Archived

This topic has been archived and is closed to new replies.

cassiano óliver

[Archived] "little thing" on the pendrive, ckvo.exe

Folks, my pendrive is infected with something called "ckvo.exe". I know it is on the pendrive because whenever I use it, this "little thing" installs itself among the PC's processes...

One question: should I run the HijackThis and ComboFix programs with the pendrive connected?

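The post above describes the classic removable-media vector: an Autorun.inf at the drive root that makes Explorer launch a program when the pendrive is opened. The following inspector is an added example for this thread, not code from the original post or from any tool named in it. It parses the [autorun] section and lists every setting that can run something (`open`, `shellexecute`, `shell\<verb>\command`, and the `shell` key that picks the default verb). Both INF bodies in it are constructed for the demo; they are not the files from the poster's machine, and the file name `setup_sample.exe` is a placeholder.

```python
"""Inspect an Autorun.inf before trusting a removable drive (added example)."""
import configparser
import re
from pathlib import Path
from typing import Optional

# Keys whose value Windows may execute directly when the drive is inserted or opened.
DIRECT_EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command adds or overrides a context-menu verb; 'shell=<verb>' makes
# that verb the default, so a plain double-click on the drive runs the command.
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return {lower-cased key: value} for the [autorun] section, or {} if absent."""
    cp = configparser.ConfigParser(
        interpolation=None,      # values contain % and backslashes; do not expand them
        strict=False,            # repeated keys are tolerated; the last one wins
        allow_no_value=True,     # tolerate bare flags such as 'UseAutoPlay'
        delimiters=("=",),
    )
    cp.optionxform = str.lower   # INF keys are case-insensitive
    cp.read_string(text)
    return dict(cp.items("autorun")) if cp.has_section("autorun") else {}


def launch_vectors(entries: dict) -> list:
    """Return (trigger, command) pairs for every way the INF can launch something."""
    vectors = []
    for key in DIRECT_EXEC_KEYS:
        if entries.get(key):
            vectors.append((key, entries[key]))
    default_verb = (entries.get("shell") or "").lower()
    for key, value in entries.items():
        m = SHELL_CMD_RE.match(key)
        if m and value:
            verb = m.group(1)
            trigger = f"shell verb '{verb}'"
            if verb == default_verb:
                trigger += " (default: runs on double-click)"
            vectors.append((trigger, value))
    return vectors


def assess(text: str) -> dict:
    """Parse an Autorun.inf body and classify it."""
    entries = parse_autorun(text)
    vectors = launch_vectors(entries)
    if any(EXEC_EXT_RE.search(cmd) for _, cmd in vectors):
        verdict = "suspicious: launches an executable from the drive"
    elif vectors:
        verdict = "review: has launch vectors"
    else:
        verdict = "clean: no launch vectors (icon/label only)"
    return {"entries": entries, "vectors": vectors, "verdict": verdict}


def assess_drive_root(root: str) -> Optional[dict]:
    """Assess <root>/Autorun.inf if present (name matched case-insensitively)."""
    base = Path(root)
    if not base.is_dir():
        return None
    for candidate in base.iterdir():
        if candidate.name.lower() == "autorun.inf" and candidate.is_file():
            return assess(candidate.read_text(errors="replace"))
    return None


# Constructed sample in the shape a USB worm typically writes (not the poster's file).
WORM_STYLE_INF = r"""
[autorun]
open=setup_sample.exe
shell\open\command=setup_sample.exe
shell\explore\command=setup_sample.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed sample of a legitimate INF that only sets a drive icon and label.
ICON_ONLY_INF = r"""
[autorun]
icon=pictures.ico
label=Holiday photos
"""

if __name__ == "__main__":
    for label, inf in (("worm-style", WORM_STYLE_INF), ("icon-only", ICON_ONLY_INF)):
        result = assess(inf)
        print(f"{label}: {result['verdict']}")
        for trigger, cmd in result["vectors"]:
            print(f"  {trigger} -> {cmd}")
```

Running it on a mounted pendrive is `assess_drive_root("E:\\")` (or the mount point on a non-Windows analysis box). On Windows XP of that era the mitigation for this whole class was to stop honouring Autorun.inf on removable drives via the `NoDriveTypeAutoRun` policy value (`0xFF` disables it for every drive type), so that inspection, not Explorer, decides what runs.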

Hello, run HijackThis and post the log for analysis.

Regards


Without the pendrive connected.


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:27, on 14/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Apache Group\Apache\Apache.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Apache Group\Apache\Apache.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Arquivos de programas\Pilot Group LLC\Save Flash 2.4.20\SaveFlash.dll

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O20 - Winlogon Notify: awtSmJAS - awtSmJAS.dll (file missing)

O20 - Winlogon Notify: wingdm32 - C:\WINDOWS\

O23 - Service: Apache - Unknown owner - C:\Arquivos de programas\Apache Group\Apache\Apache.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

 

--

End of file - 4265 bytes


Download ComboFix and save it to your desktop.

Close all windows and programs.

Double-click ComboFix and press "1" followed by Enter to proceed with the fix. It will take about 10 minutes on average (be patient). ComboFix will restart the PC automatically to complete the removal process.

When it finishes, a log will be generated at C:\ComboFix.txt.

Attention:

Do not click on the ComboFix window or close it with the X while it is running; otherwise it will stop and your desktop will go blank.

To stop or exit ComboFix, press "2" and Enter.

Afterwards, generate a new log with HijackThis and post it together with ComboFix.txt.


Updated HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:30:37, on 14/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Apache Group\Apache\Apache.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Apache Group\Apache\Apache.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Arquivos de programas\Pilot Group LLC\Save Flash 2.4.20\SaveFlash.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O23 - Service: Apache - Unknown owner - C:\Arquivos de programas\Apache Group\Apache\Apache.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

 

--

End of file - 3966 bytes

ComboFix log

ComboFix 08-07-14.2 - Cassiano Designer 2008-07-14 23:22:18.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1560 [GMT -3:00]

Executando de: C:\Documents and Settings\Cassiano Designer\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Autorun.inf

C:\DOCUME~1\CASSIA~1\CONFIG~1\Temp\zb5ok.dll

C:\ffojc.com

C:\WINDOWS\system32\ckvo.exe

C:\WINDOWS\system32\ckvo0.dll

C:\WINDOWS\system32\rluyyuoj.exe

D:\Autorun.inf

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-15 to 2008-07-15 ))))))))))))))))))))))))))))))))

.

 

2008-07-14 22:22 . 2008-07-14 22:22 <DIR> d-------- C:\HijackThis

2008-07-14 22:19 . 2008-07-14 22:20 118,512 -r-hs---- C:\fi.cmd

2008-07-14 18:40 . 2008-07-14 18:41 2,613,152 --a------ C:\ComboFix.exe

2008-07-13 18:10 . 2008-07-14 22:20 77,312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll

2008-07-10 11:01 . 2008-07-10 11:01 268 --ah----- C:\sqmdata03.sqm

2008-07-10 11:01 . 2008-07-10 11:01 244 --ah----- C:\sqmnoopt03.sqm

2008-07-07 10:26 . 2008-07-07 10:26 <DIR> d-------- C:\Documents and Settings\Cassiano Designer\Dados de aplicativos\Media Player Classic

2008-07-07 10:21 . 2008-07-07 10:27 <DIR> d-------- C:\Arquivos de programas\Essentials Codec Pack

2008-07-07 10:17 . 2008-07-07 10:17 <DIR> d-------- C:\Arquivos de programas\XP Codec Pack

2008-07-04 15:12 . 2008-07-04 15:13 144 --a------ C:\WINDOWS\system32\test.aok

2008-07-04 15:12 . 2008-07-04 15:14 143 --a------ C:\WINDOWS\system32\temp_0000_65-20.aok

2008-07-04 00:18 . 2008-07-04 00:18 <DIR> d-------- C:\Arquivos de programas\Allok Video to FLV Converter

2008-07-04 00:18 . 2002-10-05 07:04 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll

2008-07-04 00:18 . 2006-10-24 14:16 242,176 --a------ C:\WINDOWS\system32\fixflash.exe

2008-07-04 00:18 . 2002-10-07 02:42 237,568 --a------ C:\WINDOWS\system32\OggDS.dll

2008-07-04 00:18 . 2002-10-05 07:04 188,416 --a------ C:\WINDOWS\system32\vorbis.dll

2008-07-04 00:18 . 2007-04-12 14:19 129,024 --a------ C:\WINDOWS\system32\AVERM.dll

2008-07-04 00:18 . 2002-10-05 07:04 45,056 --a------ C:\WINDOWS\system32\ogg.dll

2008-07-04 00:18 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll

2008-07-03 20:47 . 2008-07-03 20:47 <DIR> d-------- C:\Arquivos de programas\Daniusoft

2008-06-26 19:11 . 2008-06-26 19:11 <DIR> d-------- C:\Arquivos de programas\Absolute Video Converter

2008-06-26 18:36 . 2008-06-26 18:36 <DIR> d-------- C:\Arquivos de programas\DVD Audio Extractor

2008-06-26 11:53 . 2008-06-26 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink

2008-06-26 11:53 . 2008-06-26 11:53 <DIR> d-------- C:\Arquivos de programas\DVD Shrink

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-15 02:27 40,710,688 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-07-15 01:27 3,202,080 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2008-07-15 01:27 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab

2008-07-15 01:26 550,568 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-07-15 01:26 305,420 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2008-07-07 13:22 --------- d-----w C:\Arquivos de programas\Apollo 3GP Video Converter

2008-07-07 13:17 --------- d-----w C:\Arquivos de programas\XviD

2008-07-05 01:42 2,516 --sha-w C:\Documents and Settings\All Users\Dados de aplicativos\KGyGaAvL.sys

2008-07-03 23:37 --------- d-----w C:\Arquivos de programas\eMule

2008-07-03 22:25 --------- d-----w C:\Arquivos de programas\Plato FLV Tool Package

2008-07-01 15:20 1,341,338 ----a-w C:\Arquivos de programas\discografia

2008-06-07 01:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\ALM

2008-06-06 02:14 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2008-05-23 17:08 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\FLEXnet

2008-05-15 14:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Corel

2008-05-15 14:14 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Protexis

2008-05-15 14:11 --------- d-----w C:\Arquivos de programas\Corel

2008-03-21 00:54 8 --sh--r C:\Documents and Settings\All Users\Dados de aplicativos\AD37252DE5.sys

2008-01-07 01:34 56 --sh--r C:\WINDOWS\system32\E52D2537AD.sys

.

 

((((((((((((((((((((((((((((( snapshot@2008-05-06_22.18.02.87 )))))))))))))))))))))))))))))))))))))))))

.

- 2000-08-31 11:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe

+ 2000-08-31 11:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe

- 2008-04-07 13:12:28 86,016 ----a-r C:\WINDOWS\Installer\{1A9DAB4D-46CD-4CBF-A9FC-28D8AA8D2FCF}\ARPPRODUCTICON.exe

+ 2008-05-15 14:14:36 86,016 ----a-r C:\WINDOWS\Installer\{1A9DAB4D-46CD-4CBF-A9FC-28D8AA8D2FCF}\ARPPRODUCTICON.exe

- 2008-04-07 13:10:48 335,872 ----a-r C:\WINDOWS\Installer\{44A27085-0616-4181-A0C3-81C7ECA17F73}\NewShortcut4.exe

+ 2008-05-15 14:12:43 335,872 ----a-r C:\WINDOWS\Installer\{44A27085-0616-4181-A0C3-81C7ECA17F73}\NewShortcut4.exe

- 2008-04-07 13:10:48 335,872 ----a-r C:\WINDOWS\Installer\{44A27085-0616-4181-A0C3-81C7ECA17F73}\NewShortcut5.exe

+ 2008-05-15 14:12:43 335,872 ----a-r C:\WINDOWS\Installer\{44A27085-0616-4181-A0C3-81C7ECA17F73}\NewShortcut5.exe

- 2008-04-07 13:10:59 10,134 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF010}\ARPPRODUCTICON.exe

+ 2008-05-15 14:12:53 10,134 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF010}\ARPPRODUCTICON.exe

- 2008-04-07 13:11:02 22,758 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF012}\ARPPRODUCTICON.exe

+ 2008-05-15 14:12:56 22,758 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF012}\ARPPRODUCTICON.exe

- 2008-04-07 13:11:02 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF012}\NewShortcut8.exe

+ 2008-05-15 14:12:56 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF012}\NewShortcut8.exe

- 2008-04-07 13:11:20 22,758 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF013}\ARPPRODUCTICON.exe

+ 2008-05-15 14:13:16 22,758 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF013}\ARPPRODUCTICON.exe

- 2008-04-07 13:11:20 86,016 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF013}\NewShortcut1.exe

+ 2008-05-15 14:13:16 86,016 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF013}\NewShortcut1.exe

- 2008-04-07 13:11:27 22,758 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF014}\ARPPRODUCTICON.exe

+ 2008-05-15 14:13:22 22,758 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF014}\ARPPRODUCTICON.exe

- 2008-04-07 13:11:28 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF014}\NewShortcut2.exe

+ 2008-05-15 14:13:22 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF014}\NewShortcut2.exe

- 2008-04-07 13:11:47 22,758 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF016}\ARPPRODUCTICON.exe

+ 2008-05-15 14:13:44 22,758 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF016}\ARPPRODUCTICON.exe

- 2008-04-07 13:11:53 10,134 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF017}\ARPPRODUCTICON.exe

+ 2008-05-15 14:13:50 10,134 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF017}\ARPPRODUCTICON.exe

- 2008-04-07 13:12:48 86,016 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\ARPPRODUCTICON.exe

+ 2008-05-15 14:14:57 86,016 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\ARPPRODUCTICON.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9_1.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9_1.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut90.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut90.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut900.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut900.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9000.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9000.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9001.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9001.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut901.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut901.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut902.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut902.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut903_CC5820041A9C446BB9018F9ECF582DD1.exe

+ 2008-05-15 14:14:58 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut903_CC5820041A9C446BB9018F9ECF582DD1.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut91.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut91.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut910.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut910.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9100.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9100.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9101.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut9101.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut911.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut911.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut912.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut912.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut913_CC5820041A9C446BB9018F9ECF582DD1.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut913_CC5820041A9C446BB9018F9ECF582DD1.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut92_CC5820041A9C446BB9018F9ECF582DD1.exe

+ 2008-05-15 14:14:58 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut92_CC5820041A9C446BB9018F9ECF582DD1.exe

- 2008-04-07 13:12:48 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut93_CC5820041A9C446BB9018F9ECF582DD1.exe

+ 2008-05-15 14:14:57 335,872 ----a-r C:\WINDOWS\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF019}\NewShortcut93_CC5820041A9C446BB9018F9ECF582DD1.exe

- 2008-04-07 13:12:41 10,134 ----a-r C:\WINDOWS\Installer\{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}\ARPPRODUCTICON.exe

+ 2008-05-15 14:14:50 10,134 ----a-r C:\WINDOWS\Installer\{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}\ARPPRODUCTICON.exe

- 2008-04-07 13:13:04 135,168 ----a-r C:\WINDOWS\Installer\{B61D21B6-469D-4423-B161-62DB20B8A70E}\misc.exe

+ 2008-05-15 14:15:13 135,168 ----a-r C:\WINDOWS\Installer\{B61D21B6-469D-4423-B161-62DB20B8A70E}\misc.exe

- 2008-04-07 13:12:53 86,016 ----a-r C:\WINDOWS\Installer\{BF439B41-0252-48DE-8B8B-0430CB26A181}\ARPPRODUCTICON.exe

+ 2008-05-15 14:15:02 86,016 ----a-r C:\WINDOWS\Installer\{BF439B41-0252-48DE-8B8B-0430CB26A181}\ARPPRODUCTICON.exe

- 2008-04-07 13:12:56 10,134 ----a-r C:\WINDOWS\Installer\{CE2DA11A-917F-4CF5-AB55-755EC115DD10}\ARPPRODUCTICON.exe

+ 2008-05-15 14:15:04 10,134 ----a-r C:\WINDOWS\Installer\{CE2DA11A-917F-4CF5-AB55-755EC115DD10}\ARPPRODUCTICON.exe

- 2008-04-07 13:12:59 135,168 ----a-r C:\WINDOWS\Installer\{DB81779E-7CC5-4630-BCFC-754004956444}\misc.exe

+ 2008-05-15 14:15:08 135,168 ----a-r C:\WINDOWS\Installer\{DB81779E-7CC5-4630-BCFC-754004956444}\misc.exe

- 2000-08-31 11:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe

+ 2000-08-31 11:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe

- 2008-01-07 17:28:45 85,860 ----a-w C:\WINDOWS\system32\drivers\klick.dat

+ 2008-05-09 22:19:31 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat

- 2008-04-02 12:29:21 91,700 ----a-w C:\WINDOWS\system32\drivers\klin.dat

+ 2008-05-09 22:19:31 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat

- 2008-04-07 18:23:27 1,985,800 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2008-05-15 19:25:55 1,985,800 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2006-08-01 17:01:08 438,272 ----a-w C:\WINDOWS\system32\SkinCrafter.dll

+ 2007-03-09 12:37:54 139,264 ----a-w C:\WINDOWS\system32\viscomqtde.dll

+ 2007-03-09 12:36:48 81,920 ----a-w C:\WINDOWS\system32\viscomwave.dll

- 2005-12-30 22:10:30 761,856 ----a-w C:\WINDOWS\system32\xvidcore.dll

+ 2005-12-30 23:10:30 761,856 ----a-w C:\WINDOWS\system32\xvidcore.dll

- 2005-12-30 22:18:26 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll

+ 2005-12-30 23:18:26 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll

.

-- Snapshot reset to current date --

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-03 23:45 159744]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Register Mask Pro 3.0.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Register Mask Pro 3.0.lnk

backup=C:\WINDOWS\pss\Register Mask Pro 3.0.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Register Mask Pro 4.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Register Mask Pro 4.lnk

backup=C:\WINDOWS\pss\Register Mask Pro 4.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kamsoft

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

--a------ 2005-05-19 10:47 57344 C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]

--a------ 2006-10-26 18:48 434528 C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\DWTRIG20.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

--a------ 2005-08-11 15:30 249856 c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2005-08-11 15:30 81920 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2007-02-07 15:21 54832 C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-03 23:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2008-02-26 17:03 5724184 C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-01-23 22:38 7700480 C:\WINDOWS\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-01-23 22:38 86016 C:\WINDOWS\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2007-02-07 15:24 71216 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]

--a------ 2004-06-10 12:48 286720 C:\WINDOWS\vsnpstd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

-ra------ 2005-05-03 07:43 69632 C:\WINDOWS\ALCMTR.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-01-23 22:38 1622016 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

-ra------ 2006-04-17 04:34 16143872 C:\WINDOWS\RTHDCPL.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"odserv"=3 (0x3)

"ose"=3 (0x3)

"RichVideo"=2 (0x2)

"usnjsvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"NVSvc"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"Autodesk Licensing Service"=3 (0x3)

"PSI_SVC_2"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Arquivos de programas\\NetMeeting\\conf.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Documents and Settings\\Cassiano Designer\\Dados de aplicativos\\Thinstall\\{BF06C1DB-62A4-4504-B2E9-3AFC754752F5}\\40000096200002i\\phpDesigner2008.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

 

R0 mv614x;mv614x;C:\WINDOWS\system32\DRIVERS\mv614x.sys [2006-05-18 10:34]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Arquivos de programas\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51]

S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_2k.sys [2006-05-12 04:15]

S4 PSI_SVC_2;Protexis Licensing V2;c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe [2007-07-24 11:15]

 

*Newly Created Service* - CATCHME

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe

Notify-awtSmJAS - awtSmJAS.dll

Notify-wingdm32 - (no file)

MSConfigStartUp-BMe77f48e5 - C:\WINDOWS\system32\lbwbghvu.dll

MSConfigStartUp-e44c7b79 - C:\WINDOWS\system32\degphvcn.dll

MSConfigStartUp-Media Codec Update Service - C:\Arquivos de programas\Essentials Codec Pack\update.exe

MSConfigStartUp-UIUCU - C:\DOCUME~1\CASSIA~1\CONFIG~1\Temp\UIUCU.EXE

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-14 23:26:45

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySQL]

"ImagePath"="C:\mysql\bin\mysqld-nt MySQL"

 

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Arquivos de programas\CyberLink\PowerDVD\000.fcl"

.

Tempo para conclusão: 2008-07-14 23:29:19

ComboFix-quarantined-files.txt 2008-07-15 02:28:17

ComboFix2.txt 2008-05-07 01:19:23

 

Pre-Run: 22,372,831,232 bytes disponíveis

Post-Run: 22,592,229,376 bytes disponíveis

 

272 --- E O F --- 2008-02-22 12:59:41

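What the helper is doing with the two HijackThis logs is a triage of the first one and a diff against the second. The script below is an added example for this thread, not part of the original posts and not code from Trend Micro or HijackThis. Its two log excerpts are copied from the logs posted above and trimmed to the O4/O20/O23 lines, so `BEFORE_LOG` is the first log and `AFTER_LOG` the one taken after ComboFix; the triage rules (a Winlogon Notify handler whose DLL is missing or whose path is not a DLL, and a Run value whose label has nothing to do with the executable it launches, like `kamsoft` launching `ckvo.exe`) are simple heuristics for a first look, not a verdict.

```python
"""Triage and diff HijackThis logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# A HijackThis entry looks like "O4 - <body>"; R/F/N/O codes carry one or two digits.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 body: "<hive>[\<sid>]\..\Run: [<label>] <command>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)(?:\\[^\\]+)?\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")
# First "<name>.exe" token of a command line; quotes and path separators excluded.
EXE_RE = re.compile(r'([^\\"]+)\.exe', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_log(text: str) -> list:
    """Keep only the numbered entries; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: list) -> list:
    """Return (entry, reason) pairs for entries that deserve an analyst's attention."""
    findings = []
    for e in entries:
        if e.code == "O20":
            # Winlogon Notify handlers load into winlogon.exe; a missing DLL or a bare
            # directory as the target is typical residue of something that hid itself.
            if "(file missing)" in e.body or not e.body.lower().endswith(".dll"):
                findings.append((e, "Winlogon Notify entry with missing or non-DLL target"))
        elif e.code == "O4":
            m = RUN_RE.match(e.body)
            exe = EXE_RE.search(m.group("cmd")) if m else None
            if not m or not exe:
                continue
            label = m.group("label").lower().removesuffix(".exe")
            if label != exe.group(1).lower():
                findings.append((e, f"Run value '{m.group('label')}' launches "
                                    f"{exe.group(1)}.exe, a name unrelated to its label"))
    return findings


def diff_logs(before: list, after: list):
    """Entries present only in 'before' (removed) and only in 'after' (added), in log order."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


# Excerpt of the first HijackThis log posted in this thread (O4/O20/O23 lines only).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27, on 14/07/2008
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - Winlogon Notify: awtSmJAS - awtSmJAS.dll (file missing)
O20 - Winlogon Notify: wingdm32 - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
"""

# Excerpt of the log posted after ComboFix ran (same trimming).
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:30:37, on 14/7/2008
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    print("Suspicious entries in the first log:")
    for e, why in triage(before):
        print(f"  {e.code} - {e.body}\n      {why}")
    removed, added = diff_logs(before, after)
    print("\nEntries gone after ComboFix:")
    for e in removed:
        print(f"  {e.code} - {e.body}")
    print(f"\nEntries new after ComboFix: {len(added)}")
```

The diff reports four entries gone: the three the triage flagged and also the Kaspersky `[AVP]` Run value, which the second log no longer lists. The antivirus service (O23) is still there, but a diff that silently swallowed that line would hide exactly the kind of change a helper wants to ask about, which is why the script lists removals rather than only confirming the flagged ones vanished.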

Hello cassiano óliver

 

• Before anything else, install the RC!

---------------------------------------

• Go to the Microsoft site: < Link >

 

• Select the download that is appropriate for your operating system!

 

crecuperacaorz4.jpg

 

• Download the file and save it to your desktop.

• Close all programs that are open!

• Also close your protection programs! (Antivirus, Antispyware and Firewall)

• Drag the setup downloaded from the Microsoft site onto ComboFix.exe

• See the demonstration below!

 

rc1.gif

 

• Follow the on-screen messages to start ComboFix.

Accept the Microsoft license agreement to install the "Microsoft Recovery Console".

• At the next message, click "Yes" to run a scan with ComboFix.

 

RC_whatnext.gif

 

• When it finishes, post the reports:

 

• C:\ComboFix.txt plus the updated HijackThis log.

 

Regards

Ah. Looking at msconfig after restarting the PC, 3 processes now appear....

 

ntuser.dat, ntuser.dat.log and ntuser.ini

 

What should I do with them?

 

Do not disable those programs, or you will have problems loading Windows.

 

Please follow the instructions in Post #8.

 

Regards

• Before anything else, install the RC!

What is the RC?

 

Another question...

• Before anything else, install the RC!

Should I install it before dragging it onto ComboFix?


Updated HijackThis log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:43:25, on 15/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Apache Group\Apache\Apache.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Apache Group\Apache\Apache.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Arquivos de programas\Pilot Group LLC\Save Flash 2.4.20\SaveFlash.dll

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBE3B9E-AB3F-4DB1-B64C-FA0CFC742A5D}: NameServer = 200.222.0.34 200.202.193.75

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apache - Unknown owner - C:\Arquivos de programas\Apache Group\Apache\Apache.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

 

--

End of file - 4350 bytes

Updated ComboFix log

 

ComboFix 08-07-14.2 - Cassiano Designer 2008-07-15 13:29:01.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1645 [GMT -3:00]

Executando de: C:\Documents and Settings\Cassiano Designer\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Cassiano Designer\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

D:\Autorun.inf

.

---- Previous Run -------

.

C:\autorun.inf

C:\WINDOWS\system32\ckvo.exe

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-15 to 2008-07-15 ))))))))))))))))))))))))))))))))

.

 

2008-07-15 11:25 . 2008-07-15 11:24 116,862 -r-hs---- C:\k.com

2008-07-15 11:05 . 2008-07-15 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Lavasoft

2008-07-15 11:05 . 2008-07-15 11:05 <DIR> d-------- C:\Arquivos de programas\Lavasoft

2008-07-15 11:04 . 2008-07-15 11:04 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard

2008-07-14 23:55 . 2008-07-15 00:05 <DIR> d-------- C:\My Documents

2008-07-14 22:22 . 2008-07-14 22:22 <DIR> d-------- C:\HijackThis

2008-07-14 22:19 . 2008-07-14 22:20 118,512 -r-hs---- C:\fi.cmd

2008-07-13 18:10 . 2008-07-15 11:24 77,312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll

2008-07-10 11:01 . 2008-07-10 11:01 268 --ah----- C:\sqmdata03.sqm

2008-07-10 11:01 . 2008-07-10 11:01 244 --ah----- C:\sqmnoopt03.sqm

2008-07-07 10:26 . 2008-07-07 10:26 <DIR> d-------- C:\Documents and Settings\Cassiano Designer\Dados de aplicativos\Media Player Classic

2008-07-07 10:21 . 2008-07-07 10:27 <DIR> d-------- C:\Arquivos de programas\Essentials Codec Pack

2008-07-07 10:17 . 2008-07-07 10:17 <DIR> d-------- C:\Arquivos de programas\XP Codec Pack

2008-07-04 15:12 . 2008-07-04 15:13 144 --a------ C:\WINDOWS\system32\test.aok

2008-07-04 15:12 . 2008-07-04 15:14 143 --a------ C:\WINDOWS\system32\temp_0000_65-20.aok

2008-07-04 00:18 . 2008-07-04 00:18 <DIR> d-------- C:\Arquivos de programas\Allok Video to FLV Converter

2008-07-04 00:18 . 2002-10-05 07:04 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll

2008-07-04 00:18 . 2006-10-24 14:16 242,176 --a------ C:\WINDOWS\system32\fixflash.exe

2008-07-04 00:18 . 2002-10-07 02:42 237,568 --a------ C:\WINDOWS\system32\OggDS.dll

2008-07-04 00:18 . 2002-10-05 07:04 188,416 --a------ C:\WINDOWS\system32\vorbis.dll

2008-07-04 00:18 . 2007-04-12 14:19 129,024 --a------ C:\WINDOWS\system32\AVERM.dll

2008-07-04 00:18 . 2002-10-05 07:04 45,056 --a------ C:\WINDOWS\system32\ogg.dll

2008-07-04 00:18 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll

2008-07-03 20:47 . 2008-07-03 20:47 <DIR> d-------- C:\Arquivos de programas\Daniusoft

2008-06-26 19:11 . 2008-06-26 19:11 <DIR> d-------- C:\Arquivos de programas\Absolute Video Converter

2008-06-26 18:36 . 2008-06-26 18:36 <DIR> d-------- C:\Arquivos de programas\DVD Audio Extractor

2008-06-26 11:53 . 2008-06-26 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink

2008-06-26 11:53 . 2008-06-26 11:53 <DIR> d-------- C:\Arquivos de programas\DVD Shrink

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-15 16:31 41,547,552 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-07-15 16:30 3,210,784 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2008-07-15 16:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab

2008-07-15 16:23 562,304 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-07-15 16:23 305,948 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2008-07-07 13:22 --------- d-----w C:\Arquivos de programas\Apollo 3GP Video Converter

2008-07-07 13:17 --------- d-----w C:\Arquivos de programas\XviD

2008-07-05 01:42 2,516 --sha-w C:\Documents and Settings\All Users\Dados de aplicativos\KGyGaAvL.sys

2008-07-03 23:37 --------- d-----w C:\Arquivos de programas\eMule

2008-07-03 22:25 --------- d-----w C:\Arquivos de programas\Plato FLV Tool Package

2008-07-01 15:20 1,341,338 ----a-w C:\Arquivos de programas\discografia

2008-06-07 01:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\ALM

2008-06-06 02:14 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2008-05-23 17:08 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\FLEXnet

2008-05-15 14:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Corel

2008-05-15 14:14 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Protexis

2008-05-15 14:11 --------- d-----w C:\Arquivos de programas\Corel

2008-03-21 00:54 8 --sh--r C:\Documents and Settings\All Users\Dados de aplicativos\AD37252DE5.sys

2008-01-07 01:34 56 --sh--r C:\WINDOWS\system32\E52D2537AD.sys

.

 

((((((((((((((((((((((((((((( snapshot_2008-07-14_23.28.01.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-07-15 14:06:13 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe

+ 2008-07-15 14:06:13 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe

+ 2008-07-15 14:06:13 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe

+ 2008-07-15 14:06:13 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe

+ 2007-07-11 17:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys

+ 2007-08-07 16:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys

+ 2007-08-07 16:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

- 2008-05-15 19:25:55 1,985,800 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2008-07-15 14:03:25 1,985,832 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2007-12-14 15:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [bU]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Register Mask Pro 3.0.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Register Mask Pro 3.0.lnk

backup=C:\WINDOWS\pss\Register Mask Pro 3.0.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Register Mask Pro 4.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Register Mask Pro 4.lnk

backup=C:\WINDOWS\pss\Register Mask Pro 4.lnkCommon Startup

 

[HKLM\~\startupfolder\^ntuser.dat]

path=\ntuser.dat

backup=C:\WINDOWS\pss\ntuser.datCommon Startup

 

[HKLM\~\startupfolder\^ntuser.dat.LOG]

path=\ntuser.dat.LOG

backup=C:\WINDOWS\pss\ntuser.dat.LOGCommon Startup

 

[HKLM\~\startupfolder\^ntuser.ini]

path=\ntuser.ini

backup=C:\WINDOWS\pss\ntuser.iniCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kamsoft

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

--a------ 2005-05-19 10:47 57344 C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]

--a------ 2006-10-26 18:48 434528 C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\DWTRIG20.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

--a------ 2005-08-11 15:30 249856 c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2005-08-11 15:30 81920 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2007-02-07 15:21 54832 C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-03 23:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2008-02-26 17:03 5724184 C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-01-23 22:38 7700480 C:\WINDOWS\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-01-23 22:38 86016 C:\WINDOWS\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2007-02-07 15:24 71216 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]

--a------ 2004-06-10 12:48 286720 C:\WINDOWS\vsnpstd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

-ra------ 2005-05-03 07:43 69632 C:\WINDOWS\ALCMTR.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-01-23 22:38 1622016 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

-ra------ 2006-04-17 04:34 16143872 C:\WINDOWS\RTHDCPL.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"odserv"=3 (0x3)

"ose"=3 (0x3)

"RichVideo"=2 (0x2)

"usnjsvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"NVSvc"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"Autodesk Licensing Service"=3 (0x3)

"PSI_SVC_2"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Arquivos de programas\\NetMeeting\\conf.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Documents and Settings\\Cassiano Designer\\Dados de aplicativos\\Thinstall\\{BF06C1DB-62A4-4504-B2E9-3AFC754752F5}\\40000096200002i\\phpDesigner2008.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

 

R0 mv614x;mv614x;C:\WINDOWS\system32\DRIVERS\mv614x.sys [2006-05-18 10:34]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Arquivos de programas\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51]

S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_2k.sys [2006-05-12 04:15]

S4 PSI_SVC_2;Protexis Licensing V2;c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe [2007-07-24 11:15]

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-15 13:31:00

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySQL]

"ImagePath"="C:\mysql\bin\mysqld-nt MySQL"

 

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Arquivos de programas\CyberLink\PowerDVD\000.fcl"

.

Tempo para conclusão: 2008-07-15 13:37:58

ComboFix-quarantined-files.txt 2008-07-15 16:36:55

ComboFix2.txt 2008-07-15 02:29:20

ComboFix3.txt 2008-05-07 01:19:23

 

Pre-Run: 22,943,895,552 bytes disponíveis

Post-Run: 22,913,785,856 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

202 --- E O F --- 2008-02-22 12:59:41


Connect your pendrive

 

I suggest you print or save the procedure below, and do not use the internet until the procedure is finished.

 

Select and copy the text inside the QUOTE (gray box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

 

File::

C:\WINDOWS\system32\ckvo1.dll

C:\k.com

C:\fi.cmd

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"kamsoft"="

 

This script was written only for this computer, based on the files and keys present; do not use it on another computer, as it may cause damage.

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

 

645i642ef2.gif

 

ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Post it together with the new HijackThis log.

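As an added example (my own code, not from this thread and not part of HijackThis or ComboFix), here is a small Python triage script that parses the O4 autostart lines of a HijackThis log, flags entries that deserve a closer look using two heuristics of my own (a Run value name that does not match the executable it launches, as with the "kamsoft" value launching ckvo.exe, and an executable living under a temp directory), and diffs a before/after log to confirm which Run entries a cleanup actually removed. The sample log lines are constructed from the entries quoted in this thread.

```python
"""Triage HijackThis O4 (Run key) lines and confirm a cleanup by diffing two logs."""
import re
from dataclasses import dataclass, field

# O4 - <hive>\..\Run: [<value name>] <command> [(User '<profile>')]
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_RE = re.compile(r"^(.*?\.(?:exe|dll|com|cmd|bat|scr|pif))", re.IGNORECASE)
TEMP_RE = re.compile(r"\\(temp|tmp|config~1)\\", re.IGNORECASE)


@dataclass
class Autostart:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _executable(cmd: str) -> str:
    """Pull the program path out of a Run command, dropping arguments and the
    (User '...') suffix HijackThis appends for other profiles."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    return m.group(1) if m else cmd


def _stem(filename: str) -> str:
    """Lower-case file name without directory or extension."""
    base = filename.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def parse_o4(lines):
    """Return one Autostart per O4 line; any other HijackThis line is ignored."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = Autostart(m["hive"], m["name"], _executable(m["cmd"]))
        # Heuristic 1 (mine): a value name unrelated to the executable name is
        # the pattern in this thread ("kamsoft" -> ckvo.exe). Legitimate
        # software does this too, so it is a hint for triage, not a verdict.
        if _stem(entry.name) != _stem(entry.path):
            entry.reasons.append("value name does not match executable name")
        # Heuristic 2 (mine): persistence from a temp directory is rarely legitimate.
        if TEMP_RE.search(entry.path):
            entry.reasons.append("executable lives in a temp directory")
        entries.append(entry)
    return entries


def flagged(lines):
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse_o4(lines) if e.suspicious]


def removed_between(before, after):
    """Names of Run entries present in the first log but gone from the second;
    this is how you confirm a cleanup script actually took effect."""
    keys_after = {(e.hive, e.name.lower()) for e in parse_o4(after)}
    return sorted((e.name for e in parse_o4(before)
                   if (e.hive, e.name.lower()) not in keys_after), key=str.lower)


# Constructed sample: O4 lines from the log posted before the CFScript ran,
# plus one temp-directory entry modelled on the "MSConfigStartUp-UIUCU"
# orphan ComboFix reported earlier in the thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UIUCU] C:\DOCUME~1\CASSIA~1\CONFIG~1\Temp\UIUCU.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
""".strip().splitlines()

# Constructed sample: O4 lines from the log posted after the cleanup.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
""".strip().splitlines()


if __name__ == "__main__":
    for e in flagged(LOG_BEFORE):
        print(f"{e.hive}\\Run [{e.name}] -> {e.path}: {'; '.join(e.reasons)}")
    print("removed after cleanup:", removed_between(LOG_BEFORE, LOG_AFTER))
```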

hijackthis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:50:56, on 15/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Apache Group\Apache\Apache.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Apache Group\Apache\Apache.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Arquivos de programas\Pilot Group LLC\Save Flash 2.4.20\SaveFlash.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apache - Unknown owner - C:\Arquivos de programas\Apache Group\Apache\Apache.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

 

--

End of file - 3948 bytes

 

combofix

ComboFix 08-07-14.2 - Cassiano Designer 2008-07-15 18:39:19.6 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1628 [GMT -3:00]

Executando de: C:\Documents and Settings\Cassiano Designer\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Cassiano Designer\Desktop\CFScript.txt

* Criado um novo ponto de restauro

 

FILE ::

C:\fi.cmd

C:\k.com

C:\WINDOWS\system32\ckvo1.dll

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\fi.cmd

C:\k.com

C:\WINDOWS\system32\ckvo1.dll

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-15 to 2008-07-15 ))))))))))))))))))))))))))))))))

.

 

2008-07-15 11:05 . 2008-07-15 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Lavasoft

2008-07-15 11:05 . 2008-07-15 11:05 <DIR> d-------- C:\Arquivos de programas\Lavasoft

2008-07-15 11:04 . 2008-07-15 11:04 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard

2008-07-14 23:55 . 2008-07-15 00:05 <DIR> d-------- C:\My Documents

2008-07-14 22:22 . 2008-07-14 22:22 <DIR> d-------- C:\HijackThis

2008-07-10 11:01 . 2008-07-10 11:01 268 --ah----- C:\sqmdata03.sqm

2008-07-10 11:01 . 2008-07-10 11:01 244 --ah----- C:\sqmnoopt03.sqm

2008-07-07 10:26 . 2008-07-07 10:26 <DIR> d-------- C:\Documents and Settings\Cassiano Designer\Dados de aplicativos\Media Player Classic

2008-07-07 10:21 . 2008-07-07 10:27 <DIR> d-------- C:\Arquivos de programas\Essentials Codec Pack

2008-07-07 10:17 . 2008-07-07 10:17 <DIR> d-------- C:\Arquivos de programas\XP Codec Pack

2008-07-04 15:12 . 2008-07-04 15:13 144 --a------ C:\WINDOWS\system32\test.aok

2008-07-04 15:12 . 2008-07-04 15:14 143 --a------ C:\WINDOWS\system32\temp_0000_65-20.aok

2008-07-04 00:18 . 2008-07-04 00:18 <DIR> d-------- C:\Arquivos de programas\Allok Video to FLV Converter

2008-07-04 00:18 . 2002-10-05 07:04 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll

2008-07-04 00:18 . 2006-10-24 14:16 242,176 --a------ C:\WINDOWS\system32\fixflash.exe

2008-07-04 00:18 . 2002-10-07 02:42 237,568 --a------ C:\WINDOWS\system32\OggDS.dll

2008-07-04 00:18 . 2002-10-05 07:04 188,416 --a------ C:\WINDOWS\system32\vorbis.dll

2008-07-04 00:18 . 2007-04-12 14:19 129,024 --a------ C:\WINDOWS\system32\AVERM.dll

2008-07-04 00:18 . 2002-10-05 07:04 45,056 --a------ C:\WINDOWS\system32\ogg.dll

2008-07-04 00:18 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll

2008-07-03 20:47 . 2008-07-03 20:47 <DIR> d-------- C:\Arquivos de programas\Daniusoft

2008-06-26 19:11 . 2008-06-26 19:11 <DIR> d-------- C:\Arquivos de programas\Absolute Video Converter

2008-06-26 18:36 . 2008-06-26 18:36 <DIR> d-------- C:\Arquivos de programas\DVD Audio Extractor

2008-06-26 11:53 . 2008-06-26 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink

2008-06-26 11:53 . 2008-06-26 11:53 <DIR> d-------- C:\Arquivos de programas\DVD Shrink

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-15 21:41 41,586,976 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-07-15 21:41 3,214,368 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2008-07-15 21:27 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab

2008-07-15 16:46 562,880 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-07-15 16:46 306,332 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2008-07-07 13:22 --------- d-----w C:\Arquivos de programas\Apollo 3GP Video Converter

2008-07-07 13:17 --------- d-----w C:\Arquivos de programas\XviD

2008-07-05 01:42 2,516 --sha-w C:\Documents and Settings\All Users\Dados de aplicativos\KGyGaAvL.sys

2008-07-03 23:37 --------- d-----w C:\Arquivos de programas\eMule

2008-07-03 22:25 --------- d-----w C:\Arquivos de programas\Plato FLV Tool Package

2008-07-01 15:20 1,341,338 ----a-w C:\Arquivos de programas\discografia

2008-06-07 01:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\ALM

2008-06-06 02:14 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2008-05-23 17:08 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\FLEXnet

2008-05-15 14:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Corel

2008-05-15 14:14 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Protexis

2008-05-15 14:11 --------- d-----w C:\Arquivos de programas\Corel

2008-03-21 00:54 8 --sh--r C:\Documents and Settings\All Users\Dados de aplicativos\AD37252DE5.sys

2008-01-07 01:34 56 --sh--r C:\WINDOWS\system32\E52D2537AD.sys

.

 

((((((((((((((((((((((((((((( snapshot_2008-07-14_23.28.01.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-07-15 14:06:13 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe

+ 2008-07-15 14:06:13 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe

+ 2008-07-15 14:06:13 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe

+ 2008-07-15 14:06:13 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe

+ 2007-07-11 17:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys

+ 2007-08-07 16:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys

+ 2007-08-07 16:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

- 2008-05-15 19:25:55 1,985,800 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2008-07-15 14:03:25 1,985,832 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

+ 2007-12-14 15:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [bU]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-03 23:45 159744]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Register Mask Pro 3.0.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Register Mask Pro 3.0.lnk

backup=C:\WINDOWS\pss\Register Mask Pro 3.0.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Register Mask Pro 4.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Register Mask Pro 4.lnk

backup=C:\WINDOWS\pss\Register Mask Pro 4.lnkCommon Startup

 

[HKLM\~\startupfolder\^ntuser.dat]

path=\ntuser.dat

backup=C:\WINDOWS\pss\ntuser.datCommon Startup

 

[HKLM\~\startupfolder\^ntuser.dat.LOG]

path=\ntuser.dat.LOG

backup=C:\WINDOWS\pss\ntuser.dat.LOGCommon Startup

 

[HKLM\~\startupfolder\^ntuser.ini]

path=\ntuser.ini

backup=C:\WINDOWS\pss\ntuser.iniCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

--a------ 2005-05-19 10:47 57344 C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]

--a------ 2006-10-26 18:48 434528 C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\DWTRIG20.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

--a------ 2005-08-11 15:30 249856 c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2005-08-11 15:30 81920 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2007-02-07 15:21 54832 C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-03 23:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2008-02-26 17:03 5724184 C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-01-23 22:38 7700480 C:\WINDOWS\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-01-23 22:38 86016 C:\WINDOWS\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2007-02-07 15:24 71216 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]

--a------ 2004-06-10 12:48 286720 C:\WINDOWS\vsnpstd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

-ra------ 2005-05-03 07:43 69632 C:\WINDOWS\ALCMTR.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-01-23 22:38 1622016 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

-ra------ 2006-04-17 04:34 16143872 C:\WINDOWS\RTHDCPL.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"odserv"=3 (0x3)

"ose"=3 (0x3)

"RichVideo"=2 (0x2)

"usnjsvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"NVSvc"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"Autodesk Licensing Service"=3 (0x3)

"PSI_SVC_2"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Arquivos de programas\\NetMeeting\\conf.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Documents and Settings\\Cassiano Designer\\Dados de aplicativos\\Thinstall\\{BF06C1DB-62A4-4504-B2E9-3AFC754752F5}\\40000096200002i\\phpDesigner2008.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

 

R0 mv614x;mv614x;C:\WINDOWS\system32\DRIVERS\mv614x.sys [2006-05-18 10:34]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Arquivos de programas\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51]

S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_2k.sys [2006-05-12 04:15]

S4 PSI_SVC_2;Protexis Licensing V2;c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe [2007-07-24 11:15]

 

*Newly Created Service* - MV614X

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-15 18:41:27

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySQL]

"ImagePath"="C:\mysql\bin\mysqld-nt MySQL"

 

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Arquivos de programas\CyberLink\PowerDVD\000.fcl"

.

Tempo para conclusão: 2008-07-15 18:49:40

ComboFix-quarantined-files.txt 2008-07-15 21:48:50

ComboFix2.txt 2008-07-15 16:37:59

ComboFix3.txt 2008-07-15 02:29:20

ComboFix4.txt 2008-05-07 01:19:23

 

Pre-Run: 22,964,322,304 bytes disponíveis

Post-Run: 22,951,014,400 bytes disponíveis

 

197 --- E O F --- 2008-02-22 12:59:41

 

* After these procedures, several new hidden items appeared in c:\...

SEE


Oops, sorry for the delay ;)

 

Delete all the sqm files that are in C:

 

Download PenClean from one of the links below:

 

http://www.dicasweb.com.br/forum/index.php...mp;showfile=147

 

http://rmejias.100webspace.net/PenClean/PenClean.rar

 

Open PenClean

 

Check the option Verificar unidade (Check drive) and then put the drive that has problems in the selection box. Click the Verificar (Check) button. You will be asked to restart; click Não (No).


Topic Archived

 

Since the author did not reply for more than 30 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of the area together with the link to this topic and explain the reason for reopening.
