[Resolvido!] Micro lento demais.

[Lia Sergia 0]

Olha eu de novo pentelhando vocês.

 

Depois de resolvido o vírus anterior e de de aumentar a memória, o micro estava bem. Mas há duas semanas voltou a apresentar lentidão excessiva. Nem o AVG, nem o Spyboot acharam problemas. Mas continuo pensando na possibilidade de ter algum vírus.

Logo abaixo está meu log do HiJackThis.

 

Obrigada!

Lia.

 

Logfile of HijackThis v1.99.1

Scan saved at 13:38, on 2008-07-24

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Mixer.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jucheck.exe

C:\Meus documentos\Lia\Programas\linha defensiva\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [K-Lite Nitro BETA] C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203358348309

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://topguard066.dipmap.com/ssi.cgi/cab/...hecker_8198.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O17 - HKLM\System\CS1\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe :!:

[Silas Martins 0]

Baixe o ComboFix e salve na área de trabalho.

 

Feche todos os programas.

Clique duas vezes sobre combofix.exe e tecle (1) logo após aperte Enter para continuar.

O ComboFix irá reiniciar seu computador automaticamente, isto faz parte do processo de remoção.

 

Ao se encerrar, será gerado um log, que vai estar em C:\ComboFix.txt.

 

Atenção:

Não clique em nada enquanto o Combofix estiver rodando, Do contrário seu desktop ficará em branco.

 

Para parar o processo ou sair do ComboFix, tecle "2" e Enter.

 

Aguardo um novo log do HijackThis juntamente com o ComboFix.txt

[Lia Sergia 0]

Oi de novo, Silas. :)

 

Olha, pelo jeito o bichinho aqui está com problemas mesmo e nem sei se é vírus. O AVG deu a louca e eu vou desinstalar e instalar de novo para ver... Mas isso é assunto pra outro forum, não? hehe

 

Seguem os logs abaixo.

 

Lia

 

 

COMBOFIX

 

ComboFix 08-07-24.3 - User 2008-07-25 8:25:29.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.363 [GMT -3:00]

Executando de: C:\Documents and Settings\User\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

 

HIJACKTHIS

 

Logfile of HijackThis v1.99.1

Scan saved at 08:31, on 2008-07-25

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Mixer.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Meus documentos\Lia\Programas\linha defensiva\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [K-Lite Nitro BETA] C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203358348309

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://topguard066.dipmap.com/ssi.cgi/cab/...hecker_8198.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O17 - HKLM\System\CS1\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe

[hgb7 3]

Amigo, aqui neste fórum já tem várias dicas de remoção de virus ^^

 

espero ter ajudado...

[Lia Sergia 0]

Amigo, aqui neste fórum já tem várias dicas de remoção de virus ^^

 

espero ter ajudado...

 

 

Obrigada por sua atenção, mas eu recorro ao pessoal do fórum quando as tentativas comuns não funcionam. Neste caso, especificamente, meus programas não encontram nada, mas o computador continua estranho. Portanto, estou recorrendo a quem realmente entende, para descartar de vez esta possibilidade. OK? ;)

[Laurentino Mello 1]

Amigo, aqui neste fórum já tem várias dicas de remoção de virus ^^

 

espero ter ajudado...

 

 

O que acontece é que nem todo caso é o mesmo caso....

[Silas Martins 0]

Passe o combofix em modo de segurança e com o antivirus desabilitado

[Lia Sergia 0]

Nem me fale neste 'mardito' anti-virus... Deu problema e está sendo o meu calo:

 

http://forum.imasters.com.br/index.php...p;#entry1091573

 

 

Será que um problema está relacionado ao outro?? :blink:

 

Bem, já vou fazer isso e postar o log aqui.

[Lia Sergia 0]

Novo log do Combofix:

 

ComboFix 08-07-24.6 - User 2008-07-25 9:44:03.1 - FAT32x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.499 [GMT -3:00]

Executando de: C:\Documents and Settings\User\Desktop\ComboFix.exe

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\autorun.inf

C:\WINDOWS\Help\svhost.txt

C:\WINDOWS\sysedir.dat

E:\Autorun.inf

F:\Autorun.inf

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-25 to 2008-07-25 ))))))))))))))))))))))))))))))))

.

