[Arquivado] Meu desktop sumiu

grilo13 · Novembro 9, 2008

Boa tarde!!

Já fiz de tudo, inclusive li em outros fóruns o que fazer...mas continuo com meu desktop inativo, apenas tenho o plano de fundo sem os atalhos!!

Tinha 6 trojans no meu pc, sendo que meu AVG não os detectou, e baixei o Avira..

Só consigo acessar os arquivos no CTRL ALT DEL, nova tarefa..

Procurei até o que seria o hijack this, porém não entendi muita coisa.

Acabei baixando vários programas e nada está dando certo...

Estou com receio de ter que formatar o meu pc...por favor me ajudem! Não sei o que fazer..

Agradeço desde já..

Logfile of HijackThis v1.99.1

Scan saved at 12:50:06, on 9/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\Avira Premium Security Suite\sched.exe

C:\Arquivos de programas\Avira\Avira Premium Security Suite\avfwsvc.exe

C:\Arquivos de programas\Avira\Avira Premium Security Suite\avguard.exe

C:\Arquivos de programas\Avira\Avira Premium Security Suite\avesvc.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\ARQUIV~1\AVG\AVG8\avgam.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgnsx.exe

C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

C:\Arquivos de programas\Avira\Avira Premium Security Suite\avmailc.exe

C:\Arquivos de programas\Spyware Doctor\pctsTray.exe

C:\Arquivos de programas\Avira\Avira Premium Security Suite\AVWEBGRD.EXE

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\ARQUIV~1\FREEDO~1\fdm.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\DOCUME~1\Usuario\CONFIG~1\Temp\Rar$EX03.469\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [itch ford four knob] C:\Documents and Settings\All Users\Dados de aplicativos\third lies itch ford\Settings support.exe

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\Avira Premium Security Suite\avgnt.exe" /min

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdbpa.exe] C:\WINDOWS\system32\kdbpa.exe

O4 - HKLM\..\Run: [iSTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TransBar] C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe /s

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Free Download Manager] "C:\Arquivos de programas\Free Download Manager\fdm.exe" -autorun

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Extra Road] C:\DOCUME~1\Usuario\DADOSD~1\coolregshole\Five Plan.exe

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe

O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe

O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe

O8 - Extra context menu item: Baixar com o FDM - file://C:\Arquivos de programas\Free Download Manager\dllink.htm

O8 - Extra context menu item: Baixar tudo com o FDM - file://C:\Arquivos de programas\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selecionado pelo FDM - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'avsda.dll' missing

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212149070812

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C0D38D15-F917-48CB-AE7E-8F0AAFF0455B}: NameServer = 85.255.112.132;85.255.112.12

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\msgrapp.14.0.5027.0908.dll

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\msgrapp.14.0.5027.0908.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - C:\Arquivos de programas\Avira\Avira Premium Security Suite\avfwsvc.exe

O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Arquivos de programas\Avira\Avira Premium Security Suite\avmailc.exe

O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\Avira Premium Security Suite\sched.exe

O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\Avira Premium Security Suite\avguard.exe

O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Arquivos de programas\Avira\Avira Premium Security Suite\AVWEBGRD.EXE

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - C:\Arquivos de programas\Avira\Avira Premium Security Suite\avesvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

PedroN · Novembro 9, 2008

- Baixe: < ComboFix.exe >

- Salve-o no Desktop!

- Desabilite as proteções residente de: antivírus,antispywares e firewall. ( Menos o do Windows! )

- Feche todas as janelas e execute a ferramenta!

- Na solicitação: "Negação de garantia de software" --> Clique em Sim!

- Não possuindo o "Console de Recuperação",aceite optar pela instalação do mesmo!

-- Caso aconteça a notificação de: Aplicativo Win32 inválido,delete a ferramenta e faça,novamente,o download.
-- Salve-a no desktop,renomeada como: Kombo.exe

-- Ps: Nomeie durante o salvamento,e não após salvá-la!

-- Ps: Surgindo alguma mensagem de erro,rode o ComboFix.exe em Modo de Segurança.

-- Ps: Para completar as remoções,talvez haja necessidade da ferramenta reiniciar o computador. <-- Aguarde!

-- Ps: Evite executar,voluntariamente,esta ferramenta!Siga,àcima,todas as recomendações propostas.

