
This topic has been archived and is closed to new replies.

japxz

[Archived] IE opening by itself and hogging the CPU


IE is opening by itself and hogging the CPU; the HijackThis log follows below.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:31, on 2008-11-21

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\bndmss.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\Administrador\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQ6Toolbar\ICQToolBar.dll

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe

O1 - Hosts: .1 www.sophos.com

O2 - BHO: Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BHO Class - {15421b84-3488-49a7-ad18-cbf84a3efaf6} - C:\Arquivos de programas\Webtools\webtools.dll

O2 - BHO: AVG Safe Search - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Click-to-Call BHO - {5c255c8a-e604-49b4-9d64-90988571cecb} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\ARQUIV~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: FDMIECookiesBHO Class - {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Arquivos de programas\Free Download Manager\iefdmcks.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQ6Toolbar\ICQToolBar.dll

O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GLDStart] C:\Arquivos de programas\GLDirect\gldirect.exe -filterstart

O4 - HKLM\..\Run: [RAM Idle Professional] C:\Arquivos de programas\RAM Idle LE\RAM_XP.exe

O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe

O4 - HKLM\..\Run: [uSBFW] C:\Program Files\Net Studio\USB FireWall\USB FireWall.exe

O4 - HKLM\..\Run: [C:\WINDOWS\SYSTEM32\kdiox.exe] C:\WINDOWS\SYSTEM32\kdiox.exe

O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdaiz.exe] C:\WINDOWS\system32\kdaiz.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [speedRunner] C:\Documents and Settings\Administrador\Dados de aplicativos\SpeedRunner\SpeedRunner.exe

O4 - HKCU\..\Run: [sfKg6wIP] C:\Documents and Settings\Administrador\Dados de aplicativos\Microsoft\Windows\bmspac.exe

O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Administrador\Dados de aplicativos\gadcom\gadcom.exe" 61A847B5BBF72813349330466188719AB689201522886B092CBD44BD8689220221DD3257

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] cmd.exe /c md "%USERPROFILE%\Configurações locais\Temp" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: RagnaOne.lnk = C:\Arquivos de programas\Gravity\Ragnarok Online\RagnaONE.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=www.propheta.com.br

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Arquivos de programas\Yahoo!\Common\Yinsthelper200711281.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68

O17 - HKLM\System\CCS\Services\Tcpip\..\{D2859381-0B90-4EC6-8499-0B55F9B2ACBC}: NameServer = 85.255.112.207;85.255.112.68

O17 - HKLM\System\CS1\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68

O17 - HKLM\System\CS2\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68

O17 - HKLM\System\CS3\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O20 - Winlogon Notify: zgfvqu - C:\WINDOWS\SYSTEM32\zgfvqu.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: CbEvtSvc (cbevtsvc) - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe

O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)

O23 - Service: ICQ Service - Unknown owner - C:\Arquivos de programas\ICQ6Toolbar\ICQ Service.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

 

--

End of file - 12659 bytes
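The entries a helper looks at first in a log like the one above, as an added example written for this thread (it is not code from the forum, from HijackThis or from SDFix): it parses a handful of lines copied from the posted log and flags the resolver, hosts-file, shell, Winlogon Notify, autostart and service indicators that the SDFix run later confirmed. The expected-resolver list, the system32 autostart allowlist and the "random-looking name" heuristic are assumptions chosen for illustration.

```python
"""Triage of HijackThis log entries.

Added example for this thread; it is not code from the forum, from HijackThis
or from SDFix. It parses the entry types seen in the posted log and flags the
indicators a helper would look at first. The resolver list, the autostart
allowlist and the "random-looking name" heuristic are assumptions chosen for
illustration, not rules shipped with any tool.
"""
from __future__ import annotations

import re

# Resolvers the analyst expects on this machine (assumption: left empty, so any
# hard-coded per-adapter NameServer is reported for review).
EXPECTED_RESOLVERS: set[str] = set()

# Executables that normally autostart straight from system32 (assumed allowlist).
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "rundll32.exe"}

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
EXE_RE = re.compile(r'\]\s*"?([^"]*?\.exe)', re.IGNORECASE)

# Constructed sample: a subset of the entries copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O1 - Hosts: .1 www.sophos.com
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Administrador\Dados de aplicativos\gadcom\gadcom.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: zgfvqu - C:\WINDOWS\SYSTEM32\zgfvqu.dll
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
"""


def parse(log: str) -> list[tuple[str, str]]:
    """Split a HijackThis log into (entry type, body) pairs, skipping other lines."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(log: str) -> list[dict[str, str]]:
    """Return the entries worth a closer look, with the reason each was flagged."""
    findings: list[dict[str, str]] = []

    def flag(kind: str, reason: str, body: str) -> None:
        findings.append({"type": kind, "reason": reason, "entry": body})

    for kind, body in parse(log):
        if kind == "F2" and "Shell=" in body:
            # The shell value should be exactly Explorer.exe; anything appended
            # to it is started together with the desktop on every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                flag(kind, f"shell value chain-loads an extra program: {shell}", body)
        elif kind == "O1":
            # Every hosts-file override is reported; in the sample it points a
            # security vendor's site at a bogus address.
            flag(kind, f"hosts file overrides resolution of {body.split()[-1]}", body)
        elif kind == "O17":
            unexpected = set(IP_RE.findall(body)) - EXPECTED_RESOLVERS
            if unexpected:
                flag(kind, "per-adapter NameServer not in expected resolvers: "
                     + ", ".join(sorted(unexpected)), body)
        elif kind == "O20":
            # Winlogon notification DLLs load into winlogon.exe; a random-looking
            # lowercase name under the Windows directory is a common malware pattern.
            dll = body.partition(": ")[2].rpartition(" - ")[2].strip().lower()
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\windows\\" in dll and re.fullmatch(r"[a-z]{5,8}", stem):
                flag(kind, f"Winlogon Notify DLL with random-looking name: {stem}", body)
        elif kind == "O4":
            m = EXE_RE.search(body)
            if not m:
                continue
            path = m.group(1).lower()
            parent, _, base = path.rpartition("\\")
            if parent.endswith("\\system32") and base not in KNOWN_SYSTEM32_AUTOSTART:
                flag(kind, f"autostart of unknown binary in system32: {base}", body)
            elif "\\dados de aplicativos\\" in path or "\\application data\\" in path:
                flag(kind, f"autostart from the user's Application Data folder: {base}", body)
        elif kind == "O23":
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3 and parts[-2].lower() == "unknown owner":
                if "\\system32\\" in parts[-1].lower() or "(file missing)" in parts[-1]:
                    flag(kind, "service with no owner information in system32 or "
                         "with a missing binary", body)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:4} {f['reason']}\n     {f['entry']}")
```

The O17 hits are the same 85.255.112.x resolvers that the SDFix report below labels "DNSChanger Trojan Found!", and the F2, O20 and O4 hits match the files it deletes.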


Follow the instructions in the steps below.

Step 1

- Download HostsXpert and save it to the desktop;

- Extract the file to your desktop and run HostsXpert.exe;

- Click the Restore MS Hosts Files button and close the program.

Step 2

I suggest you save or print the instructions below.

- Download SDFix and save it to the desktop;

● Double-click SDFix.exe and the tool will be installed to C:\SDFix. Do not run it yet;

● Restart your computer in Safe Mode (hold the F8 key while the system boots and choose the Safe Mode option);

● Open the SDFix folder that was installed on your computer and double-click the RunThis.bat file;

● Press Y so the tool starts the removal process;

● When everything finishes, you will see a message telling you to press any key to continue. Press any key; your computer will restart automatically;

● After the restart, the tool will run again to finish its work and the word Finished will appear. Press any key again;

● A window with the SDFix report will appear;

● The log will open automatically for you. It is saved in the SDFix folder as Report.txt;

Make a new HijackThis log and paste it in your next reply, together with the SDFix log.

Step 3

- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so it does not detect the tool as a virus;

● Double-click the combofix.exe icon to start the scan;

● Read the agreement that appears and click Yes to continue;

● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;

● Wait while ComboFix scans;

● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;

Do not click on the ComboFix window and try not to use the keyboard either, so as not to disturb the tool's scan;

● If you want to quit or stop ComboFix, press N;

● When it finishes, your machine will restart. After the restart, the tool will run again; wait;

● A log will be generated at C:\ComboFix.txt.

In your next reply, paste the SDFix and ComboFix logs and a new HijackThis log.


The SDFix and ComboFix logs and a new HijackThis log follow below.

 

 

 

SDFix: Version 1.240

Run by Administrador on 2008-11-21 at 20:16

 

Microsoft Windows XP [versão 5.1.2600]

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

 

Checking Services :

 

Rootkit Found :

C:\WINDOWS\system32\drivers\ATI4WCXX.sys - Rootkit Pandex/Cutwail - Protect.sys

C:\WINDOWS\system32\drivers\ATI5KPXX.sys - Rootkit Pandex/Cutwail - Protect.sys

C:\WINDOWS\system32\drivers\ATI0AFXX.sys - Rootkit Pandex/Cutwail - Protect.sys

 

Name :

CbEvtSvc

ICF

restore

ATI5KPXX

CbEvtSvc

FCI

ICF

restore

ATI5KPXX

ATI0AFXX

 

Path :

%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs

C:\WINDOWS\system32\fci.exe.exe:ext.exe

C:\WINDOWS\system32\icf.exe.exe:ext.exe

\??\C:\WINDOWS\system32\drivers\restore.sys

\SystemRoot\System32\Drivers\ati5kpxx.sys

System32\Drivers\ati0afxx.sys

 

CbEvtSvc - Deleted

ICF - Deleted

restore - Deleted

ATI5KPXX - Deleted

CbEvtSvc - Deleted

FCI - Deleted

ICF - Deleted

restore - Deleted

ATI5KPXX - Deleted

ATI0AFXX - Deleted

 

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

DNSChanger Trojan Found!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"="kdaiz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C:\\WINDOWS\\system32\\kdaiz.exe"

 

Restoring Default System value

 

 

Rebooting

 

Service ATI0AFXX - Deleted after Reboot

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\system32\ZGFVQU32.dll - Deleted

C:\WINDOWS\system32\ZGFVQU.dll - Deleted

C:\WINDOWS\system32\kdaiz.exe - Deleted

C:\WINDOWS\SYSTEM32\MSUPDTE.EXE - Deleted

C:\976399~1 - Deleted

C:\Documents and Settings\Administrador\Dados de aplicativos\gadcom\gadcom.exe - Deleted

C:\Documents and Settings\Administrador\Dados de aplicativos\SpeedRunner\config.cfg - Deleted

C:\Documents and Settings\Administrador\Dados de aplicativos\SpeedRunner\SRUninstall.exe - Deleted

C:\Documents and Settings\Administrador\Dados de aplicativos\SpeedRunner\SpeedRunner.exe - Deleted

C:\### backup ###\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\.protected - Deleted

C:\### backup ###\Documents and Settings\Administrador\Menu Iniciar\Programas\Inicializar\.protected - Deleted

C:\resycled\boot.com - Deleted

C:\Arquivos de programas\Webtools\webtools.dll - Deleted

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe - Deleted

C:\WINDOWS\system32\CbEvtSvc.exe - Deleted

C:\WINDOWS\system32\csrcs.exe - Deleted

C:\WINDOWS\system32\msupdte.exe - Deleted

C:\WINDOWS\system32\rs32net.exe - Deleted

C:\WINDOWS\SYSTEM32\DRIVERS\TDSSMHCT.sys - Deleted

C:\WINDOWS\SYSTEM32\TDSSNRSR.dll - Deleted

C:\WINDOWS\SYSTEM32\TDSSRIQP.dll - Deleted

C:\WINDOWS\SYSTEM32\TDSSWRYV.dat - Deleted

C:\WINDOWS\SYSTEM32\TDSSOSVD.dat - Deleted

C:\WINDOWS\system32\drivers\ATI4WCXX.sys - Deleted

C:\WINDOWS\system32\drivers\ATI5KPXX.sys - Deleted

C:\WINDOWS\system32\drivers\ATI0AFXX.sys - Deleted

 

 

 

Folder C:\Documents and Settings\Administrador\Dados de aplicativos\gadcom - Removed

Folder C:\Documents and Settings\Administrador\Dados de aplicativos\SpeedRunner - Removed

Folder C:\Arquivos de programas\Webtools - Removed

Folder C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 - Removed

Folder C:\resycled - Removed

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-21 20:31:32

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

ATI0AFXX

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\The All-Seeing Eye\\eye.exe"="C:\\Arquivos de programas\\The All-Seeing Eye\\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"

"C:\\Arquivos de programas\\Ares\\Ares.exe"="C:\\Arquivos de programas\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"

"C:\\Arquivos de programas\\Nival Interactive\\Blitzkrieg\\Run\\game.exe"="C:\\Arquivos de programas\\Nival Interactive\\Blitzkrieg\\Run\\game.exe:*:Enabled:Game"

"C:\\Documents and Settings\\All Users\\Dados de aplicativos\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Dados de aplicativos\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe:*:Enabled:Kaspersky Anti-Virus 2009 Setup"

"C:\\Arquivos de programas\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Arquivos de programas\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"

"C:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"

"C:\\Combat Arms\\CombatArms.exe"="C:\\Combat Arms\\CombatArms.exe:*Enabled:CombatArms.exe"

"C:\\Combat Arms\\Engine.exe"="C:\\Combat Arms\\Engine.exe:*Enabled:Engine.exe"

"C:\\Combat Arms\\NMService.exe"="C:\\Combat Arms\\NMService.exe:*:Enabled:Nexon Messenger Core"

"C:\\Arquivos de programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Arquivos de programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"

"C:\\Arquivos de programas\\Xfire\\xfire.exe"="C:\\Arquivos de programas\\Xfire\\xfire.exe:*:Enabled:Xfire"

"C:\\Arquivos de programas\\HLSW\\hlsw.exe"="C:\\Arquivos de programas\\HLSW\\hlsw.exe:*:Enabled:HLSW"

"C:\\Arquivos de programas\\Teamspeak2_RC2\\server_windows.exe"="C:\\Arquivos de programas\\Teamspeak2_RC2\\server_windows.exe:*:Enabled:Server"

"C:\\Arquivos de programas\\EA GAMES\\MOHAA\\MOHAA.exe"="C:\\Arquivos de programas\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"

"C:\\Arquivos de programas\\EA GAMES\\MOHAA\\MOHAA_server.exe"="C:\\Arquivos de programas\\EA GAMES\\MOHAA\\MOHAA_server.exe:*:Enabled:Medal of Honor Allied Assault"

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"="C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\Ongame\\KickOff\\Bin\\Game\\Game.exe"="C:\\Ongame\\KickOff\\Bin\\Game\\Game.exe:*:Enabled:KickOff"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Documents and Settings\\Administrador\\so7.exe"="C:\\Documents and Settings\\Administrador\\so7.exe:*:Disabled:so7"

"C:\\WINDOWS\\system32\\bndmss.exe"="C:\\WINDOWS\\system32\\bndmss.exe:*:Enabled:BNDMSS"

"C:\\Documents and Settings\\Administrador\\skp66.exe"="C:\\Documents and Settings\\Administrador\\skp66.exeskp66.exe:*:Enabled:BNDMSS"

"skp66.exe"="skp66.exe:*:Enabled:BNDMSS"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Combat Arms\\CombatArms.exe"="C:\\Combat Arms\\CombatArms.exe:*Enabled:CombatArms.exe"

"C:\\Combat Arms\\Engine.exe"="C:\\Combat Arms\\Engine.exe:*Enabled:Engine.exe"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

 

Remaining Files :

 

 

File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Thu 10 Jul 2008 660 ..SHR --- "C:\io64.sys"

Sat 8 Mar 2003 20,480 ..SH. --- "C:\WINDOWS\WinTask.exe"

Sun 24 Feb 2008 4,184 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"

Sun 16 Nov 2008 72,704 ..SHR --- "C:\RECYCLER\S-1-5-21-5588034762-7734295857-701353445-4507\winigon.exe"

Sat 18 Oct 2008 2,568 A.SH. --- "C:\Documents and Settings\All Users\Dados de aplicativos\KGyGaAvL.sys"

Sun 24 Feb 2008 8 ..SHR --- "C:\Documents and Settings\All Users\Dados de aplicativos\C790E63A43.sys"

Sat 16 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Thu 18 Sep 2008 2,568 A.SH. --- "C:\System Volume Information\_restore{BF1C9098-DD76-4CA9-9E86-AAC53D8017A4}\RP395\A0181991.sys"

Wed 6 Aug 2008 114,176 A.SH. --- "C:\System Volume Information\_restore{BF1C9098-DD76-4CA9-9E86-AAC53D8017A4}\RP397\A0183152.EXE"

Tue 28 Oct 2008 30,208 A.SHR --- "C:\System Volume Information\_restore{BF1C9098-DD76-4CA9-9E86-AAC53D8017A4}\RP417\A0187382.com"

Sun 24 Feb 2008 61,435 A..H. --- "C:\Documents and Settings\Administrador\Dados de aplicativos\Free Download Manager\downloads.bak"

Mon 24 Jul 2006 4,348 ..SH. --- "C:\### backup ###\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 12 Sep 2006 20 A..H. --- "C:\Documents and Settings\Administrador\Meus documentos\Minhas músicas\Backup de Licença\drmv1lic.bak"

Mon 24 Jul 2006 4,348 ...H. --- "C:\Documents and Settings\Administrador\Meus documentos\Minhas músicas\Backup de Licença\drmv1key.bak"

Mon 24 Jul 2006 312 A.SH. --- "C:\Documents and Settings\Administrador\Meus documentos\Minhas músicas\Backup de Licença\drmv2key.bak"

Fri 6 Apr 2007 0 A.SH. --- "C:\### backup ###\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Tue 28 Oct 2008 30,208 A.SHR --- "C:\WINDOWS\system32\config\systemprofile\Configurações locais\temp\tmp6A.tmp"

Sun 18 Feb 2007 444 ...HR --- "C:\### backup ###\Documents and Settings\Administrador\Dados de aplicativos\SecuROM\UserData\securom_v7_01.bak"


Wed 12 Nov 2008 411 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Configura‡äes locais\temp\Free Download Manager\tic1BA.tmp"

Wed 12 Nov 2008 1,283 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Configura‡äes locais\temp\Free Download Manager\tic1BD.tmp"

 

Finished!

 

----------------------------------------------------------------------------------------------------------------------------------------------

 

ComboFix 08-11-21.03 - Administrador 2008-11-21 21:21:20.5 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.697 [GMT -2:00]

Running from: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

 

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

----------------------------------------------------------------------------------------------------------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:11, on 2008-11-21

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\bndmss.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\Arquivos de programas\ICQ6Toolbar\ICQ Service.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\system32\ctfmon.exe

c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe

C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Administrador\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQ6Toolbar\ICQToolBar.dll

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AVG Safe Search - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Click-to-Call BHO - {5c255c8a-e604-49b4-9d64-90988571cecb} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\ARQUIV~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: FDMIECookiesBHO Class - {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Arquivos de programas\Free Download Manager\iefdmcks.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQ6Toolbar\ICQToolBar.dll

O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GLDStart] C:\Arquivos de programas\GLDirect\gldirect.exe -filterstart

O4 - HKLM\..\Run: [RAM Idle Professional] C:\Arquivos de programas\RAM Idle LE\RAM_XP.exe

O4 - HKLM\..\Run: [uSBFW] C:\Program Files\Net Studio\USB FireWall\USB FireWall.exe

O4 - HKLM\..\Run: [C:\WINDOWS\SYSTEM32\kdiox.exe] C:\WINDOWS\SYSTEM32\kdiox.exe

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] cmd.exe /c md "%USERPROFILE%\Configurações locais\Temp" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: RagnaOne.lnk = C:\Arquivos de programas\Gravity\Ragnarok Online\RagnaONE.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=www.propheta.com.br

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Arquivos de programas\Yahoo!\Common\Yinsthelper200711281.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68

O17 - HKLM\System\CCS\Services\Tcpip\..\{D2859381-0B90-4EC6-8499-0B55F9B2ACBC}: NameServer = 85.255.112.207;85.255.112.68

O17 - HKLM\System\CS1\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68

O17 - HKLM\System\CS2\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68

O17 - HKLM\System\CS3\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O20 - Winlogon Notify: zgfvqu - zgfvqu.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ICQ Service - Unknown owner - C:\Arquivos de programas\ICQ6Toolbar\ICQ Service.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

 

--

End of file - 12133 bytes

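Before any cleanup tool is run, an analyst would pull a handful of entries out of the log above for a closer look: the O17 NameServer values (the same two resolvers are written under {4D6ABA02-...} in CCS, CS1, CS2 and CS3, not just the current control set), the O20 Winlogon Notify entry pointing at a randomly named DLL that is already gone (zgfvqu.dll), an O4 Run value whose name is its own path (kdiox.exe), and an O23 service with no vendor name in its version info living in system32 (bndmss.exe, also present in the running-process list). The script below is an added example for this thread, not HijackThis code and not part of the original post: it parses lines in HijackThis's format and applies those triage heuristics. The sample lines are copied from the log above; the resolver allow-list is a placeholder (an assumption) that the analyst replaces with the resolvers the ISP or router actually hands out, so the two resolvers in the log are flagged purely because they are not on that list.

```python
"""
Triage heuristics for HijackThis-format log lines.

Added example for this thread, not HijackThis code and not part of the
original post. The sample lines below are copied from the log posted in the
thread; the resolver allow-list is a placeholder (assumption) that the
analyst replaces with the resolvers the ISP or router actually hands out.
"""
import re

# Sample input: a subset of the entries from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AVG Safe Search - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\SYSTEM32\kdiox.exe] C:\WINDOWS\SYSTEM32\kdiox.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D6ABA02-67F2-4B89-B0AD-24315A678565}: NameServer = 85.255.112.207;85.255.112.68
O20 - Winlogon Notify: zgfvqu - zgfvqu.dll (file missing)
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Placeholder allow-list (assumption): replace with the resolvers this network
# is supposed to use. Anything not listed here is reported for review.
EXPECTED_RESOLVERS = frozenset({"192.168.0.1"})

ENTRY_RE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.;]+)")
RUN_VALUE_RE = re.compile(r"\[(.*?)\]")
SYSTEM32_EXE_RE = re.compile(r"\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries, expected_resolvers=EXPECTED_RESOLVERS):
    """Apply analyst heuristics; return (severity, section, reason, body) tuples."""
    findings = []
    for section, body in entries:
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            servers = [s for s in m.group(1).split(";") if s] if m else []
            rogue = [s for s in servers if s not in expected_resolvers]
            if rogue:
                findings.append(("high", section,
                                 "DNS resolvers not on the allow-list: " + ", ".join(rogue), body))
        elif section == "O20" and "(file missing)" in body:
            # A Winlogon Notify package that no longer exists: either an
            # uninstall leftover or a payload removed while its load point stayed.
            findings.append(("high", section, "Winlogon Notify DLL is missing", body))
        elif section in ("O2", "O3") and "(file missing)" in body:
            findings.append(("low", section, "browser extension DLL is missing", body))
        elif section == "O4":
            m = RUN_VALUE_RE.search(body)
            if m and re.match(r"^[A-Za-z]:\\", m.group(1)):
                findings.append(("medium", section, "Run value is named after its own path", body))
        elif section == "O23" and "Unknown owner" in body and SYSTEM32_EXE_RE.search(body):
            findings.append(("high", section,
                             "service binary in system32 carries no vendor name", body))
    return findings


if __name__ == "__main__":
    for severity, section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:6}] {section}: {reason}\n         {body}")
```

Run as-is it reports five findings for the sample; in practice the full log goes into SAMPLE_LOG or is read from a file. The rules only produce candidates: the two PnkBstr services in the full log would trip the O23 rule as well, so each hit still needs the binary itself checked (hash, signature, creation time) before anything is removed.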

Delete the C:\SDFix folder.

 

Step 1

 

- Download Malwarebytes Anti-Malware and save it to the desktop;

 

● Double-click the program to start the installation. Select the language Português (Brasil);

● Midway through the installation, check the options "Update Malwarebytes Anti-Malware" and "Launch Malwarebytes Anti-Malware", and click Finish;

● After the installation, run the program;

● Check the Full Scan option and then click Scan. Select your C: drive and click the Start Scan button;

● When the scan finishes, click OK and the log will be opened automatically for you;

● If anything is detected, make sure all items are checked and click the Remove button;

● The log can also be consulted by clicking Logs in the main menu;

 

Copy and paste the contents of that log in your next reply, together with a new HijackThis log.

 

 

Step 2

 

ComboFix 08-11-21.03 - Administrador 2008-11-21 21:21:20.5 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.697 [GMT -2:00]

Running from: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

 

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

ComboFix did not run correctly. Please restart your computer in Safe Mode (press and hold the F8 key during system startup and choose Safe Mode from the menu).

Once in Safe Mode, repeat the procedure I gave you to run ComboFix again. Then, back in Normal Mode, copy and paste its log here together with the Malwarebytes one.


Topic Archived

 

Since the author did not reply for more than 30 days, the topic was archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of this section together with the link to this topic and explain the reason for reopening.