 

2008-07-24 17:21 . 2007-05-02 04:01 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl

2008-07-23 22:21 . 2008-07-23 22:21 <DIR> d--hs---- C:\FOUND.000

2008-07-14 18:21 . 2008-07-14 18:21 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\skypePM

2008-07-14 18:21 . 2008-07-14 18:21 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\Skype

2008-07-14 18:21 . 2008-07-14 18:22 48 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Skype

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Arquivos de programas\Skype

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Skype

2008-06-30 13:44 . 2008-06-30 13:44 <DIR> d-------- C:\!KillBox

2008-06-27 21:14 . 2008-06-27 21:14 0 --a------ C:\WINDOWS\nsreg.dat

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 13:51 1,901 ----a-w C:\WINDOWS\panose.bin

2008-07-05 12:22 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-05 12:22 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys

2008-07-05 12:22 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll

2008-06-23 15:23 --------- d-----w C:\Arquivos de programas\Lavalys

2008-06-20 23:38 --------- d-----w C:\Arquivos de programas\Haali

2008-06-20 23:38 --------- d-----w C:\Arquivos de programas\CoreCodec

2008-06-20 23:37 21,764 ----a-w C:\WINDOWS\system32\CoreAAC-uninstall.exe

2008-05-25 17:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\avg8

2008-05-25 17:51 --------- d-----w C:\Arquivos de programas\AVG

2008-02-18 09:18 375,296 ----a-w C:\Arquivos de programas\mdn.exe

2004-07-28 19:57 271 --sh--w C:\Arquivos de programas\desktop.ini

2004-07-28 19:57 22,040 ---h--w C:\Arquivos de programas\folder.htt

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-11-07 15:34 3739672]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-01 19:54 3735552]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"AVG8_TRAY"="C:\ARQUIV~1\AVG\AVG8\avgtray.exe" [2008-07-05 09:22 1232152]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]

"C-Media Mixer"="Mixer.exe" [2001-06-11 06:05 1110016 C:\WINDOWS\mixer.exe]

"CountrySelection"="pctptt.exe" [2000-01-05 04:41 68096 C:\WINDOWS\system32\pctptt.exe]

 

C:\Documents and Settings\User\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-15 20:51:46 113664]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\ARQUIV~1\GbPlugin\gbieh.dll" [2008-04-15 09:37 378696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"C:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"=

"C:\\Arquivos de programas\\AVG\\AVG8\\avgemc.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

 

S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-05 09:22]

S2 avg8emc;AVG8 E-mail Scanner;C:\ARQUIV~1\AVG\AVG8\avgemc.exe [2008-07-05 09:22]

S2 avg8wd;AVG8 WatchDog;C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 09:22]

S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 09:22]

S2 Pctspk;W2K PCtel speaker phone;C:\WINDOWS\System32\pctspk.exe [2000-01-19 06:30]

S3 XDva033;XDva033;C:\WINDOWS\system32\XDva033.sys []

S3 XDva074;XDva074;C:\WINDOWS\system32\XDva074.sys []

S3 XDva168;XDva168;C:\WINDOWS\system32\XDva168.sys []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

\Shell\AutoRun\command - nlblkhq.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - nlblkhq.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - nlblkhq.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63be0f00-a1d0-11dc-9147-0050fcb6eb92}]

\Shell\AutoRun\command - G:\e9ehn1m8.com

\Shell\explore\Command - G:\e9ehn1m8.com

\Shell\open\Command - G:\e9ehn1m8.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8d5120-4dde-11dd-9ca8-0050fcb6eb92}]

\Shell\AutoRun\command - G:\avc14.exe

 

*Newly Created Service* - CATCHME

.

- - - - ORFAOS REMOVIDOS - - - -

 

HKCU-Run-K-Lite Nitro BETA - C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe

 

 

.

------- Ccan Suplementar -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.uol.com.br/

O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O17 -: HKLM\CCS\Interface\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

 

O16 -: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://topguard066.dipmap.com/ssi.cgi/cab/OCXChecker_8198.cab

C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker.inf

C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker_8198.ocx

 

O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab

C:\WINDOWS\Downloaded Program Files\gbpdist.inf

C:\WINDOWS\Downloaded Program Files\gbpdist.dll

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-25 09:46:58

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execuçao ---------------------

 

PROCESSOS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\tsd32.dll

.