- Abrir-se-á a janela Auto Scan. --> Aguarde!

- Àfim de completar as remoções,o ComboFix poderá reiniciar o computador.

- Se houver necessidade,digite a opção para continuar! --> ( 1 ) --> Aperte Enter.

- Aguarde a conclusão!

- Durante o scan,evite manusear o mouse ou teclado! <-- Importante!

- Para parar ou sair do ComboFix,tecle "N" --> Enter.

----------------------

- Terminando,poste os relatórios: C:\ComboFix.txt + HijackThis,atualizado.

grilo13 · Novembro 15, 2008

Segue abaixo..

Muito obrigado pela sua ajuda!!

ComboFix 08-11-13.01 - Usuario 2008-11-15 12:18:32.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.675 [GMT -3:00]

Executando de: d:\meus documentos\Downloads\ComboFix.exe

* Criado um novo ponto de restauro

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat

C:\resycled

c:\windows\msvrc20.dll

c:\windows\system32\mcrh.tmp

c:\windows\system32\pAGhgMoq.ini

c:\windows\system32\pAGhgMoq.ini2

c:\windows\system32\qoMghGAp.dll

----- BITS: Sites possivelmente infetados -----

hxxp://www.securityenchancement.com

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-10-15 to 2008-11-15 ))))))))))))))))))))))))))))

.

2008-11-15 10:51 . 2008-11-15 10:51 <DIR> d-------- c:\arquivos de programas\Avira

2008-11-15 09:14 . 2008-11-15 09:14 <DIR> d-------- c:\arquivos de programas\Alwil Software

2008-11-15 09:02 . 2008-11-15 09:02 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys

2008-11-15 08:24 . 2008-11-15 08:41 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Norton

2008-11-15 08:16 . 2008-11-15 08:16 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\NortonInstaller

2008-11-15 03:13 . 2008-11-15 03:13 <DIR> d-------- c:\documents and settings\Usuario\Dados de aplicativos\AVGTOOLBAR

2008-11-14 22:03 . 2008-11-14 22:03 4,096 --a------ c:\windows\d3dx.dat

2008-11-09 11:22 . 2008-11-15 10:51 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Avira

2008-11-09 11:20 . 2008-11-09 13:11 344 --ahs---- c:\windows\system32\Xxxadfii.ini

2008-11-08 18:24 . 2008-11-08 18:30 <DIR> d-------- c:\documents and settings\Usuario\Dados de aplicativos\MXPLAY

2008-11-08 18:24 . 2008-11-08 18:24 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\MXPLAY

2008-11-08 18:18 . 2008-11-08 18:32 <DIR> d-------- c:\arquivos de programas\MXPLAY

2008-11-04 14:28 . 2008-11-04 14:28 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2008-11-04 12:33 . 2008-11-15 09:44 <DIR> d-------- c:\documents and settings\Usuario\Dados de aplicativos\coolregshole

2008-11-04 12:33 . 2008-11-04 12:33 <DIR> d-------- c:\arquivos de programas\coolregshole

2008-11-04 12:32 . 2008-11-04 12:32 <DIR> d-------- c:\arquivos de programas\Messenger Plus! Live

2008-11-04 12:32 . 2008-11-15 09:35 <DIR> d-------- c:\arquivos de programas\Circle Developement

2008-10-27 18:15 . 2008-10-27 18:19 <DIR> d-------- c:\arquivos de programas\Accent OFFICE Password Recovery

2008-10-27 18:03 . 2008-10-27 18:25 1,780 --a------ c:\windows\aopr.ini

2008-10-27 11:07 . 2008-11-10 15:04 <DIR> d-------- c:\arquivos de programas\GTA

2008-10-26 19:15 . 2008-10-27 20:07 <DIR> d-------- c:\arquivos de programas\ElcomSoft

2008-10-24 13:44 . 2008-11-10 15:04 45,056 --a------ c:\windows\NCUNINST.EXE

2008-10-24 13:41 . 2008-10-24 13:41 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\SWF Studio

2008-10-24 07:54 . 2008-10-15 13:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-10-19 10:49 . 2008-10-19 10:49 <DIR> d-------- c:\documents and settings\Usuario\Dados de aplicativos\Zylom

