Archived

This topic has been archived and is closed to new replies.

ptonella

[Solved!]  Malware CiD


Hi.

This CID thing has been driving me crazy too; every so often a pop-up opens for ringtones, Mercado Livre...

Help, please!

 

HijackThis showed me this message before producing the log:

 

An unexpected error has occurred at procedure: modMain_CheckOther1Item()

Error #75 - Path/File access error

 

Please email me at merijn@spywareinfo.com, reporting the following:

* What you were trying to fix when the error occurred, if applicable

* How you can reproduce the error

* A complete HijackThis scan log, if possible

 

Windows version: Windows NT 6.00.1904

MSIE version: 7.0.6000.16711

HijackThis version: 1.99.1

 

This message has been copied to your clipboard.

Click OK to continue the rest of the scan.

Logfile of HijackThis v1.99.1

Scan saved at 19:47:34, on 08/09/2008

Platform: Unknown Windows (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16711)

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

C:\Windows\sttray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Mx One\mogtr.exe

C:\Program Files\Panda Security\Panda Antivirus 2008\ApVxdWin.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Users\Pati\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.la.dell.com/content/default.as...;l=pt&s=gen

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer fornecido por Dell

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052607 serial=DR12CRS-1736730-ynq lang=BP

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Mx_One_Guardian_Tiempo_Real] C:\Program Files\Mx One\mogtr.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [uTorrent] "C:\Users\Pati\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [proc drive] "C:\ProgramData\draw dumb dumb.rdplk"

O4 - HKCU\..\Run: [Army browse cdrom vga] "C:\ProgramData\Owns Blah Mix.ljvqyep"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O13 - Gopher Prefix:

O15 - Trusted Zone: http://s4.travian.pt

O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.33/g_bin/eng/roulette_2_0_0_27.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.atrativa.com.br/games/applets/g...bugs/axhost.cab

O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbles&Diamonds&Runes) - http://67.15.101.33/g_bin/eng/marbles_2_0_0_32.cab

O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab

O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.33/g_bin/eng/words_2_0_0_51.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.atrativa.com.br/games/applets/p...opcaploader.cab

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: avldr - C:\Windows\SYSTEM32\avldr.dll

O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll

O23 - Service: McAfee Application Installer Cleanup (0270271192582006) (0270271192582006mcinstcleanup) - Unknown owner - C:\Users\Pati\AppData\Local\Temp\027027~1.EXE (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrvx86.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PskSvc.exe

O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

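The two `O4` entries pointing into `C:\ProgramData` with made-up extensions are what a helper spots by eye in the log above. As an added example (not code from the thread, HijackThis or ComboFix), this Python script applies those same checks to O4 lines; the sample lines are copied from the posted log, and the scoring heuristics and the two-signal threshold are my own assumptions.

```python
"""Triage of HijackThis O4 (Run-key) lines.

Added example for this thread; the heuristics are assumptions about what makes
a helper pause on an entry:
  * the target lives in a data directory (ProgramData, AppData, Temp) instead
    of Program Files or Windows;
  * the extension is not one Windows runs natively, so launching it depends on
    a file-type association (".rdplk", ".ljvqyep");
  * a multi-word value name shares no word with the file it launches.
"""
import ntpath
import re
from dataclasses import dataclass

# Sample O4 lines copied from the HijackThis log in the thread (test input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Pati\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [proc drive] "C:\ProgramData\draw dumb dumb.rdplk"
O4 - HKCU\..\Run: [Army browse cdrom vga] "C:\ProgramData\Owns Blah Mix.ljvqyep"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Extensions Windows executes directly; anything else relies on an association.
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll",
            ".msi", ".hta", ".vbs", ".js", ".cpl"}
# For an unquoted command line, the target ends at the first executable extension.
UNQUOTED_TARGET_RE = re.compile(
    r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll|msi|hta|vbs|js|cpl))(?:\s|$)", re.IGNORECASE
)
DATA_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\all users\\")


@dataclass
class AutorunEntry:
    hive: str
    name: str
    target: str
    reasons: list

    @property
    def suspicious(self) -> bool:
        # One heuristic alone misfires too often (many legitimate programs live
        # in AppData); require two independent signals.
        return len(self.reasons) >= 2


def split_target(cmd: str) -> str:
    """Return the launched file from a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = UNQUOTED_TARGET_RE.match(cmd)
    return m.group(1) if m else cmd


def _words(text: str) -> set:
    return {w.lower() for w in re.findall(r"[A-Za-z]+", text)}


def assess(hive: str, name: str, target: str) -> AutorunEntry:
    """Score one autorun entry against the three heuristics above."""
    reasons = []
    low = target.lower()
    if any(d in low for d in DATA_DIRS):
        reasons.append("target lives in a data directory")
    ext = ntpath.splitext(ntpath.basename(low))[1]
    if ext not in EXEC_EXT:
        reasons.append(f"non-executable extension {ext!r}")
    name_words = _words(name)
    if len(name_words) >= 2 and not (name_words & _words(target)):
        reasons.append("value name shares no word with its target")
    return AutorunEntry(hive, name, target, reasons)


def triage(log_text: str) -> list:
    """Parse every O4 line in a HijackThis log and score it."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            target = split_target(m.group("cmd"))
            entries.append(assess(m.group("hive"), m.group("name"), target))
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        verdict = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{verdict:10} {e.hive} [{e.name}] -> {e.target}")
        for r in e.reasons:
            print(f"{'':10}   - {r}")
```

Run on the sample, only the two `C:\ProgramData` entries score as suspicious; the legitimate Defender, DAEMON Tools, uTorrent and TeaTimer lines each trip at most one heuristic.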

Hey ptonella,

Download ComboFix from:

ComboFix

1) Temporarily disable your antivirus;

2) Double-click combofix.exe and press "1" to proceed. The process takes about 10 minutes on average;

3) ComboFix will restart the PC automatically so that the removal process can finish (only if there is an infection);

4) When the scan finishes, a log will be generated at C:\ComboFix.txt;

5) Do not click on the ComboFix window, nor close it by clicking the X, while the tool is running, since that will mess up your desktop configuration (it will go all white);

6) To stop or quit ComboFix, press "N";

7) Re-enable your antivirus;

8) I need you to paste the contents of ComboFix.txt in your next reply.

Cheers.


Hello.

Everything went fine until the moment ComboFix generated the log... after that it stopped working and closed itself; the only thing showing was Notepad with the scan information. I closed Notepad and the screen was all black. I pressed Ctrl+Alt+Del and restarted the computer.

When the computer restarted, this file appeared on screen:

"draw dumb dumb.rdplk", and Windows asked me how I wanted to open it, with a program I already have or by searching the web...

And Spybot asked me for several authorizations; I had to turn it off...

ComboFix 08-09-05.10 - Pati 2008-09-08 22:34:37.1 - NTFSx86

Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1046.18.318 [GMT -3:00]

Executando de: C:\Users\Pati\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat

C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

C:\Windows\system32\x64

 

----- BITS: Sites possivelmente infetados -----

 

http://au.download.winj+|Cv+@J:NGD_DQ{zZOmOezO@WU Client DownloadS-1-5-18@x`l@\???? 6VwoQZCDHM6VwoQZCDHMXu r0 r0 r0000oWvZOmOGD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cvte.com

.

((((((((((((((((((((((( Ficheiros criados de 2008-08-09 to 2008-09-09 ))))))))))))))))))))))))))))))))

.

 

Nenhum ficheiro/arquivo criado durante este período

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-09 00:57 --------- d-----w C:\Program Files\Mx One

2008-09-09 00:20 --------- d-----w C:\Users\Pati\AppData\Roaming\uTorrent

2008-09-08 23:28 --------- d-----w C:\ProgramData\Spybot - Search & Destroy

2008-09-08 23:18 --------- d-----w C:\Program Files\CCleaner

2008-09-08 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-09-08 22:38 --------- d-----w C:\Users\Pati\AppData\Roaming\Skype

2008-09-08 19:03 --------- d-----w C:\Users\Pati\AppData\Roaming\skypePM

2008-09-08 02:24 --------- d-----w C:\Program Files\Megacubo

2008-09-07 23:35 --------- d-----w C:\Users\Pati\AppData\Roaming\Megacubo

2008-09-07 22:12 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-09-07 20:18 --------- d-----w C:\Program Files\Windows Live

2008-09-07 20:14 --------- d-----w C:\ProgramData\WLInstaller

2008-09-06 01:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-09-06 00:46 --------- d-----w C:\Program Files\Panda Security

2008-09-05 17:12 --------- d-----w C:\ProgramData\Avira

2008-09-05 02:18 --------- d-----w C:\ProgramData\sentinel

2008-09-04 23:46 --------- d-----w C:\Program Files\Common Files\Panda Software

2008-09-04 02:02 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live

2008-09-04 01:26 --------- d-----w C:\ProgramData\bird online bind

2008-09-03 02:34 --------- d-----w C:\Program Files\Common Files\PX Storage Engine

2008-09-03 01:52 --------- d-----w C:\Program Files\IObit

2008-09-03 01:23 --------- d-----w C:\ProgramData\Mfcd upload army browse

2008-08-31 15:58 --------- d-----w C:\Users\Pati\AppData\Roaming\NCH Swift Sound

2008-08-31 15:58 --------- d-----w C:\Program Files\NCH Swift Sound

2008-08-30 18:05 --------- d-----w C:\ProgramData\NCH Swift Sound

2008-08-30 18:04 --------- d-----w C:\Users\Pati\AppData\Roaming\Recordpad

2008-08-30 18:04 --------- d-----w C:\Program Files\NCH Software

2008-08-28 02:39 --------- d-----w C:\Program Files\SopCast

2008-08-23 21:36 --------- d-----w C:\Program Files\Encore DEMO

2008-08-20 02:22 56 ---ha-w C:\Users\All Users\ezsidmv.dat

2008-08-20 02:22 56 ---ha-w C:\ProgramData\ezsidmv.dat

2008-08-20 02:19 --------- d-----w C:\ProgramData\Skype

2008-08-20 02:19 --------- d-----w C:\Program Files\Skype

2008-08-20 02:19 --------- d-----w C:\Program Files\Common Files\Skype

2008-08-16 18:24 --------- d-----w C:\ProgramData\Nero

2008-08-16 18:24 --------- d-----w C:\Program Files\Common Files\Nero

2008-08-15 13:32 --------- d-----w C:\ProgramData\Microsoft Help

2008-08-15 13:28 --------- d-----w C:\Program Files\Windows Mail

2008-08-08 01:33 --------- d-----w C:\Users\Pati\AppData\Roaming\NCH Software

2008-07-28 02:16 --------- d-----w C:\Users\Pati\AppData\Roaming\Nero

2008-07-28 02:11 --------- d-----w C:\Program Files\Nero

2008-07-27 18:30 --------- d-----w C:\Program Files\Common Files\Adobe

2008-07-27 18:30 --------- d-----w C:\Program Files\Bonjour

2008-07-27 18:12 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-07-27 16:57 --------- d-----w C:\Program Files\Google

2008-07-27 16:52 --------- d-----w C:\Program Files\Photo Recovery Wizard

2008-07-27 16:34 --------- d-----w C:\Users\Pati\AppData\Roaming\LimeWire

2008-07-25 00:14 --------- d-----w C:\Program Files\Apple Software Update

2008-07-19 05:10 53,448 ----a-w C:\Windows\System32\wuauclt.exe

2008-07-19 05:10 45,768 ----a-w C:\Windows\System32\wups2.dll

2008-07-19 05:10 36,552 ----a-w C:\Windows\System32\wups.dll

2008-07-19 05:09 563,912 ----a-w C:\Windows\System32\wuapi.dll

2008-07-19 05:09 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll

2008-07-19 03:44 83,456 ----a-w C:\Windows\System32\wudriver.dll

2008-07-19 03:44 1,524,736 ----a-w C:\Windows\System32\wucltux.dll

2008-07-19 01:08 163,904 ----a-w C:\Windows\System32\wuwebv.dll

2008-07-18 23:44 31,232 ----a-w C:\Windows\System32\wuapp.exe

2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll

2008-07-10 12:20 174 --sha-w C:\Program Files\desktop.ini

2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll

2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll

2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll

2008-06-19 03:25 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL

2008-06-19 03:25 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll

2008-06-19 03:25 272,896 ----a-w C:\Windows\System32\polstore.dll

2008-03-14 23:28 32 ----a-w C:\Users\All Users\ezsid.dat

2008-03-14 23:28 32 ----a-w C:\ProgramData\ezsid.dat

2007-05-06 18:13 0 ----a-w C:\Users\Pati\AppData\Roaming\wklnhst.dat

2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2008-04-24 12:43 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"proc drive"="C:\ProgramData\draw dumb dumb.rdplk" [X]

"Army browse cdrom vga"="C:\ProgramData\Owns Blah Mix.ljvqyep" [X]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 167368]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-14 1232896]

"uTorrent"="C:\Users\Pati\Program Files\uTorrent\uTorrent.exe" [2008-08-15 267056]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-11 21741864]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="C:\Windows\System32\Adobe\Shockwave 11\SwHelper_1100429.exe" [2008-03-19 439736]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-02-09 98304]

"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-02-09 106496]

"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-02-09 81920]

"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-05-02 77824]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" [2003-11-28 729088]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]

"Mx_One_Guardian_Tiempo_Real"="C:\Program Files\Mx One\mogtr.exe" [2008-07-29 32768]

"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" [2007-10-04 455984]

"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 C:\Windows\sttray.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2007-02-15 19:02 50736 C:\Windows\System32\avldr.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

@="IEEE 1394 Bus host controllers"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

@="SBP2 IEEE 1394 Devices"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

@="SecurityDevices"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

 

R0 CLFS;Common Log (CLFS);C:\Windows\system32\CLFS.sys [2008-02-14 224824]

R0 Ecache;ReadyBoost Caching Driver;C:\Windows\system32\drivers\ecache.sys [2006-11-02 132200]

R0 FileInfo;File Information FS MiniFilter;C:\Windows\system32\drivers\fileinfo.sys [2006-11-02 56424]

R0 msisadrv;Driver de Classe ISA/EISA;C:\Windows\system32\drivers\msisadrv.sys [2007-05-02 13928]

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 28544]

R0 spldr;Security Processor Loader Driver;C:\Windows\system32\drivers\spldr.sys [2006-11-02 18536]

R0 volmgr;Volume Manager Driver;C:\Windows\system32\drivers\volmgr.sys [2007-05-02 50280]

R0 volmgrx;Dynamic Volume Manager;C:\Windows\system32\drivers\volmgrx.sys [2006-11-02 290408]

R1 DfsC;Dfs Client Driver;C:\Windows\system32\Drivers\dfsc.sys [2006-11-02 74752]

R1 nsiproxy;NSI proxy service;C:\Windows\system32\drivers\nsiproxy.sys [2006-11-02 16384]

R1 RDPENCDD;RDP Encoder Mirror Driver;C:\Windows\system32\drivers\rdpencdd.sys [2006-11-02 6144]

R1 ShldDrv;Panda File Shield Driver;C:\Windows\system32\DRIVERS\ShlDrv51.sys [2007-05-23 38968]

R1 Smb;Protocolos TCP/IP e TCP/IPv6 Orientados a Mensagens (sessão SMB);C:\Windows\system32\DRIVERS\smb.sys [2006-11-02 66048]

R1 tdx;Driver de Suporte a TDI Herdado de NetIO;C:\Windows\system32\DRIVERS\tdx.sys [2006-11-02 68096]

R1 Wanarpv6;Remote Access IPv6 ARP Driver;C:\Windows\system32\DRIVERS\wanarp.sys [2008-01-14 61952]

R2 AmFSM;AmFSM;C:\Windows\system32\DRIVERS\amm8660.sys [2007-09-28 46648]

R2 AudioEndpointBuilder;Construtor de Pontos de Extremidade de Áudio do Windows;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R2 BFE;Mecanismo de Filtragem Básica;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 DPS;Serviço de Diretiva de Diagnóstico;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R2 FDResPub;Publicação de Recursos de Descoberta de Função;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 gpsvc;Cliente da Diretiva de Grupo;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 IAANTMON;Intel® Matrix Storage Event Monitor;C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2006-09-29 81920]

R2 IKEEXT;Módulos de Criação de Chaves IKE e AuthIP do IPSec;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 iphlpsvc;Auxiliar de IP;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R2 KtmRm;KtmRm para Coordenador de Transações Distribuídas;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;C:\Windows\system32\DRIVERS\lltdio.sys [2006-11-02 47104]

R2 luafv;UAC File Virtualization;C:\Windows\system32\drivers\luafv.sys [2006-11-02 83456]

R2 MMCSS;Agendador de Classes de Multimídia;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 MpsSvc;Firewall do Windows;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 netprofm;Serviço da Lista de Redes;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R2 NlaSvc;Reconhecimento de Locais de Rede;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R2 nsi;Serviço de Interface de Armazenamento de Rede;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 PavProc;Panda Process Protection Driver;C:\Windows\system32\DRIVERS\PavProc.sys [2007-07-12 178872]

R2 PcaSvc;Serviço Auxiliar de Compatibilidade de Programas;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 PEAUTH;PEAUTH;C:\Windows\system32\drivers\peauth.sys [2006-11-02 878080]

R2 ProfSvc;Serviço de Perfil de Usuário;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 PskSvcRetail;Panda PSK service;C:\Program Files\Panda Security\Panda Antivirus 2008\PskSvc.exe [2007-03-21 27696]

R2 slsvc;Licenciamento de Software;C:\Windows\system32\SLsvc.exe [2008-01-14 2605568]

R2 SysMain;Superfetch;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R2 TabletInputService;Serviço de Entrada de Tablet PC;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R2 tcpipreg;TCP/IP Registry Compatibility;C:\Windows\system32\drivers\tcpipreg.sys [2006-11-02 27648]

R2 UxSms;Gerenciador de Sessão do Gerenciador de Janelas da Área de Trabalho;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R2 WerSvc;Serviço de Relatórios de Erro do Windows;C:\Windows\System32\svchost.exe [2006-11-02 22016]

R3 Appinfo;Informações sobre Aplicativos;C:\Windows\system32\svchost.exe [2006-11-02 22016]

R3 bowser;Bowser;C:\Windows\system32\DRIVERS\bowser.sys [2006-11-02 69632]

R3 DXGKrnl;LDDM Graphics Subsystem;C:\Windows\system32\drivers\dxgkrnl.sys [2008-01-14 619008]

R3 iScsiPrt;Driver iScsiPort;C:\Windows\system32\DRIVERS\msiscsi.sys [2006-11-02 168552]

R3 monitor;Microsoft Monitor Class Function Driver Service;C:\Windows\system32\DRIVERS\monitor.sys [2007-12-16 41984]

R3 mpsdrv;Driver de Autorização do Firewall do Windows;C:\Windows\system32\drivers\mpsdrv.sys [2008-01-14 63488]

R3 mrxsmb10;SMB 1.x MiniRedirector;C:\Windows\system32\DRIVERS\mrxsmb10.sys [2006-11-02 211456]

R3 mrxsmb20;SMB 2.0 MiniRedirector;C:\Windows\system32\DRIVERS\mrxsmb20.sys [2008-01-14 58368]

R3 srv2;srv2;C:\Windows\system32\DRIVERS\srv2.sys [2008-01-14 130048]

R3 srvnet;srvnet;C:\Windows\system32\DRIVERS\srvnet.sys [2008-01-14 84992]

R3 tunnel;Driver do Adaptador de Miniporta de Encapsulamento do Microsoft IPv6;C:\Windows\system32\DRIVERS\tunnel.sys [2008-01-14 23040]

R3 umbus;Driver de Enumerador UMBus;C:\Windows\system32\DRIVERS\umbus.sys [2006-11-02 34816]

R3 WdiSystemHost;Host do Sistema de Diagnósticos;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S2 0270271192582006mcinstcleanup;McAfee Application Installer Cleanup (0270271192582006);C:\Users\Pati\AppData\Local\Temp\027027~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini [ ]

S2 EMDMgmt;ReadyBoost;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;C:\Windows\system32\drivers\brfiltlo.sys [2006-11-02 13568]

S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;C:\Windows\system32\drivers\brfiltup.sys [2006-11-02 5248]

S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\Windows\system32\drivers\brusbser.sys [2006-11-02 11904]

S3 DFSR;Replicação DFS;C:\Windows\system32\DFSR.exe [2006-11-02 2089984]

S3 E1G60;Intel® PRO/1000 NDIS 6 Adapter Driver;C:\Windows\system32\DRIVERS\E1G60I32.sys [2006-11-02 117760]

S3 fdPHost;Host de Provedor da Descoberta de Função;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 Filetrace;FileTrace;C:\Windows\system32\drivers\filetrace.sys [2006-11-02 27648]

S3 IPBusEnum;Enumerador de Barramento PnP-X IP;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 KeyIso;Isolamento de Chave CNG;C:\Windows\system32\lsass.exe [2006-11-02 7680]

S3 lltdsvc;Mapeador da Descoberta de Topologia da Camada de Link;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 MSiSCSI;Serviço Iniciador Microsoft iSCSI;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 MsRPC;MsRPC;C:\Windows\system32\drivers\MsRPC.sys [2006-11-02 160872]

S3 NativeWifiP;NativeWiFi Filter;C:\Windows\system32\DRIVERS\nwifi.sys [2008-02-14 154624]

S3 p2pimsvc;Gerenciador de Identidades de Mesmo Nível da Microsoft;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 p2psvc;Agrupamento de Rede de Mesmo Nível;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 pla;Logs e alertas de desempenho;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 PNRPAutoReg;Serviço de Publicação de Nome de Computador do PNRP;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 PNRPsvc;Protocolo de resolução de nomes de mesmo nível;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 QWAVE;Quality Windows Audio Video Experience;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 SDRSVC;Backup do Windows;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 SessionEnv;Configuração dos serviços de terminal;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 sffp_mmc;SFF Storage Protocol Driver for MMC;C:\Windows\system32\drivers\sffp_mmc.sys [2006-11-02 12800]

S3 SLUINotify;Serviço de Notificação da Interface de Usuário do Licenciamento de Software;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 TBS;Serviços Base de TPM;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 THREADORDER;Servidor de Ordem de Thread;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 TrustedInstaller;Instalador de Módulos do Windows;C:\Windows\servicing\TrustedInstaller.exe [2008-02-14 27136]

S3 tssecsrv;Terminal Services Security Filter Driver;C:\Windows\system32\DRIVERS\tssecsrv.sys [2006-11-02 23552]

S3 UI0Detect;Detecção de Serviços Interativos;C:\Windows\system32\UI0Detect.exe [2006-11-02 35840]

S3 uliagpkx;Uli AGP Bus Filter;C:\Windows\system32\drivers\uliagpkx.sys [2007-05-02 58472]

S3 wcncsvc;Conexão Fácil do Windows - Registrador de Configuração;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 WcsPlugInService;Sistema de Cores do Windows;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 WdiServiceHost;Host do Serviço de Diagnóstico;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 Wecsvc;Coletor de Eventos do Windows;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 wercplsupport;Suporte do Painel de Controle Relatórios de Problemas e Soluções;C:\Windows\System32\svchost.exe [2006-11-02 22016]

S3 Wlansvc;Configuração Automática de WLAN;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S3 WPCSvc;Controle dos Pais;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S4 adp94xx;adp94xx;C:\Windows\system32\drivers\adp94xx.sys [2006-11-02 420968]

S4 adpahci;adpahci;C:\Windows\system32\drivers\adpahci.sys [2006-11-02 297576]

S4 arcsas;arcsas;C:\Windows\system32\drivers\arcsas.sys [2006-11-02 67688]

S4 Brserid;Brother MFC Serial Port Interface Driver (WDM);C:\Windows\system32\drivers\brserid.sys [2006-11-02 71808]

S4 BrSerWdm;Brother WDM Serial driver;C:\Windows\system32\drivers\brserwdm.sys [2006-11-02 62336]

S4 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\Windows\system32\drivers\brusbmdm.sys [2006-11-02 12160]

S4 CertPropSvc;Propagação de Certificado;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S4 circlass;Consumer IR Devices;C:\Windows\system32\drivers\circlass.sys [2006-11-02 35328]

S4 Crusoe;Transmeta Crusoe Processor Driver;C:\Windows\system32\drivers\crusoe.sys [2006-11-02 38912]

S4 elxstor;elxstor;C:\Windows\system32\drivers\elxstor.sys [2006-11-02 316520]

S4 HpCISSs;HpCISSs;C:\Windows\system32\drivers\hpcisss.sys [2006-11-02 37480]

S4 iaStorV;Intel RAID Controller Vista;C:\Windows\system32\drivers\iastorv.sys [2006-11-02 232040]

S4 IPMIDRV;IPMIDRV;C:\Windows\system32\drivers\ipmidrv.sys [2006-11-02 65536]

S4 iteraid;ITERAID_Service_Install;C:\Windows\system32\drivers\iteraid.sys [2006-11-02 35944]

S4 LSI_FC;LSI_FC;C:\Windows\system32\drivers\lsi_fc.sys [2006-11-02 65640]

S4 LSI_SAS;LSI_SAS;C:\Windows\system32\drivers\lsi_sas.sys [2006-11-02 65640]

S4 LSI_SCSI;LSI_SCSI;C:\Windows\system32\drivers\lsi_scsi.sys [2006-11-02 65640]

S4 megasas;megasas;C:\Windows\system32\drivers\megasas.sys [2006-11-02 28776]

S4 mpio;Microsoft Multi-Path Bus Driver;C:\Windows\system32\drivers\mpio.sys [2006-11-02 78952]

S4 msahci;msahci;C:\Windows\system32\drivers\msahci.sys [2007-05-02 25784]

S4 msdsm;Microsoft Multi-Path Device Specific Module;C:\Windows\system32\drivers\msdsm.sys [2006-11-02 80488]

S4 nfrd960;nfrd960;C:\Windows\system32\drivers\nfrd960.sys [2006-11-02 45160]

S4 ntrigdigi;N-trig HID Tablet Driver;C:\Windows\system32\drivers\ntrigdigi.sys [2006-11-02 20608]

S4 nvstor;nvstor;C:\Windows\system32\drivers\nvstor.sys [2006-11-02 40040]

S4 ql2300;QLogic Fibre Channel Miniport Driver;C:\Windows\system32\drivers\ql2300.sys [2006-11-02 900712]

S4 ql40xx;QLogic iSCSI Miniport Driver;C:\Windows\system32\drivers\ql40xx.sys [2006-11-02 106088]

S4 SCPolicySvc;Diretiva de Remoção de Cartão Inteligente;C:\Windows\system32\svchost.exe [2006-11-02 22016]

S4 SiSRaid4;SiSRaid4;C:\Windows\system32\drivers\sisraid4.sys [2006-11-02 71784]

S4 uliahci;uliahci;C:\Windows\system32\drivers\uliahci.sys [2006-11-02 235112]

S4 ulsata2;ulsata2;C:\Windows\system32\drivers\ulsata2.sys [2006-11-02 115816]

S4 usbcir;eHome Infrared Receiver (USBCIR);C:\Windows\system32\drivers\usbcir.sys [2006-11-02 68608]

S4 ViaC7;VIA C7 Processor Driver;C:\Windows\system32\drivers\viac7.sys [2006-11-02 39424]

S4 vsmraid;vsmraid;C:\Windows\system32\drivers\vsmraid.sys [2006-11-02 112232]

S4 WacomPen;Wacom Serial Pen HID Driver;C:\Windows\system32\drivers\wacompen.sys [2006-11-02 20608]

S4 Wd;Microsoft Watchdog Timer Driver;C:\Windows\system32\drivers\wd.sys [2006-11-02 19560]

S4 WinRM;Windows Remote Management (WS-Management);C:\Windows\System32\svchost.exe [2006-11-02 22016]

S4 WPDBusEnum;Serviço Enumerador de Dispositivos Portáteis;C:\Windows\system32\svchost.exe [2006-11-02 22016]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

WerSvcGroup REG_MULTI_SZ wersvc

swprv REG_MULTI_SZ swprv

regsvc REG_MULTI_SZ RemoteRegistry

wcssvc REG_MULTI_SZ WcsPlugInService

DcomLaunch REG_MULTI_SZ PlugPlay DcomLaunch

wdisvc REG_MULTI_SZ WdiServiceHost

sdrsvc REG_MULTI_SZ sdrsvc

secsvcs REG_MULTI_SZ WinDefend

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

AeLookupSvc

wercplsupport

Themes

CertPropSvc

SCPolicySvc

lanmanserver

gpsvc

IKEEXT

AudioSrv

FastUserSwitchingCompatibility

Nla

NWCWorkstation

SRService

Wmi

WmdmPmSp

TermService

wuauserv

BITS

ShellHWDetection

LogonHours

PCAudit

helpsvc

uploadmgr

iphlpsvc

seclogon

AppInfo

msiscsi

MMCSS

ProfSvc

EapHost

winmgmt

schedule

SessionEnv

browser

hkmsvc

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b383ec79-e460-11dc-8802-0015c536e6bb}]

\shell\auto\command - Knight.exe open

\shell\find\command - Knight.exe open

\shell\install\command - Knight.exe open

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbc47966-fe6e-11dc-8802-0015c536e6bb}]

\shell\auto\command - G:\Knight.exe open

\shell\find\command - G:\Knight.exe open

\shell\install\command - G:\Knight.exe open

 

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

C:\Windows\system32\unregmp2.exe /ShowWMP

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

.

Conteúdo da pasta 'Tarefas Agendadas'

.

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Users\Pati\AppData\Roaming\Mozilla\Firefox\Profiles\3avcd5bf.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.br/

FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava11.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava12.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava13.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava14.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava32.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npoji610.dll

FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nppl3260.dll

FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-08 22:44:00

Windows 6.0.6000 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-09-08 22:55:43

ComboFix-quarantined-files.txt 2008-09-09 01:55:38

 

Pre-Run: O sistema não pode encontrar o texto correspondente à mensagem de número 0x2379 no arquivo de mensagens para Application.

Post-Run: 98,857,799,680 bytes disponíveis

 

393 --- E O F --- 2008-09-07 22:13:47


Hey ptonella,

 

Follow these instructions:

 

1. Open Notepad -> Copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Quote":

File::

C:\Users\Pati\AppData\Roaming\wklnhst.dat

C:\Users\All Users\ezsidmv.dat

C:\Users\All Users\ezsid.dat

C:\ProgramData\draw dumb dumb.rdplk

C:\ProgramData\Owns Blah Mix.ljvqyep

C:\ProgramData\ezsidmv.dat

C:\ProgramData\ezsid.dat

C:\Program Files\desktop.ini

G:\Knight.exe

Folder::

C:\ProgramData\bird online bind

C:\ProgramData\Mfcd upload army browse

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"proc drive"=-

"Army browse cdrom vga"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000000

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b383ec79-e460-11dc-8802-0015c536e6bb}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbc47966-fe6e-11dc-8802-0015c536e6bb}]

WARNING: The script above was written specifically for the infection present on this computer. Using it on another machine may cause serious problems for that user.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.

[image: cfscript.gif]

4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, along with a new HijackThis log.

Regards.

 

PS: Perform this with your USB flash drive connected to the PC.


Hello.

 

Here are the ComboFix and HijackThis logs:

 

 

 

ComboFix 08-09-05.10 - Pati 2008-09-09 21:57:00.2 - NTFSx86

Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1046.18.370 [GMT -3:00]

Executando de: C:\Users\Pati\Desktop\ComboFix.exe

Command switches used :: C:\Users\Pati\Desktop\CFScript.txt

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\desktop.ini

C:\ProgramData\bird online bind

C:\ProgramData\bird online bind\fcvmijbb.exe

C:\ProgramData\draw dumb dumb.rdplk

C:\ProgramData\ezsid.dat

C:\ProgramData\ezsidmv.dat

C:\ProgramData\Mfcd upload army browse

C:\ProgramData\Mfcd upload army browse\Heart Body.exe

C:\ProgramData\Owns Blah Mix.ljvqyep

C:\Users\All Users\ezsid.dat

C:\Users\All Users\ezsidmv.dat

C:\Users\Pati\AppData\Roaming\wklnhst.dat

G:\autorun.inf

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-08-10 to 2008-09-10 ))))))))))))))))))))))))))))))))

.

 

Nenhum ficheiro/arquivo criado durante este período

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-09 22:10 --------- d-----w C:\Users\Pati\AppData\Roaming\uTorrent

2008-09-09 22:10 --------- d-----w C:\Users\Pati\AppData\Roaming\Skype

2008-09-09 19:08 --------- d-----w C:\Users\Pati\AppData\Roaming\skypePM

2008-09-09 03:14 --------- d-----w C:\ProgramData\Spybot - Search & Destroy

2008-09-09 02:31 --------- d-----w C:\Program Files\Mx One

2008-09-08 23:18 --------- d-----w C:\Program Files\CCleaner

2008-09-08 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-09-08 02:24 --------- d-----w C:\Program Files\Megacubo

2008-09-07 23:35 --------- d-----w C:\Users\Pati\AppData\Roaming\Megacubo

2008-09-07 22:12 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-09-07 20:18 --------- d-----w C:\Program Files\Windows Live

2008-09-07 20:14 --------- d-----w C:\ProgramData\WLInstaller

2008-09-06 01:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-09-06 00:46 --------- d-----w C:\Program Files\Panda Security

2008-09-05 17:12 --------- d-----w C:\ProgramData\Avira

2008-09-05 02:18 --------- d-----w C:\ProgramData\sentinel

2008-09-04 23:46 --------- d-----w C:\Program Files\Common Files\Panda Software

2008-09-04 02:02 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live

2008-09-03 02:34 --------- d-----w C:\Program Files\Common Files\PX Storage Engine

2008-09-03 01:52 --------- d-----w C:\Program Files\IObit

2008-08-31 15:58 --------- d-----w C:\Users\Pati\AppData\Roaming\NCH Swift Sound

2008-08-31 15:58 --------- d-----w C:\Program Files\NCH Swift Sound

2008-08-30 18:05 --------- d-----w C:\ProgramData\NCH Swift Sound

2008-08-30 18:04 --------- d-----w C:\Users\Pati\AppData\Roaming\Recordpad

2008-08-30 18:04 --------- d-----w C:\Program Files\NCH Software

2008-08-28 02:39 --------- d-----w C:\Program Files\SopCast

2008-08-20 02:19 --------- d-----w C:\ProgramData\Skype

2008-08-20 02:19 --------- d-----w C:\Program Files\Skype

2008-08-20 02:19 --------- d-----w C:\Program Files\Common Files\Skype

2008-08-16 18:24 --------- d-----w C:\ProgramData\Nero

2008-08-16 18:24 --------- d-----w C:\Program Files\Common Files\Nero

2008-08-15 13:32 --------- d-----w C:\ProgramData\Microsoft Help

2008-08-15 13:28 --------- d-----w C:\Program Files\Windows Mail

2008-08-08 01:33 --------- d-----w C:\Users\Pati\AppData\Roaming\NCH Software

2008-07-28 02:16 --------- d-----w C:\Users\Pati\AppData\Roaming\Nero

2008-07-28 02:11 --------- d-----w C:\Program Files\Nero

2008-07-27 18:30 --------- d-----w C:\Program Files\Common Files\Adobe

2008-07-27 18:30 --------- d-----w C:\Program Files\Bonjour

2008-07-27 18:12 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-07-27 16:57 --------- d-----w C:\Program Files\Google

2008-07-27 16:52 --------- d-----w C:\Program Files\Photo Recovery Wizard

2008-07-27 16:34 --------- d-----w C:\Users\Pati\AppData\Roaming\LimeWire

2008-07-25 00:14 --------- d-----w C:\Program Files\Apple Software Update

2008-07-19 05:10 53,448 ----a-w C:\Windows\System32\wuauclt.exe

2008-07-19 05:10 45,768 ----a-w C:\Windows\System32\wups2.dll

2008-07-19 05:10 36,552 ----a-w C:\Windows\System32\wups.dll

2008-07-19 05:09 563,912 ----a-w C:\Windows\System32\wuapi.dll

2008-07-19 05:09 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll

2008-07-19 03:44 83,456 ----a-w C:\Windows\System32\wudriver.dll

2008-07-19 03:44 1,524,736 ----a-w C:\Windows\System32\wucltux.dll

2008-07-19 01:08 163,904 ----a-w C:\Windows\System32\wuwebv.dll

2008-07-18 23:44 31,232 ----a-w C:\Windows\System32\wuapp.exe

2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll

2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll

2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll

2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll

2008-06-19 03:25 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL

2008-06-19 03:25 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll

2008-06-19 03:25 272,896 ----a-w C:\Windows\System32\polstore.dll

2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2008-04-24 12:43 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 167368]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-14 1232896]

"uTorrent"="C:\Users\Pati\Program Files\uTorrent\uTorrent.exe" [2008-08-15 267056]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-11 21741864]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="C:\Windows\System32\Adobe\Shockwave 11\SwHelper_1100429.exe" [2008-03-19 439736]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-02-09 98304]

"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-02-09 106496]

"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-02-09 81920]

"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-05-02 77824]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" [2003-11-28 729088]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]

"Mx_One_Guardian_Tiempo_Real"="C:\Program Files\Mx One\mogtr.exe" [2008-07-29 32768]

"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" [2007-10-04 455984]

"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 C:\Windows\sttray.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2007-02-15 19:02 50736 C:\Windows\System32\avldr.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{C08B6B21-2E6E-415B-8A1C-3040E12BDB89}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{516E6E94-90F7-4BD6-8A50-92BF795276F9}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{230CA207-D885-467E-AAA0-AFBA77F5376D}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{5922AD61-1AA4-4E20-A508-23270CCACB15}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{A9743C0B-2EAF-4B11-9737-6D3471698546}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{E777EA9E-E4AE-4C76-8BF7-281BA8B5F91C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{CF34D940-5E86-4B9C-A91E-04A4E3FBA614}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{1ADB9172-ABF0-4F5A-BC03-3E23D8B401B3}"= C:\Program Files\Windows Live\Messenger\wlcsdk.exe:Windows Live Messenger (Phone)

"{A1B3F0F2-DF94-40AE-AFF7-DB7ABFD1D798}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

"{5CE2BB61-BE43-40FD-986C-56373370BACE}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

"{9A8B0A05-490D-4271-AA7A-43468031D1BA}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"TCP Query User{67A7B22B-4772-4ED1-9F59-8FFC56474541}C:\\users\\pati\\program files\\utorrent\\utorrent.exe"= UDP:C:\users\pati\program files\utorrent\utorrent.exe:utorrent.exe

"UDP Query User{BAFE329C-B44C-4C11-84C3-FC2572BFB16F}C:\\users\\pati\\program files\\utorrent\\utorrent.exe"= TCP:C:\users\pati\program files\utorrent\utorrent.exe:utorrent.exe

"{0662BB25-A760-4A5D-A270-442C40475D18}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"TCP Query User{60B6E13A-13DA-4607-8FF0-19B84DF0639C}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath

"UDP Query User{CC2DB8F2-18EF-4010-883E-90B2E46F2B57}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath

"TCP Query User{FA525358-F76D-4FBF-A8C6-211B650969F4}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{93FBF3B8-B0C8-40A2-ACAA-36A2ADACC3BF}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"{7EEB6189-594B-429F-A7F9-A7CB50A3E5F4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{768B8F0C-91E4-45BB-AFA2-2FE04CD38FF0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{B52435A1-8495-4D37-8B10-BB0C3F27AD3D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{FC55054B-64EC-40D8-86DA-A5491EE0349A}"= UDP:C:\Users\Pati\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)

"{6041CD68-4F57-4A19-9D2F-85B5F8F0065A}"= TCP:C:\Users\Pati\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

"{7291CBB9-8672-40C6-8311-BAAF89514EA6}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

"{6694A281-BA57-48B8-8B8E-246AED133AA9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{EE741006-F982-4400-8935-4E6290014A0C}"= UDP:C:\Program Files\Megacubo\megacubo.exe:MegaCubo

"{6585B1C3-83FC-4256-9899-D77F73722DFD}"= TCP:C:\Program Files\Megacubo\megacubo.exe:MegaCubo

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"DoNotAllowExceptions"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

 

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 28544]

R1 ShldDrv;Panda File Shield Driver;C:\Windows\system32\DRIVERS\ShlDrv51.sys [2007-05-23 38968]

R2 AmFSM;AmFSM;C:\Windows\system32\DRIVERS\amm8660.sys [2007-09-28 46648]

R2 PavProc;Panda Process Protection Driver;C:\Windows\system32\DRIVERS\PavProc.sys [2007-07-12 178872]

R2 PskSvcRetail;Panda PSK service;C:\Program Files\Panda Security\Panda Antivirus 2008\PskSvc.exe [2007-03-21 27696]

S2 0270271192582006mcinstcleanup;McAfee Application Installer Cleanup (0270271192582006);C:\Users\Pati\AppData\Local\Temp\027027~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini [ ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.

Conteúdo da pasta 'Tarefas Agendadas'

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-09 22:01:19

Windows 6.0.6000 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-09-09 22:03:52

ComboFix-quarantined-files.txt 2008-09-10 01:03:38

ComboFix2.txt 2008-09-09 01:55:44

 

Pre-Run: O sistema não pode encontrar o texto correspondente à mensagem de número 0x2379 no arquivo de mensagens para Application.

Post-Run: 97,862,762,496 bytes disponíveis

 

193 --- E O F --- 2008-09-07 22:13:47


Logfile of HijackThis v1.99.1

Scan saved at 22:06:15, on 09/09/2008

Platform: Unknown Windows (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16711)

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

C:\Windows\sttray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\System32\Adobe\Shockwave 11\SwHelper_1100429.exe

C:\Windows\System32\Adobe\Shockwave 11\SwHelper_1100429.exe

C:\Windows\System32\Adobe\Shockwave 11\SwHelper_1100429.exe

C:\Windows\Explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Users\Pati\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.la.dell.com/content/default.as...;l=pt&s=gen

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052607 serial=DR12CRS-1736730-ynq lang=BP

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Mx_One_Guardian_Tiempo_Real] C:\Program Files\Mx One\mogtr.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [uTorrent] "C:\Users\Pati\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O13 - Gopher Prefix:

O15 - Trusted Zone: http://s4.travian.pt

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: avldr - C:\Windows\SYSTEM32\avldr.dll

O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll

O23 - Service: McAfee Application Installer Cleanup (0270271192582006) (0270271192582006mcinstcleanup) - Unknown owner - C:\Users\Pati\AppData\Local\Temp\027027~1.EXE (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrvx86.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PskSvc.exe

O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

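The log above mixes the handful of entries a helper actually reads (O10 Winsock LSP DLLs, O15 Trusted Zone sites, O20 Winlogon Notify DLLs, O23 services whose binary is missing or lives under a Temp directory) with dozens of benign ones. The script below, added here as an example and not part of HijackThis or of the original post, applies those checks to HijackThis-format lines. The allowlists are assumptions for illustration, so a hit means "review this entry", not "this is malware", and the sample lines are constructed from the entry shapes seen in the log. One caveat it encodes: HijackThis 1.99.1 predates Vista and does not expand `%windir%`-style paths, so svchost-hosted services are reported as "(file missing)" even when nothing is wrong.

```python
"""Triage heuristics for HijackThis v1.99-style log lines.

Added example for this thread; not part of HijackThis or of the original
post.  Allowlists are assumptions; sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Winsock LSP DLLs normally present on Vista (nlaapi, napinsp, mswsock, winrnr)
# or installed by well-known software (Bonjour's mdnsnsp).  Assumed list.
KNOWN_LSP = {"nlaapi.dll", "napinsp.dll", "mswsock.dll", "winrnr.dll", "mdnsnsp.dll"}
# Winlogon Notify DLLs expected on a machine with Intel graphics.  Assumed list.
KNOWN_WINLOGON = {"igfxdev.dll"}

O10 = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O15 = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _basename(path):
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return Finding objects for entries that deserve a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if (m := O10.match(line)):
            if _basename(m["path"]) not in KNOWN_LSP:
                findings.append(Finding("O10", "LSP DLL not in allowlist", line))
        elif (m := O15.match(line)):
            # Sites in the Trusted Zone get relaxed IE security settings; always review.
            findings.append(Finding("O15", f"site in Trusted Zone: {m['site']}", line))
        elif (m := O20.match(line)):
            if _basename(m["path"]) not in KNOWN_WINLOGON:
                findings.append(Finding("O20", "Winlogon Notify DLL not in allowlist", line))
        elif (m := O23.match(line)):
            path = m["path"]
            # HijackThis 1.99.1 does not expand %windir% / %ProgramFiles%, so
            # svchost-hosted Vista services show "(file missing)" spuriously;
            # only a literal path that is missing is worth flagging.
            if "(file missing)" in path and "%" not in path:
                findings.append(Finding("O23", "service binary missing", line))
            if "\\temp\\" in path.lower():
                findings.append(Finding("O23", "service binary under a Temp directory", line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: same shapes as the log above, with made-up "example_*"
# names standing in for an unknown DLL and an unknown service.
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\example_lsp.dll
O15 - Trusted Zone: http://s4.travian.pt
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: example - C:\Windows\SYSTEM32\example_notify.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Example Cleanup (example) - Unknown owner - C:\Users\Pati\AppData\Local\Temp\027027~1.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
"""


def triage_sample():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.section}] {f.reason}: {f.line}")
    print(summarize(triage_sample()))
```

Feed it a real log with `triage(open("hijackthis.log", encoding="latin-1"))`; the QWAVE/seclogon lines drop out, while the Temp-resident cleanup service and the trusted-zone game site come back as items to look at.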

Hey ptonella,

Malwarebytes' Anti-Malware is a relatively new product, but it is very effective at removing common infections. The program is small, free and available in Portuguese.

Installing it is the first step toward cleaning an infected operating system.

In this tutorial you will learn how to install and run it.

1) First, download the program:

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

2) Now install the program, as follows:

Run the installer. Right after the installation file is executed, the setup screen is shown. Click Install to complete the installation.

When the installation finishes, leave the Update and Launch options checked. The program's update screen will then be shown.

3) This is the program's main screen. Select the Perform full scan option and click the Scan button.

Wait until the scan finishes. When it completes, a message is shown, followed by the scan results with the names of the files and malware found.

To carry out the cleanup, click Remove Selected.

To finish the cleanup, the computer will need to be restarted.

The program keeps the logs of its scans in the folder C:\Documents and Settings\<your user name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs, which can also be accessed from the Logs tab inside the program.

Post back with the scan results.

Credits: Fabio Assolini.

Link to the original post: here.


Log follows:

Malwarebytes' Anti-Malware 1.27

Database version: 1134

Windows 6.0.6000

10/09/2008 00:40:35

mbam-log-2008-09-10 (00-40-35).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)

Objects scanned: 167290

Time elapsed: 1 hour(s), 40 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hey ptonella,

1. Download BankerFix 3.0.

2. Temporarily disable your antivirus.

3. Double-click bankerfix.exe. The BankerFix 3.0 window will open with the question "Instalar o BankerFix 3.0 / Install BankerFix 3.0 ?" >> click YES.

4. A window will open stating that BankerFix 3.0 will be downloaded over the internet >> click OK and wait. In the next window click OK once more so that BankerFix 3.0 starts.

5. Press any key to continue the process and wait until the scan completes. Be patient, as it can take a few minutes.

6. When the scan finishes, read the message on screen and press Enter.

7. Re-enable your antivirus.

8. Post back with BankerFix's relatorio.txt (it will be in C:\LinhaDefensiva\).

9. After posting your reply you may delete the LinhaDefensiva folder on C:.

Regards.


Hi.

Log follows:

BankerFix 3.0 VALKYRIE {beta} - Banker Remover

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Date: 2008-09-12 - 19:16

-------------------------------------------------------

Definition list: 2008-09-07-1 | CORE: 2008-09-07-1

=======================================================

----- End -------------------------


Hi.

Log follows:

 

 

 

 

ComboFix 08-09-16.05 - Pati 2008-09-17 23:18:25.2 - NTFSx86

Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1046.18.243 [GMT -3:00]

Running from: C:\Users\Pati\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((( Files created from 2008-08-18 to 2008-09-18 ))))))))))))))))))))))))))))))))

.

 

No files created during this period

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-18 02:01 --------- d-----w C:\Users\Pati\AppData\Roaming\Skype

2008-09-17 19:06 --------- d-----w C:\Users\Pati\AppData\Roaming\skypePM

2008-09-17 13:08 --------- d-----w C:\Users\Pati\AppData\Roaming\uTorrent

2008-09-12 23:52 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy

2008-09-12 01:24 --------- d-----w C:\Program Files\Megacubo

2008-09-11 22:14 --------- d-----w C:\Program Files\Mx One

2008-09-11 12:36 --------- d-----w C:\PROGRA~2\Microsoft Help

2008-09-11 12:27 --------- d-----w C:\Program Files\Microsoft Works

2008-09-11 01:03 --------- d-----w C:\Program Files\DAEMON Tools

2008-09-10 22:40 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware

2008-09-10 03:46 56 ---ha-w C:\Users\All Users\ezsidmv.dat

2008-09-10 03:46 56 ---ha-w C:\PROGRA~2\ezsidmv.dat

2008-09-10 03:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys

2008-09-10 03:03 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys

2008-09-10 01:44 --------- d-----w C:\Users\Pati\AppData\Roaming\Malwarebytes

2008-09-10 01:44 --------- d-----w C:\PROGRA~2\Malwarebytes

2008-09-08 23:18 --------- d-----w C:\Program Files\CCleaner

2008-09-08 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-09-07 23:35 --------- d-----w C:\Users\Pati\AppData\Roaming\Megacubo

2008-09-07 22:12 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-09-07 20:18 --------- d-----w C:\Program Files\Windows Live

2008-09-07 20:14 --------- d-----w C:\PROGRA~2\WLInstaller

2008-09-06 01:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-09-06 00:46 --------- d-----w C:\Program Files\Panda Security

2008-09-05 17:12 --------- d-----w C:\PROGRA~2\Avira

2008-09-05 02:18 --------- d-----w C:\PROGRA~2\sentinel

2008-09-04 23:46 --------- d-----w C:\Program Files\Common Files\Panda Software

2008-09-04 02:02 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live

2008-09-03 02:34 --------- d-----w C:\Program Files\Common Files\PX Storage Engine

2008-09-03 01:52 --------- d-----w C:\Program Files\IObit

2008-08-31 15:58 --------- d-----w C:\Users\Pati\AppData\Roaming\NCH Swift Sound

2008-08-31 15:58 --------- d-----w C:\Program Files\NCH Swift Sound

2008-08-30 18:05 --------- d-----w C:\PROGRA~2\NCH Swift Sound

2008-08-30 18:04 --------- d-----w C:\Users\Pati\AppData\Roaming\Recordpad

2008-08-30 18:04 --------- d-----w C:\Program Files\NCH Software

2008-08-28 02:39 --------- d-----w C:\Program Files\SopCast

2008-08-20 02:19 --------- d-----w C:\Program Files\Skype

2008-08-20 02:19 --------- d-----w C:\Program Files\Common Files\Skype

2008-08-20 02:19 --------- d-----w C:\PROGRA~2\Skype

2008-08-16 18:24 --------- d-----w C:\Program Files\Common Files\Nero

2008-08-16 18:24 --------- d-----w C:\PROGRA~2\Nero

2008-08-15 13:28 --------- d-----w C:\Program Files\Windows Mail

2008-08-08 01:33 --------- d-----w C:\Users\Pati\AppData\Roaming\NCH Software

2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-07-28 02:16 --------- d-----w C:\Users\Pati\AppData\Roaming\Nero

2008-07-28 02:11 --------- d-----w C:\Program Files\Nero

2008-07-27 18:30 --------- d-----w C:\Program Files\Common Files\Adobe

2008-07-27 18:30 --------- d-----w C:\Program Files\Bonjour

2008-07-27 18:12 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-07-27 16:57 --------- d-----w C:\Program Files\Google

2008-07-27 16:52 --------- d-----w C:\Program Files\Photo Recovery Wizard

2008-07-27 16:34 --------- d-----w C:\Users\Pati\AppData\Roaming\LimeWire

2008-07-25 00:14 --------- d-----w C:\Program Files\Apple Software Update

2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2008-04-24 12:43 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legitimate default entries are not shown.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="C:\Users\Pati\Program Files\uTorrent\uTorrent.exe" [2008-08-15 267056]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-11 21741864]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-02-09 98304]

"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-02-09 106496]

"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-02-09 81920]

"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-05-02 77824]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" [2003-11-28 729088]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]

"Mx_One_Guardian_Tiempo_Real"="C:\Program Files\Mx One\mogtr.exe" [2008-07-29 32768]

"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" [2007-10-04 455984]

"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 C:\Windows\sttray.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2007-02-15 19:02 50736 C:\Windows\System32\avldr.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{C08B6B21-2E6E-415B-8A1C-3040E12BDB89}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{516E6E94-90F7-4BD6-8A50-92BF795276F9}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{230CA207-D885-467E-AAA0-AFBA77F5376D}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{5922AD61-1AA4-4E20-A508-23270CCACB15}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{A9743C0B-2EAF-4B11-9737-6D3471698546}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{E777EA9E-E4AE-4C76-8BF7-281BA8B5F91C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{CF34D940-5E86-4B9C-A91E-04A4E3FBA614}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{1ADB9172-ABF0-4F5A-BC03-3E23D8B401B3}"= C:\Program Files\Windows Live\Messenger\wlcsdk.exe:Windows Live Messenger (Phone)

"{A1B3F0F2-DF94-40AE-AFF7-DB7ABFD1D798}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

"{5CE2BB61-BE43-40FD-986C-56373370BACE}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

"{9A8B0A05-490D-4271-AA7A-43468031D1BA}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"TCP Query User{67A7B22B-4772-4ED1-9F59-8FFC56474541}C:\\users\\pati\\program files\\utorrent\\utorrent.exe"= UDP:C:\users\pati\program files\utorrent\utorrent.exe:utorrent.exe

"UDP Query User{BAFE329C-B44C-4C11-84C3-FC2572BFB16F}C:\\users\\pati\\program files\\utorrent\\utorrent.exe"= TCP:C:\users\pati\program files\utorrent\utorrent.exe:utorrent.exe

"{0662BB25-A760-4A5D-A270-442C40475D18}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"TCP Query User{60B6E13A-13DA-4607-8FF0-19B84DF0639C}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath

"UDP Query User{CC2DB8F2-18EF-4010-883E-90B2E46F2B57}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath

"TCP Query User{FA525358-F76D-4FBF-A8C6-211B650969F4}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{93FBF3B8-B0C8-40A2-ACAA-36A2ADACC3BF}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"{7EEB6189-594B-429F-A7F9-A7CB50A3E5F4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{768B8F0C-91E4-45BB-AFA2-2FE04CD38FF0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{B52435A1-8495-4D37-8B10-BB0C3F27AD3D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{FC55054B-64EC-40D8-86DA-A5491EE0349A}"= UDP:C:\Users\Pati\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)

"{6041CD68-4F57-4A19-9D2F-85B5F8F0065A}"= TCP:C:\Users\Pati\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

"{7291CBB9-8672-40C6-8311-BAAF89514EA6}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

"{6694A281-BA57-48B8-8B8E-246AED133AA9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{EE741006-F982-4400-8935-4E6290014A0C}"= UDP:C:\Program Files\Megacubo\megacubo.exe:MegaCubo

"{6585B1C3-83FC-4256-9899-D77F73722DFD}"= TCP:C:\Program Files\Megacubo\megacubo.exe:MegaCubo

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"DoNotAllowExceptions"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

 

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 28544]

R1 ShldDrv;Panda File Shield Driver;C:\Windows\system32\DRIVERS\ShlDrv51.sys [2007-05-23 38968]

R2 AmFSM;AmFSM;C:\Windows\system32\DRIVERS\amm8660.sys [2007-09-28 46648]

R2 PavProc;Panda Process Protection Driver;C:\Windows\system32\DRIVERS\PavProc.sys [2007-07-12 178872]

R2 PskSvcRetail;Panda PSK service;C:\Program Files\Panda Security\Panda Antivirus 2008\PskSvc.exe [2007-03-21 27696]

S2 0270271192582006mcinstcleanup;McAfee Application Installer Cleanup (0270271192582006);C:\Users\Pati\AppData\Local\Temp\027027~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini [ ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Users\Pati\AppData\Roaming\Mozilla\Firefox\Profiles\3avcd5bf.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.br/

FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava11.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava12.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava13.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava14.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava32.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npoji610.dll

FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nppl3260.dll

FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-17 23:24:05

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Finish time: 2008-09-17 23:29:11

ComboFix-quarantined-files.txt 2008-09-18 02:29:00

ComboFix2.txt 2008-09-10 01:03:53

ComboFix3.txt 2008-09-09 01:55:44

 

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.

Post-Run: 83,419,041,792 bytes free

 

182 --- E O F --- 2008-09-11 12:38:42

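Reading a ComboFix log like the one above comes down to a few questions: which non-directory files under system32 were written recently, which files carry the hidden+system attributes in user-writable locations, and which registered drivers or services (the R0/R1/R2/S2 lines) point at a binary ComboFix could not find, or at one under Temp. The script below, added here as an example and not part of ComboFix or of the thread, parses the Find3M and service lines and asks exactly those questions. The position-by-position meaning of the attribute column (d/r/s/h/a/?/w) and the reading of a trailing "[ ]" as "binary not found" are assumptions inferred from the log's own lines, not documented ComboFix behaviour; the sample records and the cut-off date are constructed for the example.

```python
"""Triage helpers for ComboFix-style log sections (Find3M and R*/S* lines).

Added example; not part of ComboFix or of the original thread.  The
attribute-column layout and the meaning of "[ ]" are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

FIND3M = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-{9}) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
SERVICE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Locations where a freshly written driver or DLL matters most.  Assumed list.
SENSITIVE_DIRS = ("c:\\windows\\system32\\",)


@dataclass
class FileRecord:
    date: str
    size: Optional[int]
    is_dir: bool
    system: bool
    hidden: bool
    path: str


@dataclass
class ServiceRecord:
    state: str
    name: str
    command: str
    file_seen: bool


def parse_find3m(line):
    """Decode one Find3M line; attrs are read as d r s h a ? w by position (assumed)."""
    m = FIND3M.match(line.strip())
    if not m:
        return None
    attrs = m["attrs"]
    size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
    return FileRecord(m["date"], size, attrs[0] == "d", attrs[2] == "s", attrs[3] == "h", m["path"])


def parse_service(line):
    """Decode one R*/S* driver or service line."""
    m = SERVICE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].rstrip()
    # "[date size]" follows a binary ComboFix could stat; "[ ]" one it could not (assumed).
    file_seen = not rest.endswith("[ ]")
    command = rest.split(" [", 1)[0]
    return ServiceRecord(m["state"], m["name"], command, file_seen)


def review(lines, since):
    """Return (file_findings, service_findings) as lists of (reason, item) tuples."""
    files, services = [], []
    for line in lines:
        rec = parse_find3m(line)
        if rec:
            low = rec.path.lower()
            if not rec.is_dir and rec.date >= since and low.startswith(SENSITIVE_DIRS):
                files.append(("recently written under system32", rec.path))
            if rec.hidden and rec.system and not low.startswith("c:\\windows\\"):
                files.append(("hidden+system file outside C:\\Windows", rec.path))
            continue
        svc = parse_service(line)
        if svc:
            if not svc.file_seen:
                services.append(("binary not found", svc.name))
            if "\\temp\\" in svc.command.lower():
                services.append(("binary under a Temp directory", svc.name))
    return files, services


# Constructed sample in the shapes seen in the log; hidden.dat is made up.
SAMPLE = r"""
2008-09-22 15:22 --------- d-----w C:\Users\Pati\AppData\Roaming\Skype
2008-09-10 03:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-09-10 03:46 56 ---ha-w C:\PROGRA~2\ezsidmv.dat
2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-09-15 11:00 24,576 --sha-w C:\Users\Pati\AppData\Local\Temp\hidden.dat
R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S2 0270271192582006mcinstcleanup;McAfee Application Installer Cleanup (0270271192582006);C:\Users\Pati\AppData\Local\Temp\027027~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini [ ]
"""


def review_sample():
    return review(SAMPLE.splitlines(), since="2008-09-01")


if __name__ == "__main__":
    for group in review_sample():
        for reason, item in group:
            print(f"{reason}: {item}")
```

On the real log the "recently written under system32" bucket is dominated by the Malwarebytes drivers installed on 2008-09-10, which is why the helper could call the log clean: every recent system32 write matches a tool the user had just installed.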

Hey ptonella,

Your log no longer shows any abnormal entries. Do the problems persist?


Hi.

Actually, the pop-ups stopped appearing, but now the computer is slow and reboots on its own all the time. The programs that had shortcuts on the toolbar disappeared, and when I click on them Windows has to reinstall them... I'll post the ComboFix log again:

 

 

ComboFix 08-09-16.05 - Pati 2008-09-22 12:26:34.2 - NTFSx86 MINIMAL

Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1046.18.660 [GMT -3:00]

Running from: C:\Users\Pati\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((( Files created from 2008-08-22 to 2008-09-22 ))))))))))))))))))))))))))))))))

.

 

No files created during this period

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-22 15:22 --------- d-----w C:\Users\Pati\AppData\Roaming\Skype

2008-09-22 15:18 --------- d-----w C:\Users\Pati\AppData\Roaming\uTorrent

2008-09-22 13:32 --------- d-----w C:\Program Files\Mx One

2008-09-22 11:08 --------- d-----w C:\Users\Pati\AppData\Roaming\skypePM

2008-09-20 02:31 --------- d-----w C:\Program Files\Common Files\Adobe

2008-09-20 02:12 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy

2008-09-20 01:29 --------- d-----w C:\Program Files\Megacubo

2008-09-19 12:39 --------- d-----w C:\Program Files\Common Files\Panda Software

2008-09-19 00:56 --------- d-----w C:\Program Files\Avira

2008-09-19 00:56 --------- d-----w C:\PROGRA~2\Avira

2008-09-18 23:12 --------- d-----w C:\PROGRA~2\FLEXnet

2008-09-11 12:36 --------- d-----w C:\PROGRA~2\Microsoft Help

2008-09-11 12:27 --------- d-----w C:\Program Files\Microsoft Works

2008-09-11 01:03 --------- d-----w C:\Program Files\DAEMON Tools

2008-09-10 22:40 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware

2008-09-10 03:46 56 ---ha-w C:\Users\All Users\ezsidmv.dat

2008-09-10 03:46 56 ---ha-w C:\PROGRA~2\ezsidmv.dat

2008-09-10 03:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys

2008-09-10 03:03 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys

2008-09-10 01:44 --------- d-----w C:\Users\Pati\AppData\Roaming\Malwarebytes

2008-09-10 01:44 --------- d-----w C:\PROGRA~2\Malwarebytes

2008-09-08 23:18 --------- d-----w C:\Program Files\CCleaner

2008-09-08 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-09-07 23:35 --------- d-----w C:\Users\Pati\AppData\Roaming\Megacubo

2008-09-07 22:12 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-09-07 20:18 --------- d-----w C:\Program Files\Windows Live

2008-09-07 20:14 --------- d-----w C:\PROGRA~2\WLInstaller

2008-09-06 01:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-09-05 02:18 --------- d-----w C:\PROGRA~2\sentinel

2008-09-04 02:02 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live

2008-09-03 02:34 --------- d-----w C:\Program Files\Common Files\PX Storage Engine

2008-09-03 01:52 --------- d-----w C:\Program Files\IObit

2008-08-31 15:58 --------- d-----w C:\Users\Pati\AppData\Roaming\NCH Swift Sound

2008-08-31 15:58 --------- d-----w C:\Program Files\NCH Swift Sound

2008-08-30 18:05 --------- d-----w C:\PROGRA~2\NCH Swift Sound

2008-08-30 18:04 --------- d-----w C:\Users\Pati\AppData\Roaming\Recordpad

2008-08-30 18:04 --------- d-----w C:\Program Files\NCH Software

2008-08-28 02:39 --------- d-----w C:\Program Files\SopCast

2008-08-20 02:19 --------- d-----w C:\Program Files\Skype

2008-08-20 02:19 --------- d-----w C:\Program Files\Common Files\Skype

2008-08-20 02:19 --------- d-----w C:\PROGRA~2\Skype

2008-08-16 18:24 --------- d-----w C:\Program Files\Common Files\Nero

2008-08-16 18:24 --------- d-----w C:\PROGRA~2\Nero

2008-08-15 13:28 --------- d-----w C:\Program Files\Windows Mail

2008-08-08 01:33 --------- d-----w C:\Users\Pati\AppData\Roaming\NCH Software

2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-07-31 03:34 28,160 ----a-w C:\Windows\System32\Apphlpdm.dll

2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-07-31 03:34 1,686,528 ----a-w C:\Windows\System32\gameux.dll

2008-07-30 23:47 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll

2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-07-28 02:16 --------- d-----w C:\Users\Pati\AppData\Roaming\Nero

2008-07-28 02:11 --------- d-----w C:\Program Files\Nero

2008-07-27 18:12 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-07-27 16:57 --------- d-----w C:\Program Files\Google

2008-07-27 16:52 --------- d-----w C:\Program Files\Photo Recovery Wizard

2008-07-27 16:34 --------- d-----w C:\Users\Pati\AppData\Roaming\LimeWire

2008-07-25 00:14 --------- d-----w C:\Program Files\Apple Software Update

2008-07-19 05:10 53,448 ----a-w C:\Windows\System32\wuauclt.exe

2008-07-19 05:10 45,768 ----a-w C:\Windows\System32\wups2.dll

2008-07-19 05:10 36,552 ----a-w C:\Windows\System32\wups.dll

2008-07-19 05:09 563,912 ----a-w C:\Windows\System32\wuapi.dll

2008-07-19 05:09 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll

2008-07-19 03:44 83,456 ----a-w C:\Windows\System32\wudriver.dll

2008-07-19 03:44 1,524,736 ----a-w C:\Windows\System32\wucltux.dll

2008-07-19 01:08 163,904 ----a-w C:\Windows\System32\wuwebv.dll

2008-07-18 23:44 31,232 ----a-w C:\Windows\System32\wuapp.exe

2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll

2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll

2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll

2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

2008-04-24 12:43 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

2008-04-24 12:43 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

.

 

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legitimate default entries are not shown.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="C:\Users\Pati\Program Files\uTorrent\uTorrent.exe" [2008-08-15 267056]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-11 21741864]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-02-09 98304]

"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-02-09 106496]

"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-02-09 81920]

"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-05-02 77824]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" [2003-11-28 729088]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]

"Mx_One_Guardian_Tiempo_Real"="C:\Program Files\Mx One\mogtr.exe" [2008-07-29 32768]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 C:\Windows\sttray.exe]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{C08B6B21-2E6E-415B-8A1C-3040E12BDB89}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{516E6E94-90F7-4BD6-8A50-92BF795276F9}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{230CA207-D885-467E-AAA0-AFBA77F5376D}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{5922AD61-1AA4-4E20-A508-23270CCACB15}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{A9743C0B-2EAF-4B11-9737-6D3471698546}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{E777EA9E-E4AE-4C76-8BF7-281BA8B5F91C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{CF34D940-5E86-4B9C-A91E-04A4E3FBA614}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{1ADB9172-ABF0-4F5A-BC03-3E23D8B401B3}"= C:\Program Files\Windows Live\Messenger\wlcsdk.exe:Windows Live Messenger (Phone)

"{A1B3F0F2-DF94-40AE-AFF7-DB7ABFD1D798}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

"{5CE2BB61-BE43-40FD-986C-56373370BACE}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

"{9A8B0A05-490D-4271-AA7A-43468031D1BA}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"TCP Query User{67A7B22B-4772-4ED1-9F59-8FFC56474541}C:\\users\\pati\\program files\\utorrent\\utorrent.exe"= UDP:C:\users\pati\program files\utorrent\utorrent.exe:utorrent.exe

"UDP Query User{BAFE329C-B44C-4C11-84C3-FC2572BFB16F}C:\\users\\pati\\program files\\utorrent\\utorrent.exe"= TCP:C:\users\pati\program files\utorrent\utorrent.exe:utorrent.exe

"{0662BB25-A760-4A5D-A270-442C40475D18}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"TCP Query User{60B6E13A-13DA-4607-8FF0-19B84DF0639C}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath

"UDP Query User{CC2DB8F2-18EF-4010-883E-90B2E46F2B57}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath

"TCP Query User{FA525358-F76D-4FBF-A8C6-211B650969F4}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{93FBF3B8-B0C8-40A2-ACAA-36A2ADACC3BF}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

"{7EEB6189-594B-429F-A7F9-A7CB50A3E5F4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{FC55054B-64EC-40D8-86DA-A5491EE0349A}"= UDP:C:\Users\Pati\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)

"{6041CD68-4F57-4A19-9D2F-85B5F8F0065A}"= TCP:C:\Users\Pati\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

"{7291CBB9-8672-40C6-8311-BAAF89514EA6}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

"{6694A281-BA57-48B8-8B8E-246AED133AA9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{EE741006-F982-4400-8935-4E6290014A0C}"= UDP:C:\Program Files\Megacubo\megacubo.exe:MegaCubo

"{6585B1C3-83FC-4256-9899-D77F73722DFD}"= TCP:C:\Program Files\Megacubo\megacubo.exe:MegaCubo

"{E86C2808-3AA5-4982-A660-93A488810258}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{0D5DE259-5C1D-46DE-9AF5-D275EF65F705}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"DoNotAllowExceptions"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

 

S2 0270271192582006mcinstcleanup;McAfee Application Installer Cleanup (0270271192582006);C:\Users\Pati\AppData\Local\Temp\027027~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini [ ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

 

*Newly Created Service* - ECACHE

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-RunOnce-<NO NAME> - (no file)

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Users\Pati\AppData\Roaming\Mozilla\Firefox\Profiles\3avcd5bf.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.br/

FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava11.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava12.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava13.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava14.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjava32.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

FF -: plugin - c:\Program Files\Java\jre1.6.0\bin\npoji610.dll

FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nppl3260.dll

FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-22 12:32:30

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-09-22 12:35:29

ComboFix-quarantined-files.txt 2008-09-22 15:33:57

ComboFix2.txt 2008-09-18 23:26:24

ComboFix3.txt 2008-09-18 02:29:12

ComboFix4.txt 2008-09-10 01:03:53

ComboFix5.txt 2008-09-22 15:26:19

 

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.

Post-Run: 79,660,793,856 bytes free

 

195 --- E O F --- 2008-09-11 12:38:42


Hey ptonella,

 

Let's try to resolve the remaining problem with CCleaner -> download it by clicking here.

 

1. To run the cleanup, just check the Cleaner option (top left) and click Run Cleaner (bottom right). Here you can choose to clean Windows, Applications, or both;

 

2. To fix errors, choose the Registry option (top left), click Scan for Issues (bottom left) and then Fix Selected Issues (bottom right; all issues are selected by default);

 

3. Under Tools (top left) you can uninstall programs (the same ones listed in Add / Remove Programs) or remove program entries from startup (experienced users only);

 

4. Options holds CCleaner's configuration settings, which I suggest you leave unchanged.

 

Perform the steps above (only 1. and 2.) and check whether the PC's performance is back to normal.

 

Regards.


Hi!

 

I already had CCleaner on the PC, but I ran it again, and the computer still reboots by itself... and now MSN doesn't work, and it won't uninstall...

HELP!!!!!


Hey ptonella,

 

Download SilentRunners.

 

Extract the file SilentRunners.vbs to C:. Double-click the file to run it.

 

After running it, wait until a document named Startup Programs (USER) date is generated. Copy the contents of this document and paste them in your next reply.

 

Regards.

 

Note: If your AV flags the file as a malicious script, don't worry and allow it to run.


Log follows:

 

 

 

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows Vista

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"uTorrent" = ""C:\Users\Pati\Program Files\uTorrent\uTorrent.exe"" ["BitTorrent, Inc."]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"IgfxTray" = "C:\Windows\system32\igfxtray.exe" ["Intel Corporation"]

"HotKeysCmds" = "C:\Windows\system32\hkcmd.exe" ["Intel Corporation"]

"Persistence" = "C:\Windows\system32\igfxpers.exe" ["Intel Corporation"]

"SunJavaUpdateSched" = ""c:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"]

"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]

"PDVDDXSrv" = ""C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"" ["CyberLink Corp."]

"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]

"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["Macrovision Corporation"]

"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]

"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]

"Mx_One_Guardian_Tiempo_Real" = "C:\Program Files\Mx One\mogtr.exe" [null data]

"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

"SigmatelSysTrayApp" = "sttray.exe" ["SigmaTel, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Facilitador de Leitor de Link Adobe PDF"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"

-> {HKLM...CLSID} = "Skype add-on (mastermind)"

\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Groove GFS Browser Helper"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "c:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"

-> {HKLM...CLSID} = "Groove GFS Browser Helper"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"

-> {HKLM...CLSID} = "Groove Folder Synchronization"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"

-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"

-> {HKLM...CLSID} = "Groove XML Icon Handler"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Exctractor"

-> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor"

\InProcServer32\(Default) = "C:\Program Files\VistaCodecPack\filters\mmfinfo.dll" [null data]

"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page"

-> {HKLM...CLSID} = "Haali Matroska Shell Property Page"

\InProcServer32\(Default) = "C:\Program Files\VistaCodecPack\filters\mmfinfo.dll" [null data]

"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"

-> {HKLM...CLSID} = "Haali Column Provider"

\InProcServer32\(Default) = "C:\Program Files\VistaCodecPack\filters\mmfinfo.dll" [null data]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

-> {HKLM...CLSID} = "iTunes"

\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"

-> {HKLM...CLSID} = "Haali Column Provider"

\InProcServer32\(Default) = "C:\Program Files\VistaCodecPack\filters\mmfinfo.dll" [null data]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

-> {HKLM...CLSID} = "MBAMShlExt Class"

\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

-> {HKLM...CLSID} = "MBAMShlExt Class"

\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

 

 

Default executables:

--------------------

 

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

 

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Behavior Of The Elevation Prompt For Standard Users}

 

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Detect Application Installations And Prompt For Elevation}

 

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Only elevate UIAccess applications that are installed in secure locations}

 

"EnableVirtualization" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Virtualize file and registry write failures to per-user locations}

 

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Switch to the secure desktop when prompting for elevation}

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Admin Approval Mode for the Built-in Administrator Account}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Papel de Parede da Galeria de Fotos do Windows.jpg"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Users\Pati\AppData\Roaming\Microsoft\Windows Photo Gallery\Papel de Parede da Galeria de Fotos do Windows.jpg"

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

BridgeCS3ImportMediaOnArrival\

"Provider" = "Adobe Bridge CS3"

"InvokeProgID" = "Adobe.adobebridge"

"InvokeVerb" = "launch"

HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

 

BSplayerCDDA\

"Provider" = "BSplayer multimedia player"

"InvokeProgID" = "BSP.plist"

"InvokeVerb" = "play"

HKCU\Software\Classes\BSP.plist\shell\play\command\(Default) = "C:\Program Files\Webteh\BSplayer\bsplayer.exe "%L"" ["Webteh"]

 

iTunesBurnCDOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.BurnCD"

"InvokeVerb" = "burn"

HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

 

iTunesImportSongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.ImportSongsOnCD"

"InvokeVerb" = "import"

HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

 

iTunesPlaySongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.PlaySongsOnCD"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

 

iTunesShowSongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.ShowSongsOnCD"

"InvokeVerb" = "showsongs"

HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

 

PDVD7DXPlayDVDMovieOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithPDVDDX"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

 

PDVD7DXPlayVideoCDMovieOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "VCD"

"InvokeVerb" = "PlayWithPDVDDX"

HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

 

WIA_{31CCC8A0-1C22-4ECF-9C2D-E376EAAA628B}\

"Provider" = "Photoshop"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = "/WiaCmd;C:\Users\Pati\Desktop\Filmes\Adobe CS3 crack\Adobe CS3 crack\Photoshop.exe /StiDevice:%1 /StiEvent:%2;"

-> {HKLM...CLSID} = "WPDShextAutoplay"

\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

 

WIA_{4FDDB3E3-612D-47C7-89AB-BD19B4944891}\

"Provider" = "Picasa2"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = "/WiaCmd;C:\Program Files\Picasa2\PicasaMediaDetector.exe /StiDevice:%1 /StiEvent:%2;"

-> {HKLM...CLSID} = "WPDShextAutoplay"

\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 18

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"

-> {HKLM...CLSID} = "Java Plug-in 1.6.0"

\InProcServer32\(Default) = "c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]

 

{2670000A-7350-4F3C-8081-5663EE0C6C49}\

"ButtonText" = "Enviar para o OneNote"

"MenuText" = "&Enviar para o OneNote"

"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"

-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS]

 

{77BF5300-1474-4EC7-9980-D32B190E9B07}\

"ButtonText" = "Skype"

"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"

-> {HKLM...CLSID} = "Skype add-on (button)"

\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

"MenuText" = "Spybot - Search && Destroy Configuration"

"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]

Assistente de aquisição de imagens do Windows (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}

Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]

Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]

Intel® Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"]

Serviço iPod, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]

Serviço SSTP, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}

Windows Driver Foundation - Estrutura do Driver de Modo de Usuário, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

 

 

---------- (launch time: 2008-09-22 20:40:48)

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 89 seconds, including 18 seconds for message boxes)


Hey ptonella,

 

There are no entries in your log that would explain the problems you reported. The issue is definitely not malware-related.

 

Unfortunately the problem must be related to the OS and/or to hardware (memory, motherboard...). I suggest you find a trusted technician to make the necessary repairs to your machine. :(

 

Regards.