Tempo para conclusão: 2008-07-25 9:48:14

ComboFix-quarantined-files.txt 2008-07-25 12:48:12

 

Pre-Run: 4,488,986,624 bytes disponíveis

Post-Run: 5,317,787,648 bytes disponíveis

 

135

[Lia Sergia 0]

Novo log do hijackthis (após passar o Combofix em modo de segurança):

 

Logfile of HijackThis v1.99.1

Scan saved at 09:55, on 2008-07-25

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Mixer.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Meus documentos\Lia\Programas\linha defensiva\HijackThis.exe

C:\Meus documentos\Lia\Programas\linha defensiva\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [K-Lite Nitro BETA] C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203358348309

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://topguard066.dipmap.com/ssi.cgi/cab/...hecker_8198.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O17 - HKLM\System\CS1\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe

O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)

[Silas Martins 0]

Log Limpo

Faça o download do CCleaner

E faça a limpeza de registro exclua os arquivos temporários, desnecessários e entradas inválidas

[Lia Sergia 0]

Eu limpo com o CCleaner todo dia.

 

O que tá me consumindo agora é aquele lance do outro tópico que te mostrei. Ai, ai, ai...

 

Vou lá ver se alguma alma tem uma idéia genial pra me ajudar. (risos)

 

 

Muito obrigada, mais uma vez!!!

;)

[Silas Martins 0]

Caso Resolvido

[PedroN 1]

Opa Lia Sergia seu log contém infencções, por unidades removívies, (MP3, MP4 OU PENDRIVE)

 

Segure a tecla shift, e em seguida, insira sua(s) unidade(s) removíveis, na entrada USB.

Não pode ocorrer autoinicialização, durante este procedimento, para evitar a reinfecção do PC.

Caso você use um pendrive recomendo que você o formate

 

Vamos lá para novas intrunções.

 

Sugiro que imprima ou salve os procedimentos abaixo, e não use a internet até terminado o procedimento.

 

Selecione e copie o texto dentro do QUOTE (caixa cinza) abaixo. Abra o Bloco de notas e cole o que copiou. Salve então, na área de trabalho, com o nome de CFScript.txt.

 

File::

G:\e9ehn1m8.com

G:\avc14.exe

Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63be0f00-a1d0-11dc-9147-0050fcb6eb92}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8d5120-4dde-11dd-9ca8-0050fcb6eb92}]

 

Esse script foi elaborado somente para este computador, de acordo com os arquivos e chaves presentes não use-o em outro computador, pos pode trazer danos.

 

Arraste agora o CFScript.txt para o ComboFix conforme a demonstração abaixo.

 

 

O ComboFix irá rodar e reiniciará o PC automaticamente para completar o processo de remoção.

 

IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando.

 

Quando acabar, será gerado um log, que estará em C:\ComboFix.txt.

 

Poste-o junto com o novo log do hijackthis

[Lia Sergia 0]

Ai, ai...

 

Será isso que está me impedindo de reinstalar o AVG? Fica dando erro e diz que não é possível criar a chave de registro. :(

 

Ou tem haver com esta mensagem em vermelho que sempre está aparecendo em meus log do ComboFix (ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA)?

 

 

Log ComboFix:

 

ComboFix 08-07-24.6 - User 2008-07-27 9:32:27.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.419 [GMT -3:00]

Executando de: C:\Documents and Settings\User\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

 

FILE ::

G:\avc14.exe

G:\e9ehn1m8.com

.

 

 

 

Log Hijackthis:

 

Logfile of HijackThis v1.99.1

Scan saved at 09:39, on 2008-07-27

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Mixer.exe

C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Meus documentos\Lia\Programas\linha defensiva\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [K-Lite Nitro BETA] C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203358348309

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://topguard066.dipmap.com/ssi.cgi/cab/...hecker_8198.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O17 - HKLM\System\CS1\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARQUIV~1\AVG\AVG8\avgemc.exe (file missing)

O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe (file missing)

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe

[PedroN 1]

Opa Lia Sergia,

 

 

• Antes de qualquer medida, faça a instalação do RC!