2008-10-19 10:49 . 2008-10-19 10:49 <DIR> d-------- c:\documents and settings\Usuario\Dados de aplicativos\PlayFirst

2008-10-19 10:49 . 2008-10-19 10:49 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\PlayFirst

2008-10-19 10:48 . 2008-10-19 10:48 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Zylom

2008-10-19 10:48 . 2008-10-26 21:07 <DIR> d-------- c:\arquivos de programas\Zylom Games

2008-10-16 22:07 . 2008-10-16 22:07 <DIR> d-------- c:\documents and settings\Usuario\Dados de aplicativos\CursorArts

2008-10-15 19:14 . 2008-11-15 10:36 <DIR> d-------- c:\arquivos de programas\Mozilla Firefox 3.1 Beta 1

2008-10-15 16:14 . 2008-08-14 10:24 2,193,408 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-15 16:14 . 2008-08-14 10:24 2,149,376 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-15 16:14 . 2008-08-14 10:24 2,070,272 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-10-15 16:14 . 2008-08-14 10:24 2,028,032 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2008-10-15 15:54 . 2008-09-08 07:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

2008-10-15 15:53 . 2008-09-15 12:26 1,846,528 -----c--- c:\windows\system32\dllcache\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-15 15:17 --------- d-----w c:\documents and settings\Usuario\Dados de aplicativos\Free Download Manager

2008-11-15 14:15 --------- d-----w c:\arquivos de programas\AdVantage

2008-11-15 12:18 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\third lies itch ford

2008-11-15 11:24 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Avg8

2008-11-15 01:22 --------- d-----w c:\documents and settings\Usuario\Dados de aplicativos\Azureus

2008-11-09 16:16 --------- d---a-w c:\documents and settings\All Users\Dados de aplicativos\TEMP

2008-11-08 04:01 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2008-11-02 04:25 --------- d-----w c:\arquivos de programas\AIMP2

2008-11-01 20:27 --------- d-----w c:\arquivos de programas\Opera

2008-10-29 17:11 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2008-10-25 13:53 --------- d-----w c:\arquivos de programas\Azureus

2008-10-21 20:38 --------- d-----w c:\arquivos de programas\TuneUp Utilities 2008

2008-10-01 21:48 --------- d-----w c:\arquivos de programas\Winamp

2008-10-01 10:56 --------- d-----w c:\arquivos de programas\Free Download Manager

2008-09-27 20:12 --------- d-----w c:\arquivos de programas\Free Audio Pack

2008-09-27 20:04 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\River Past G5

2008-09-27 20:04 --------- d-----w c:\arquivos de programas\MediaCoder

2008-09-27 20:02 --------- d-----w c:\documents and settings\Usuario\Dados de aplicativos\River Past G5

2008-09-21 21:39 --------- d-----w c:\arquivos de programas\Windows Live

2008-09-21 00:45 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller

2008-09-20 21:52 --------- d-----w c:\arquivos de programas\Microsoft

2008-09-20 21:30 --------- d-----w c:\documents and settings\Usuario\Dados de aplicativos\BSplayer

2008-09-20 21:18 --------- d-----w c:\arquivos de programas\Arquivos comuns\Windows Live

2008-09-20 16:02 --------- d-----w c:\documents and settings\Usuario\Dados de aplicativos\Corel

2008-09-18 00:37 --------- d-----w c:\arquivos de programas\Mario Forever

2008-07-05 11:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\MSHist012008070520080706\index.dat

.

------- Sigcheck -------

2008-04-13 19:21 977920 732946eeaa1d8ee2a4fc24370827617b c:\windows\explorer.exe

2007-06-13 10:10 1035264 45d521506825a10b80833b4e9621ccf6 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

2007-06-13 10:21 977408 e2af4bc9e7859fdbbe6626c2b648b6bc c:\windows\$NtServicePackUninstall$\explorer.exe

2004-08-04 00:45 976384 3dc2adebb0cc234b58d6680129e24d26 c:\windows\$NtUninstallKB938828$\explorer.exe

2008-04-13 19:21 977920 732946eeaa1d8ee2a4fc24370827617b c:\windows\ServicePackFiles\i386\explorer.exe

