-80D2-470D-AFC8-65F6C3E0533B}"= TCP:D:\Games\Line Age 2\Walker\eL2Walker1.92\L2Walker.exe:L2Walker

"TCP Query User{31968FD8-A342-4D42-9A12-5F4467512677}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"UDP Query User{9E83D222-0F5F-49EF-8D57-2E35EF4F4DA5}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"TCP Query User{CF79E300-FDBA-40ED-A47F-BE3799299107}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"UDP Query User{A01BF0C5-2041-4386-ACC7-8E1FB5C7CA3A}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"{EEEA6285-491E-4A41-98CE-75D2171AB3B9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{9751922B-97AA-4740-8185-9034A2B4AE3A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{5A31E946-BC46-4F44-B27A-673A66733101}"= UDP:C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:Roxio Upnp Service

"{6DC0FB48-BA8B-4D53-B7B3-66361ECDB751}"= TCP:C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:Roxio Upnp Service

"{F394DDD1-35CD-4ECC-B358-ABB4B4AA2DD7}"= UDP:C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:Roxio Upnp Service

"{72A9D62B-A785-440D-98CC-B3F487C84F7E}"= TCP:C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:Roxio Upnp Service

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

 

R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-12-04 23:52]

R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]

S3 msloop;Microsoft Loopback Adapter Driver;C:\Windows\system32\DRIVERS\loop.sys [2008-01-19 14:55]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c775b1ee-23d6-11dc-82a2-806e6f6e6963}]

\shell\AutoRun\command - E:\install.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d92b5307-2700-11dc-b28a-0017318fda5d}]

\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

\shell\Open(&0)\command - Recycled\ctfmon.exe

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-29 21:38:44

Windows 6.0.6001 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-29 21:39:35

ComboFix-quarantined-files.txt 2008-05-29 12:39:31

 

Pre-Run: 241,456,271,360 bytes free

Post-Run: 241,633,075,200 bytes free

 

144 --- E O F --- 2008-05-28 12:23:56

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:46:59, on 29/05/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: 216.107.250.194 nprotect.lineage2.com

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\Windows\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/...NPUpldpt-br.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe

O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe

O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

 

--

End of file - 5995 bytes


OK, Vundo has been removed, but ComboFix showed a virus that infects flash drives and MP3/MP4 players.

 

Download: PenClean

 

Save or print these instructions, because you will follow them offline, without access to this page:

 

1 - Delete the folder C:\Qoobox (if it exists), and delete the previous ComboFix log -> C:\combofix.txt

 

2 - Disable your antivirus, antispyware and firewall to avoid conflicts. Keep them disabled until you finish the instructions.

 

3 - Select and copy the text inside the QUOTE. Open Notepad and paste what you copied. Then save it to the desktop with the name CFScript.txt.

 

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c775b1ee-23d6-11dc-82a2-806e6f6e6963}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d92b5307-2700-11dc-b28a-0017318fda5d}]

4 - If you have a flash drive or an MP3 or MP4 player, connect it to the PC (if you have more than one, connect them all). Do not remove them until you complete all the instructions.

 

Restart the PC and tap F8 repeatedly. In the menu choose: Safe Mode.

 

Run PenClean. Select the Scan the computer option and click the Scan button.

<<Wait a few moments, the scan is quite fast>>

 

You will be told whether anything was found; if something was found you will be asked to restart, click Yes. The computer will restart.

 

5 - Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

 

CFScript.gif

 

ComboFix will run and will restart the PC automatically to complete the removal process. If that does not happen, restart manually.

 

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running.

 

When it finishes, a log will be generated at C:\ComboFix.txt.

 

NOTE: Do not run ComboFix more than once. That will overwrite the log and make removing the malware harder.

 

6 - Remove the flash drive/MP3/MP4 player you connected.

 

7 - Post the PenClean report, which will be at C:\PenClean\PenClean.txt. Also post ComboFix.txt.

 


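The CFScript in the reply above deletes the two MountPoints2 keys that the poster's ComboFix log listed with `\shell\AutoRun\command` handlers, which is how an autorun worm on a removable drive gets launched when the drive is opened. The Python below is an added example, not part of the thread, ComboFix or PenClean: it parses a constructed excerpt of that log's "Reg Loading Points" section, reports each MountPoints2 handler and rates it by whether the target lives in a Recycled folder, is launched through ShellExec_RunDLL, or is a path with no drive letter (all three are visible in the `Recycled\ctfmon.exe` entries), flags the two policy values the same log shows set to 0 (EnableLUA, i.e. UAC off, and EnableFirewall), and emits a CFScript block in the same `Registry::` / `[-KEY]` form the helper used. The risk rules are this example's own.

```python
"""Read the Reg Loading Points section of a ComboFix log, report removable-drive
AutoRun handlers and weakened policy values, and build the CFScript that deletes
the offending keys.

Added example, not part of the thread, ComboFix or PenClean. SAMPLE_COMBOFIX is a
constructed excerpt of the poster's log; the risk rules are this example's own.
The only CFScript syntax used is the 'Registry::' / '[-KEY]' form shown in the thread.
"""
import re

SAMPLE_COMBOFIX = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{c775b1ee-23d6-11dc-82a2-806e6f6e6963}]
\\shell\\AutoRun\\command - E:\\install.exe

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{d92b5307-2700-11dc-b28a-0017318fda5d}]
\\shell\\AutoRun\\command - C:\\Windows\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\\ctfmon.exe
\\shell\\Open(&0)\\command - Recycled\\ctfmon.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\S+)')
HANDLER_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")

# value name (lower-case) -> what a 0 means; both are 0 in the poster's log
WEAK_WHEN_ZERO = {"enablelua": "UAC disabled", "enablefirewall": "Windows Firewall disabled"}


def parse_blocks(text):
    """Map each [KEY] header to the non-empty lines that follow it."""
    blocks, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            blocks.setdefault(key, [])
        elif line and key is not None:
            blocks[key].append(line)
    return blocks


def mountpoint_handlers(text):
    """(key, verb, command) for every shell handler under MountPoints2."""
    found = []
    for key, lines in parse_blocks(text).items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        for line in lines:
            m = HANDLER_RE.match(line)
            if m:
                found.append((key, m.group("verb"), m.group("cmd")))
    return found


def is_high_risk(cmd):
    """Autorun-worm tells: payload in a Recycled folder, launched through
    ShellExec_RunDLL, or a path relative to the drive root (no drive letter)."""
    c = cmd.lower()
    return "recycle" in c or "shellexec_rundll" in c or re.search(r"[a-z]:\\", c) is None


def weak_policies(text):
    """(key, value name, meaning) for security policies the log shows set to 0."""
    hits = []
    for key, lines in parse_blocks(text).items():
        for line in lines:
            m = VALUE_RE.match(line)
            name = m.group("name").lower() if m else None
            if name in WEAK_WHEN_ZERO and m.group("val") == "0":
                hits.append((key, m.group("name"), WEAK_WHEN_ZERO[name]))
    return hits


def build_cfscript(keys):
    """CFScript text in the form the helper used: Registry:: then one [-KEY] per key."""
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


if __name__ == "__main__":
    handlers = mountpoint_handlers(SAMPLE_COMBOFIX)
    for key, verb, cmd in handlers:
        print(("HIGH " if is_high_risk(cmd) else "info ") + f"{verb}: {cmd}")
    for key, name, meaning in weak_policies(SAMPLE_COMBOFIX):
        print(f"policy {name}=0 ({meaning}) in {key}")
    print(build_cfscript(sorted({k for k, _, _ in handlers})))
```

Deleting the MountPoints2 keys only removes the cached handler for that drive; the `Recycled\ctfmon.exe` payload and any autorun.inf on the removable media itself still have to be cleaned, which is what the PenClean step in the reply above is for, and the two policy values deserve restoring to 1 once the machine is clean.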

Greetings. I had a problem downloading from the PenClean link, but I managed to download it from another page.

ComboFix malfunctioned twice, maybe because of the Safe Mode window that opened automatically.

The logs follow below.

Regards.

 

Starting PenClean 2.0.3 report

By Renato Victor Mejias

renatomejias@yahoo.com.br

30/05/2008 21:33:13

-----------------------------------------------------------

Files and keys deleted from the computer:

 

No malware detected on the computer!

 

-----------------------------------------------------------

End of computer analysis.

 

-----------------------------------------------------------

 

 

ComboFix 08-05-28.4 - Nishiura 2008-05-30 21:36:21.2 - NTFSx86 MINIMAL

Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1041.18.2577 [GMT 9:00]

Running from: C:\Users\Nishiura\Desktop\ComboFix.exe

Command switches used :: C:\Users\Nishiura\Desktop\CFScript.txt

.

 

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))

.

 

No new files created in this timespan

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-29 12:14 --------- d-----w C:\Users\Nishiura\AppData\Roaming\Malwarebytes

2008-05-29 12:14 --------- d-----w C:\ProgramData\Malwarebytes

2008-05-29 12:14 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware

2008-05-22 00:16 --------- d-----w C:\Users\Nishiura\AppData\Roaming\BSplayer PRO

2008-05-22 00:16 --------- d-----w C:\Program Files\Webteh

2008-05-18 01:31 --------- d-----w C:\Program Files\Lineage II

2008-05-14 21:22 --------- d-----w C:\ProgramData\NVIDIA

2008-05-14 21:15 --------- d-----w C:\ProgramData\Microsoft Help

2008-05-14 21:15 --------- d-----w C:\Program Files\Windows Mail

2008-05-05 11:46 27,048 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys

2008-05-05 11:46 15,864 ----a-w C:\Windows\system32\drivers\mbam.sys

2008-04-30 08:27 442,368 ----a-w C:\Windows\System32\nvuninst.exe

2008-04-25 12:36 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

2008-04-18 01:15 174 --sha-w C:\Program Files\desktop.ini

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Sidebar

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Photo Gallery

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Journal

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Defender

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Collaboration

2008-04-18 01:06 --------- d-----w C:\Program Files\Windows Calendar

2008-04-18 00:46 82,432 ----a-w C:\Windows\System32\axaltocm.dll

2008-04-18 00:46 101,888 ----a-w C:\Windows\System32\ifxcardm.dll

2008-04-15 10:57 --------- d-----w C:\Program Files\MP3Gain

2008-03-08 04:21 1,695,744 ----a-w C:\Windows\System32\gameux.dll

2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-03-08 02:08 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll

2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll

2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe

2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe

2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll

2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll

2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll

2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll

2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys

2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe

2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe

2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll

2008-02-22 05:01 826,880 ----a-w C:\Windows\System32\wininet.dll

2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll

2008-02-08 13:59 1,171,848 ----a-w C:\Windows\System32\SecureKeyBackupCPL.dll

2006-06-23 06:48 32,768 ----a-r C:\Windows\inf\UpdateUSB.exe

2007-06-28 12:59 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2007-06-28 12:59 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2007-06-28 12:59 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

------- Sigcheck -------

 

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 16:33 1233920]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2007-06-26 09:31 36864]

"JMB36X Configure"="C:\Windows\system32\JMRaidTool.exe" [2006-06-02 17:45 385024]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 22:00 79224]

"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-09-19 17:53 1687552]

"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-09-19 17:29 163840]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-27 03:30 97357]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34 868352]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"@"="" []

"GrpConv"="grpconv -o" []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1884762478-808313110-4027144785-1000]

"EnableNotificationsRef"=dword:00000009

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"TCP Query User{F24AC48D-637F-4095-A2D9-117E2210B783}D:\\games\\line age 2\\walker\\l2asrv.exe"= UDP:D:\games\line age 2\walker\l2asrv.exe:l2asrv

"UDP Query User{166C8B2E-C3E7-482F-8463-88876948AE35}D:\\games\\line age 2\\walker\\l2asrv.exe"= TCP:D:\games\line age 2\walker\l2asrv.exe:l2asrv

"TCP Query User{A37DA199-5D63-4AEF-A44C-17BA4FB6DB63}H:\\nishi\\games\\line age 2\\walker\\l2asrv.exe"= UDP:H:\nishi\games\line age 2\walker\l2asrv.exe:l2asrv

"UDP Query User{7B33200C-96AB-4BA4-98BF-420E47285551}H:\\nishi\\games\\line age 2\\walker\\l2asrv.exe"= TCP:H:\nishi\games\line age 2\walker\l2asrv.exe:l2asrv

"TCP Query User{D7BF68A0-47DB-452D-9EDF-8D4131231F93}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{ABB73952-706D-4E19-8567-BA8B58F21FC9}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"TCP Query User{1CC90F53-22EC-4DFA-95C0-75150D0D3F7E}C:\\tcptunnel\\tcptunnel.exe"= UDP:C:\tcptunnel\tcptunnel.exe:tcptunnel

"UDP Query User{A4AF5B27-2B46-468E-BED6-DCE7D79475C5}C:\\tcptunnel\\tcptunnel.exe"= TCP:C:\tcptunnel\tcptunnel.exe:tcptunnel

"TCP Query User{B5401171-2758-4291-8593-F63B810C8EF5}C:\\tcptunnel\\tcptunnel.exe"= UDP:C:\tcptunnel\tcptunnel.exe:tcptunnel

"UDP Query User{D004C9DC-077F-412A-86A4-ECA56C16BF67}C:\\tcptunnel\\tcptunnel.exe"= TCP:C:\tcptunnel\tcptunnel.exe:tcptunnel

"{80B80A52-3C37-452B-958D-10024ED935F6}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{535D208B-7B2A-4368-B2AD-13D290FCFDC8}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{05B1FA6F-A2E3-430A-8A7A-BDA87914538E}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{2538345B-EC4F-428A-B0A2-3F3E62D66E8F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{A9B52863-843B-4DB8-ADD8-F217806B829C}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"TCP Query User{5CA240AB-BD88-4C23-8E74-BF3EF4092EEA}C:\\l2divine\\l2divine.exe"= UDP:C:\l2divine\l2divine.exe:L2Divine

"UDP Query User{5D332142-E4E0-4CB2-9770-FDD7F981E78C}C:\\l2divine\\l2divine.exe"= TCP:C:\l2divine\l2divine.exe:L2Divine

"{E1AD6463-1659-442F-8CD0-154A0334635C}"= UDP:C:\Program Files\Lineage II\LineageII.exe:Play Lineage II

"{DFCE44C5-AC8B-4A8A-9739-530A10207C91}"= TCP:C:\Program Files\Lineage II\LineageII.exe:Play Lineage II

"{0C6069B2-2715-40E9-B77C-339C075E6CB9}"= UDP:D:\Games\Line Age 2\Walker\eL2Walker1.92\L2Walker.exe:L2Walker

"{BCB5B023-80D2-470D-AFC8-65F6C3E0533B}"= TCP:D:\Games\Line Age 2\Walker\eL2Walker1.92\L2Walker.exe:L2Walker

"TCP Query User{31968FD8-A342-4D42-9A12-5F4467512677}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"UDP Query User{9E83D222-0F5F-49EF-8D57-2E35EF4F4DA5}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"TCP Query User{CF79E300-FDBA-40ED-A47F-BE3799299107}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"UDP Query User{A01BF0C5-2041-4386-ACC7-8E1FB5C7CA3A}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"{EEEA6285-491E-4A41-98CE-75D2171AB3B9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{9751922B-97AA-4740-8185-9034A2B4AE3A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{5A31E946-BC46-4F44-B27A-673A66733101}"= UDP:C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:Roxio Upnp Service

"{6DC0FB48-BA8B-4D53-B7B3-66361ECDB751}"= TCP:C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:Roxio Upnp Service

"{F394DDD1-35CD-4ECC-B358-ABB4B4AA2DD7}"= UDP:C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:Roxio Upnp Service

"{72A9D62B-A785-440D-98CC-B3F487C84F7E}"= TCP:C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:Roxio Upnp Service

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

 

S2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-12-04 23:52]

S3 msloop;Microsoft Loopback Adapter Driver;C:\Windows\system32\DRIVERS\loop.sys [2008-01-19 14:55]

S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]

 

*Newly Created Service* - ECACHE

*Newly Created Service* - PXHELP20

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-30 21:40:21

Windows 6.0.6001 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-30 21:40:47

ComboFix-quarantined-files.txt 2008-05-30 12:40:44

 

O sistema não pode encontrar o texto correspondente à mensagem de número 0x2379 no arquivo de mensagens para Application.

O sistema não pode encontrar o texto correspondente à mensagem de número 0x2379 no arquivo de mensagens para Application.

 

143 --- E O F --- 2008-05-30 12:23:46

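A helper reading a ComboFix log like the one posted above would want to pick out, from the "Reg Loading Points" section, the settings that weaken the host's defences. The following Python script is an added example and is not part of this thread or of ComboFix itself: it parses the REGEDIT4-style section into a dictionary and flags EnableLUA=0 (User Account Control switched off) and EnableFirewall=0 (Windows Firewall off on the standard profile), both of which appear in the log above. The sample text embedded in the script is constructed from a few of those lines; the WEAK_SETTINGS table and the function names are this example's own.

```python
import re

# Constructed sample: a few lines in the shape of a ComboFix "Reg Loading Points"
# section (REGEDIT4 format). This is not the full log from the thread.
SAMPLE_LOG = """REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe" [2008-01-19 16:33 1233920]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

# Settings whose listed value weakens the host's defensive posture (example's own table).
# Key paths are matched case-insensitively on their tail, because ComboFix
# abbreviates hives (HKLM) and elides path segments with "~".
WEAK_SETTINGS = {
    ("policies\\system", "EnableLUA"):
        ("0", "User Account Control is disabled"),
    ("firewallpolicy\\standardprofile", "EnableFirewall"):
        ("0", "Windows Firewall is disabled on the standard profile"),
}

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')


def parse_reg_points(text):
    """Return {section_path: {value_name: raw_value}} from a REGEDIT4-style dump."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def numeric_value(raw):
    """Normalise ComboFix value renderings: '0 (0x0)' -> '0', 'dword:00000009' -> '9'.
    Anything else (paths, quoted strings) is returned unchanged."""
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return m.group(1)
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return str(int(m.group(1), 16))
    return raw


def find_weakened_settings(text):
    """List (section, name, value, reason) for every WEAK_SETTINGS entry the dump matches."""
    findings = []
    for section, values in parse_reg_points(text).items():
        for (tail, name), (bad, reason) in WEAK_SETTINGS.items():
            if section.lower().endswith(tail.lower()) and name in values:
                value = numeric_value(values[name])
                if value == bad:
                    findings.append((section, name, value, reason))
    return findings


if __name__ == "__main__":
    for section, name, value, reason in find_weakened_settings(SAMPLE_LOG):
        print(f"[{section}] {name}={value}: {reason}")
```

Matching on the tail of the key path rather than the full path is deliberate: the same policy key appears as HKEY_LOCAL_MACHINE\... in one section and as HKLM\~\... in another, so a full-path comparison would miss one of them.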

OK, the log is clean.

 

To finish, go to Start > Run > type (or copy and paste): ComboFix /u

 

Click OK. Wait, as this will uninstall ComboFix, delete the related files and folders, and erase System Restore points that might be infected, creating a clean one.

 

Clean up the temporary files and fix Registry errors with CCleaner.

 

Read these articles about security:

 

Protect your PC

Precautions when browsing the net.

 

Regards.


Thank you very much, Sam Spade, you really helped me a lot; I will follow the advice given on this forum.

Regards.

Sincerely, Nishirua(Kabellogt).


PROBLEM SOLVED!

 

If the author needs the topic to be reopened, send a Private Message to a Moderator with a link to the topic.