---------------------------------------

• Vá ao site da Microsoft: < Link >

 

• Selecione o download, que seja adequado, ao seu Sistema Operacional!

 

 

• Faça o download, do arquivo, e salve-o no seu desktop.

• Feche todos os programas, que estejam abertos!

• Feche, também, seus programas de proteção! ( Antivírus,Antispywares e Firewall )

• Arraste o setup, baixado do site da Microsoft, para o interior do ComboFix.exe

• Veja, abaixo, a demonstração!

 

 

• Siga as mensagens que aparecem na tela,para iniciar o ComboFix.

• Aceite o contrato da Microsoft, para instalar o "Console de Recuperação da Microsoft".

• Na próxima mensagem, clique em "Yes", para realizar um scan com o ComboFix.

 

 

• Terminando, poste os relatórios:

 

• C:\ComboFix.txt mais o log do HijackThis, atualizado.

 

Faça o procedimento com o combofix em modo seguro

[Lia Sergia 0]

Opa!! Já vou fazer e posto aqui! Obrigada!

[Lia Sergia 0]

Log do ComboFix:

 

ComboFix 08-07-24.6 - User 2008-07-28 9:28:46.1 - FAT32x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.498 [GMT -3:00]

Executando de: C:\Documents and Settings\User\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

.

 

((((((((((((((((((((((( Ficheiros criados de 2008-06-28 to 2008-07-28 ))))))))))))))))))))))))))))))))

.

 

2008-07-27 01:27 . 2008-07-27 01:27 <DIR> d-------- C:\Arquivos de programas\VS Revo Group

2008-07-24 17:21 . 2007-05-02 04:01 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl

2008-07-23 22:21 . 2008-07-23 22:21 <DIR> d--hs---- C:\FOUND.000

2008-07-14 18:21 . 2008-07-14 18:21 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\skypePM

2008-07-14 18:21 . 2008-07-14 18:21 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\Skype

2008-07-14 18:21 . 2008-07-14 18:22 48 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Skype

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Arquivos de programas\Skype

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Skype

2008-06-30 13:44 . 2008-06-30 13:44 <DIR> d-------- C:\!KillBox

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 13:51 1,901 ----a-w C:\WINDOWS\panose.bin

2008-07-05 12:22 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-05 12:22 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys

2008-07-05 12:22 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll

2008-06-23 15:23 --------- d-----w C:\Arquivos de programas\Lavalys

2008-06-20 23:38 --------- d-----w C:\Arquivos de programas\Haali

2008-06-20 23:38 --------- d-----w C:\Arquivos de programas\CoreCodec

2008-06-20 23:37 21,764 ----a-w C:\WINDOWS\system32\CoreAAC-uninstall.exe

2008-02-18 09:18 375,296 ----a-w C:\Arquivos de programas\mdn.exe

2004-07-28 19:57 271 --sh--w C:\Arquivos de programas\desktop.ini

2004-07-28 19:57 22,040 ---h--w C:\Arquivos de programas\folder.htt

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-11-07 15:34 3739672]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"K-Lite Nitro BETA"="C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe" [bU]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-01 19:54 3735552]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]

"C-Media Mixer"="Mixer.exe" [2001-06-11 06:05 1110016 C:\WINDOWS\mixer.exe]

"CountrySelection"="pctptt.exe" [2000-01-05 04:41 68096 C:\WINDOWS\system32\pctptt.exe]

 

C:\Documents and Settings\User\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-15 20:51:46 113664]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\ARQUIV~1\GbPlugin\gbieh.dll" [2008-04-15 09:37 378696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

 

S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-05 09:22]

S2 avg8emc;AVG8 E-mail Scanner;C:\ARQUIV~1\AVG\AVG8\avgemc.exe []

S2 avg8wd;AVG8 WatchDog;C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe []

S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 09:22]

S2 Pctspk;W2K PCtel speaker phone;C:\WINDOWS\System32\pctspk.exe [2000-01-19 06:30]

S3 XDva033;XDva033;C:\WINDOWS\system32\XDva033.sys []

S3 XDva074;XDva074;C:\WINDOWS\system32\XDva074.sys []

S3 XDva168;XDva168;C:\WINDOWS\system32\XDva168.sys []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63be0f00-a1d0-11dc-9147-0050fcb6eb92}]

\Shell\AutoRun\command - G:\e9ehn1m8.com

\Shell\explore\Command - G:\e9ehn1m8.com

\Shell\open\Command - G:\e9ehn1m8.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8d5120-4dde-11dd-9ca8-0050fcb6eb92}]

\Shell\AutoRun\command - G:\avc14.exe

.