2008-04-13 19:21 1035776 064ec7ff5f58b928c3e119402977fa6d c:\windows\system32\VITrans\explorer.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"TransBar"="c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe" [2005-06-01 65536]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2008-09-09 3513344]

"Free Download Manager"="c:\arquivos de programas\Free Download Manager\fdm.exe" [2008-05-20 2474031]

"Google Update"="c:\documents and settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2008-11-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"nwiz"="nwiz.exe" [2007-06-29 c:\windows\system32\nwiz.exe]

c:\documents and settings\Usuario\Menu Iniciar\Programas\Inicializar\

RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]

TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 65536]

UberIcon.lnk - c:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 180224]

Y'z Shadow.lnk - c:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 01000000

"NoLogoff"= 01000000

"NoBandCustomize"= 0 (0x0)

"NoMovingBands"= 0 (0x0)

"NoCloseDragDropBands"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 19:20 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--------- 2006-04-13 11:09 49152 c:\arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2005-12-07 22:57 30208 c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-02-22 04:25 144784 c:\arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

-ra------ 2005-06-30 02:16 88203 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2006-01-11 15:08 577536 c:\windows\soundman.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Azureus"=c:\arquivos de programas\Azureus\Azureus.exe

"ares"="c:\arquivos de programas\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"WinLogT"=c:\windows\WinLogT.exe

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"NBKeyScan"="c:\arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

"NSLauncher"=c:\arquivos de programas\Nokia\Nokia Software Launcher\NSLauncher.exe /startup

"PWRISOVM.EXE"=c:\arquivos de programas\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Azureus\\Azureus.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Arquivos comuns\\Nero\\Nero Web\\SetupX.exe"=

"c:\\Arquivos de programas\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\Arquivos de programas\\Arquivos comuns\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=

"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

"c:\\Nexon\\Combat Arms\\NMService.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-13 14336]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 31232]

S3 cpuz129;cpuz129;c:\docume~1\Usuario\CONFIG~1\Temp\Rar$EX00.453\pcwiz32.sys [ ]

S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [2008-11-15 27904]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]

S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-07-23 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\laucher.exe

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-11-15 c:\windows\Tasks\1-Click Maintenance.job

- c:\arquivos de programas\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-11-15 c:\windows\Tasks\GoogleUpdateTaskUser.job

- c:\documents and settings\Usuario\Configura []

.

- - - - ORFÃOS REMOVIDOS - - - -

BHO-{47080957-7903-41FC-B655-CEBA0A65E64A} - c:\windows\system32\rqRLdEXn.dll

BHO-{865A8AF3-2CEF-413B-99E3-09A96038B792} - c:\windows\system32\qoMghGAp.dll

HKLM-Run-c:\windows\system32\kdbpa.exe - c:\windows\system32\kdbpa.exe

ShellExecuteHooks-{47080957-7903-41FC-B655-CEBA0A65E64A} - c:\windows\system32\rqRLdEXn.dll

Notify-rqRLdEXn - rqRLdEXn.dll

.

------- Scan Suplementar -------

.

FireFox -: Profile - c:\documents and settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\bs7ygwk3.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.orkut.com.br/Home.aspx

FF -: plugin - c:\arquivos de programas\Mozilla Firefox 3.1 Beta 1\plugins\npnul32.dll

FF -: plugin - c:\arquivos de programas\Mozilla Firefox 3.1 Beta 1\plugins\npzylomgamesplayer.dll

FF -: plugin - c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\npNxGameUS.dll

FF -: plugin - c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

FF -: plugin - c:\documents and settings\Usuario\ConfiguraÃ§Ãµes locais\Dados de aplicativos\Google\Update\1.2.131.27\npGoogleOneClick6.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-15 12:21:15

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-11-15 12:22:58 - Máquina reiniciou

ComboFix-quarantined-files.txt 2008-11-15 15:22:55

Pré-execução: 18 pasta(s) 15.092.584.448 bytes disponíveis

Pós execução: 17 pasta(s) 14,949,462,016 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

236 --- E O F --- 2008-10-24 11:17:16

Hijack This:

Logfile of HijackThis v1.99.1

Scan saved at 12:27:43, on 15/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Free Download Manager\fdm.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\DOCUME~1\Usuario\CONFIG~1\Temp\Rar$EX00.766\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min