- - - - ORFAOS REMOVIDOS - - - -

 

HKLM-Run-AVG8_TRAY - C:\ARQUIV~1\AVG\AVG8\avgtray.exe

 

 

.

------- Ccan Suplementar -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.uol.com.br/

O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O17 -: HKLM\CCS\Interface\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

 

O16 -: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://topguard066.dipmap.com/ssi.cgi/cab/OCXChecker_8198.cab

C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker.inf

C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker_8198.ocx

 

O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab

C:\WINDOWS\Downloaded Program Files\gbpdist.inf

C:\WINDOWS\Downloaded Program Files\gbpdist.dll

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-28 09:31:06

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execuçao ---------------------

 

PROCESSOS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\tsd32.dll

.

Tempo para conclusão: 2008-07-28 9:32:25

ComboFix-quarantined-files.txt 2008-07-28 12:32:22

ComboFix2.txt 2008-07-25 12:48:18

 

Pre-Run: 5,331,812,352 bytes disponíveis

Post-Run: 5,348,720,640 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

125

 

 

 

Log do HijackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 09:37:06, on 28/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Mixer.exe

C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Meus documentos\Lia\Programas\linha defensiva\HijackThis.exe

C:\WINDOWS\System32\svchost.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [K-Lite Nitro BETA] C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203358348309

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://topguard066.dipmap.com/ssi.cgi/cab/...hecker_8198.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O17 - HKLM\System\CS1\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARQUIV~1\AVG\AVG8\avgemc.exe (file missing)

O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe (file missing)

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe

[PedroN 1]

Sugiro que imprima ou salve os procedimentos abaixo, e não use a internet até terminado o procedimento.

 

Selecione e copie o texto dentro do QUOTE (caixa cinza) abaixo. Abra o Bloco de notas e cole o que copiou. Salve então, na área de trabalho, com o nome de CFScript.txt.

 

File::

G:\e9ehn1m8.com

G:\avc14.exe

Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63be0f00-a1d0-11dc-9147-0050fcb6eb92}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8d5120-4dde-11dd-9ca8-0050fcb6eb92}]

 

Esse script foi elaborado somente para este computador, de acordo com os arquivos e chaves presentes não use-o em outro computador, pos pode trazer danos.

 

Arraste agora o CFScript.txt para o ComboFix conforme a demonstração abaixo.

 

 

O ComboFix irá rodar e reiniciará o PC automaticamente para completar o processo de remoção.

 

IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando.

 

Quando acabar, será gerado um log, que estará em C:\ComboFix.txt.

 

Poste-o junto com o novo log do hijackthis

 

Esses procedimentos devem ser feito em modo seguro

[Lia Sergia 0]

Ê, caramba... Ô micro que me dá trabalho. hahahaha

 

Mas aqui vai:

 

Log do ComboFix:

 

ComboFix 08-07-24.6 - User 2008-07-28 21:10:20.3 - FAT32x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.500 [GMT -3:00]

Executando de: C:\Documents and Settings\User\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

 

FILE ::

G:\avc14.exe

G:\e9ehn1m8.com

.

 

((((((((((((((((((((((( Ficheiros criados de 2008-06-28 to 2008-07-29 ))))))))))))))))))))))))))))))))

.

 

2008-07-28 09:47 . 2008-07-28 09:47 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\AVGTOOLBAR

2008-07-28 09:47 . 2008-07-28 09:47 <DIR> d-------- C:\Arquivos de programas\AVG

2008-07-27 01:27 . 2008-07-27 01:27 <DIR> d-------- C:\Arquivos de programas\VS Revo Group

2008-07-24 17:21 . 2007-05-02 04:01 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl

2008-07-23 22:21 . 2008-07-23 22:21 <DIR> d--hs---- C:\FOUND.000

2008-07-14 18:21 . 2008-07-14 18:21 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\skypePM

2008-07-14 18:21 . 2008-07-14 18:21 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\Skype

2008-07-14 18:21 . 2008-07-14 18:22 48 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\Skype

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Arquivos de programas\Skype

2008-07-14 18:20 . 2008-07-14 18:20 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Skype

2008-06-30 13:44 . 2008-06-30 13:44 <DIR> d-------- C:\!KillBox

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 13:51 1,901 ----a-w C:\WINDOWS\panose.bin

2008-07-05 12:22 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-05 12:22 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys

2008-07-05 12:22 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll

2008-06-20 23:38 --------- d-----w C:\Arquivos de programas\Haali

2008-06-20 23:38 --------- d-----w C:\Arquivos de programas\CoreCodec

2008-06-20 23:37 21,764 ----a-w C:\WINDOWS\system32\CoreAAC-uninstall.exe

2008-02-18 09:18 375,296 ----a-w C:\Arquivos de programas\mdn.exe

2004-07-28 19:57 271 --sh--w C:\Arquivos de programas\desktop.ini

2004-07-28 19:57 22,040 ---h--w C:\Arquivos de programas\folder.htt

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-11-07 15:34 3739672]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"K-Lite Nitro BETA"="C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe" [bU]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-01 19:54 3735552]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]

"AVG8_TRAY"="C:\ARQUIV~1\AVG\AVG8\avgtray.exe" [2008-07-28 09:47 1232152]

"C-Media Mixer"="Mixer.exe" [2001-06-11 06:05 1110016 C:\WINDOWS\mixer.exe]

"CountrySelection"="pctptt.exe" [2000-01-05 04:41 68096 C:\WINDOWS\system32\pctptt.exe]

 

C:\Documents and Settings\User\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-15 20:51:46 113664]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\ARQUIV~1\GbPlugin\gbieh.dll" [2008-04-15 09:37 378696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"C:\\Arquivos de programas\\AVG\\AVG8\\avgemc.exe"=

"C:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

 

S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-05 09:22]

S2 avg8emc;AVG8 E-mail Scanner;C:\ARQUIV~1\AVG\AVG8\avgemc.exe [2008-07-28 09:47]

S2 avg8wd;AVG8 WatchDog;C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe [2008-07-28 09:47]

S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 09:22]

S2 Pctspk;W2K PCtel speaker phone;C:\WINDOWS\System32\pctspk.exe [2000-01-19 06:30]

S3 XDva033;XDva033;C:\WINDOWS\system32\XDva033.sys []

S3 XDva074;XDva074;C:\WINDOWS\system32\XDva074.sys []

S3 XDva168;XDva168;C:\WINDOWS\system32\XDva168.sys []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63be0f00-a1d0-11dc-9147-0050fcb6eb92}]

\Shell\AutoRun\command - G:\e9ehn1m8.com

\Shell\explore\Command - G:\e9ehn1m8.com

\Shell\open\Command - G:\e9ehn1m8.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f8d5120-4dde-11dd-9ca8-0050fcb6eb92}]

\Shell\AutoRun\command - G:\avc14.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-28 21:12:43

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execuçao ---------------------

 

PROCESSOS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\tsd32.dll

.

Tempo para conclusão: 2008-07-28 21:13:59

ComboFix-quarantined-files.txt 2008-07-29 00:13:56

ComboFix4.txt 2008-07-25 12:48:18

ComboFix3.txt 2008-07-28 12:32:28

ComboFix2.txt 2008-07-28 23:52:30

 

Pre-Run: 5,269,913,600 bytes disponíveis

Post-Run: 5,259,493,376 bytes disponíveis

 

112

 

 

 

 

Log do HijackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 21:20:23, on 28/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Mixer.exe

C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Meus documentos\Lia\Programas\linha defensiva\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [K-Lite Nitro BETA] C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203358348309

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://topguard066.dipmap.com/ssi.cgi/cab/...hecker_8198.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O17 - HKLM\System\CS1\Services\Tcpip\..\{0D210024-2510-4662-B1EE-E3E0DDF43CDC}: NameServer = 200.165.132.154,200.165.132.147

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe

 

 

 

 

 

Tomara que desta vez eu esteja livre do problema. :P

 

Já limpei os pendrives da casa. ;)

 

Obrigada!