
Archived

This topic has been archived and is closed to further replies.

Dinoman

[Archived] Virus Spy.Banker.Gen

Hi everyone, my sincere apologies in advance for opening another topic about this virus or malware, but from what I saw in the other topic I did not pick anything up and could not manage it on my own. Could someone help me?

 

Here is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:57, on 08-12-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\LogMeIn\x86\RaMaint.exe
C:\Programas\LogMeIn\x86\LogMeIn.exe
C:\Programas\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Synaptics\SynTP\SynTPLpr.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programas\On Screen Display\Hotkey.exe
C:\Programas\Battery miser\batterymiser.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp325.exe
C:\WINDOWS\vsnp325.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programas\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\Programas\LogMeIn\x86\LogMeIn.exe
C:\Programas\LogMeIn\x86\LMIGuardian.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KeybdUtility] "C:\Programas\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [batterymiser] "C:\Programas\Battery miser\batterymiser.exe"
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [task] C:\WINDOWS\system32\task.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iSUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-21-2852425141-3399775922-2322413257-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Seleção HP Smart - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://mapguide.cm-aveiro.pt/smiga/03Aplicativos/02mapa_ic/layout_03/map/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat.../muweb_site.cab?1180868710250
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Programas\Ficheiros comuns\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programas\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programas\LogMeIn\x86\LogMeIn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe

--
End of file - 9620 bytes

 

 

and the Silent Runners log:

 

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"ISUSPM" = ""C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler" ["Macrovision Corporation"]

"swg" = "C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SynTPLpr" = "C:\Programas\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]

"SynTPEnh" = "C:\Programas\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

"KeybdUtility" = ""C:\Programas\On Screen Display\Hotkey.exe"" ["LG Electronics"]

"batterymiser" = ""C:\Programas\Battery miser\batterymiser.exe"" ["LG Electronics Inc."]

"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]

"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]

"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]

"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]

"ArcSoft Connection Service" = "C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACDaemon.exe" ["ArcSoft Inc."]

"avgnt" = ""C:\Programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

"FixCamera" = "C:\WINDOWS\FixCamera.exe" [empty string]

"tsnp325" = "C:\WINDOWS\tsnp325.exe" [empty string]

"snp325" = "C:\WINDOWS\vsnp325.exe" [empty string]

"task" = "C:\WINDOWS\system32\task.com" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{0347C33E-8762-4905-BF09-768834316C61}\(Default) = "HP Print Enhancer"

-> {HKLM...CLSID} = "HP Print Enhancer"

\InProcServer32\(Default) = "C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll" ["Hewlett-Packard Co."]

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"

-> {HKLM...CLSID} = "Adobe PDF Link Helper"

\InProcServer32\(Default) = "C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]

{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"

-> {HKLM...CLSID} = "Skype add-on (mastermind)"

\InProcServer32\(Default) = "C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"

-> {HKLM...CLSID} = "AVG Safe Search"

\InProcServer32\(Default) = "C:\Programas\AVG\AVG8\avgssie.dll" [file not found]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Helper"

\InProcServer32\(Default) = "c:\programas\google\googletoolbar1.dll" ["Google Inc."]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"

\InProcServer32\(Default) = "C:\Programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll" ["Google Inc."]

{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\(Default) = "HP Smart BHO Class"

-> {HKLM...CLSID} = "HP Smart BHO Class"

\InProcServer32\(Default) = "C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Apresentar extensão de panorâmica CPL"

-> {HKLM...CLSID} = "Apresentar extensão de panorâmica CPL"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Programas\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"

-> {HKLM...CLSID} = "Universal Plug and Play Devices"

\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "As Minhas Pastas Partilhadas"

\InProcServer32\(Default) = "C:\Programas\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Programas\WinRAR\rarext.dll" [null data]

"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}" = "BatteryMiser Psap"

-> {HKLM...CLSID} = "BatteryMiser PSAP Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\bmpsap.dll" [null data]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\FICHEI~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\FICHEI~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Search Deskbar"

-> {HKCU...CLSID} = "Barra do Ambiente de Trabalho do Windows Search"

\InProcServer32\(Default) = "C:\Programas\Windows Desktop Search\deskbar.dll" [MS]

-> {HKLM...CLSID} = "Windows Search Deskbar"

\InProcServer32\(Default) = "C:\Programas\Windows Desktop Search\deskbar.dll" [MS]

"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"

-> {HKLM...CLSID} = "Windows Desktop Search"

\InProcServer32\(Default) = "C:\Programas\Windows Desktop Search\msnlExt.dll" [MS]

"{0563DB41-F538-4B37-A92D-4659049B7766}" = "WLMD Message Handler"

-> {HKLM...CLSID} = "CLSID_WLMCMimeFilter"

\InProcServer32\(Default) = "C:\Programas\Windows Live\Mail\mailcomm.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}" = "BatteryMiser Psap Shl Ext"

-> {HKLM...CLSID} = "BatteryMiser PSAP Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\bmpsap.dll" [null data]

<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)

-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"

\InProcServer32\(Default) = "C:\Programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

<<!>> LMIinit\DLLName = "LMIinit.dll" ["LogMeIn, Inc."]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Programas\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Programas\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Programas\WinRAR\rarext.dll" [null data]

 

 

Group Policies {policy setting}:

--------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

 

"LowRiskFileTypes" = (REG_SZ) .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi

;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

 

"SaveZoneInformation" = (REG_SZ) 00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoActiveDesktop" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Definições locais\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\sstext3d.scr" [MS]

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

IviDVDEventHandler\

"Provider" = "InterVideo WinDVD 5"

"InvokeProgID" = "Ivi.MediaFile"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = "C:\Programas\InterVideo\DVD5\WinDVD.exe %1" ["InterVideo Inc."]

 

IviVideoCDHandler\

"Provider" = "InterVideo WinDVD 5"

"InvokeProgID" = "Ivi.MediaFile"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = "C:\Programas\InterVideo\DVD5\WinDVD.exe %1" ["InterVideo Inc."]

 

MSWPDShellNamespaceHandler\

"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = " "

-> {HKLM...CLSID} = "WPDShextAutoplay"

\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

 

 

Enabled Scheduled Tasks:

------------------------

 

"Critical Battery Alarm Program" -> WARNING -- The file "Critical Battery Alarm Program.job" is corrupt! (no executable)

"Low Battery Alarm Program" -> WARNING -- The file "Low Battery Alarm Program.job" is corrupt! (no executable)

"Symantec NetDetect" -> launches: "C:\Programas\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 37

%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\programas\google\googletoolbar1.dll" ["Google Inc."]

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\programas\google\googletoolbar1.dll" ["Google Inc."]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{77BF5300-1474-4EC7-9980-D32B190E9B07}\

"ButtonText" = "Skype"

"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"

-> {HKLM...CLSID} = "Skype add-on (button)"

\InProcServer32\(Default) = "C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

 

{DDE87865-83C5-48C4-8357-2F5B1AA84522}\

"ButtonText" = "Seleção HP Smart"

"CLSIDExtension" = "{DDE87865-83C5-48c4-8357-2F5B1AA84522}"

-> {HKLM...CLSID} = "ClipBookBtn Class"

\InProcServer32\(Default) = "C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]

 

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

"MenuText" = "Spybot - Search & Destroy Configuration"

"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

 

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Programas\Messenger\msmsgs.exe" [MS]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Agere Modem Call Progress Audio, AgereModemAudio, "C:\WINDOWS\system32\agrsmsvc.exe" ["Agere Systems"]

ArcSoft Connect Daemon, ACDaemon, "C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACService.exe" ["ArcSoft Inc."]

Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""C:\Programas\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]

Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""C:\Programas\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

HP CUE DeviceDiscovery Service, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Programas\HP\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}

hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Programas\HP\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}

Lavasoft Ad-Aware Service, aawservice, "C:\Programas\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]

LogMeIn, LogMeIn, "C:\Programas\LogMeIn\x86\LogMeIn.exe" ["LogMeIn, Inc."]

LogMeIn Maintenance Service, LMIMaint, ""C:\Programas\LogMeIn\x86\RaMaint.exe"" ["LogMeIn, Inc."]

Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

Windows Search, WSearch, "C:\WINDOWS\system32\SearchIndexer.exe /Embedding" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]

LIDIL hpzll5mu\Driver = "hpzll5mu.dll" ["Hewlett-Packard Company"]

LogMeIn Printer Port Monitor\Driver = "LMIport.dll" ["LogMeIn, Inc."]

 

 

---------- (launch time: 2008-12-08 21:44:45)

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 27 seconds, including 4 seconds for message boxes)

 

 

 

Thanks in advance for the help ;)
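A quick triage pass over HijackThis entries of the kind shown in this post (an added example, not a tool from the thread; the sample lines are copied from the log above, the flag rules are heuristics of my own and the parser only covers the O2, O4 and O23 line shapes):

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: these lines are copied from the HijackThis log posted above,
# so the result can be compared with what the thread later cleans up.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [task] C:\WINDOWS\system32\task.com
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Programas\Ficheiros comuns\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programas\LogMeIn\x86\LogMeIn.exe
"""

# Markers HijackThis appends when the referenced file is not on disk. Note that
# HijackThis did not mark task.com, while Silent Runners did ([file not found]).
MISSING_MARKERS = ("(file missing)", "(no file)", "[file not found]")
# Run-key targets with these extensions are rare for legitimate software on XP.
ODD_AUTORUN_EXT = (".com", ".bat", ".scr", ".pif")


@dataclass
class Entry:
    kind: str                 # "O2" (BHO), "O4" (Run key) or "O23" (service)
    name: str                 # BHO name, Run value name or service display name
    target: str               # path the entry loads or launches ("" if none)
    missing: bool             # HijackThis reported the file as absent
    owner: str = ""           # O23 only: publisher string reported by HijackThis
    flags: list[str] = field(default_factory=list)


def _split_target(text: str) -> tuple[str, bool]:
    """Remove the missing-file marker, surrounding quotes and trailing arguments."""
    missing = any(m in text for m in MISSING_MARKERS)
    for m in MISSING_MARKERS:
        text = text.replace(m, "")
    text = text.strip()
    if text.startswith('"'):
        text = text[1:].split('"', 1)[0]      # quoted path followed by args such as /min
    return text.strip(), missing


def parse_line(line: str) -> Entry | None:
    """Parse one O2/O4/O23 line; every other HijackThis line yields None."""
    m = re.match(r"^(O2|O4|O23) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    if kind == "O4":
        # HKLM\..\Run: [value name] target
        mm = re.match(r"^.*?: \[(?P<name>[^\]]*)\] (?P<target>.*)$", body)
        if not mm:
            return None
        target, missing = _split_target(mm.group("target"))
        return Entry(kind, mm.group("name"), target, missing)
    # O2:  BHO: name - {CLSID} - target      O23: Service: name - owner - target
    # Names may themselves contain " - ", so take the fields from the right.
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    target, missing = _split_target(parts[-1])
    name = " - ".join(parts[:-2]).split(": ", 1)[1]
    owner = parts[-2] if kind == "O23" else ""
    return Entry(kind, name, target, missing, owner=owner)


def triage(entry: Entry) -> Entry:
    """Attach plain-language flags; an empty list means nothing stood out."""
    if entry.missing:
        entry.flags.append("launch point references a file that is not on disk")
    if entry.kind == "O4" and entry.target.lower().endswith(ODD_AUTORUN_EXT):
        entry.flags.append("Run entry with an unusual executable extension")
    if entry.kind == "O23" and entry.owner == "Unknown owner":
        entry.flags.append("service binary has no publisher recorded")
    return entry


def triage_log(text: str) -> list[Entry]:
    """Return only the entries of a HijackThis log that carry at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind:4} {e.name!r:45} {e.target}")
        for f in e.flags:
            print(f"       - {f}")
```

Orphaned entries from an uninstalled product (the AVG BHO here) are noise rather than infection, but removing them keeps the next log readable; the .com in system32 is the line worth checking first.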


• Download: < ComboFix.exe >

• Save it to the Desktop!

Disable the resident protections of: antivirus, antispyware and firewall. (Except the Windows one!)

Close all windows and run the tool!

• At the prompt: "Disclaimer of software warranty" --> Click Yes!

• If you do not have the "Recovery Console", accept the option to install it!

 

<!> If you get the notification: Invalid Win32 application, delete the tool and download it again.

-- Save it to the desktop, renamed as: Kombo.exe

-- PS: Name it while saving, not after saving it!

-- PS: If any error message appears, run ComboFix.exe in Safe Mode.

-- PS: To complete the removals, the tool may need to restart the computer. <-- Wait!

-- PS: Avoid running this tool on your own initiative! Follow all the recommendations given above.

• The Auto Scan window will open. --> Wait!

• In order to complete the removals, ComboFix may restart the computer.

• If necessary, type the option to continue! --> ( 1 ) --> Press Enter.

Wait for it to finish!

During the scan, avoid using the mouse or keyboard! <-- Important!

• To stop or exit ComboFix, press "N" --> Enter.

----------------------

• When finished, post the reports: C:\ComboFix.txt + an updated HijackThis log.


ComboFix 08-12-07.04 - ANDRE 2008-12-09 23:40:21.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.2070.18.1585 [GMT 0:00]

Executando de: c:\documents and settings\ANDRE\Ambiente de trabalho\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\ANDRE\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll

c:\documents and settings\ANDRE\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\desktop.ini

c:\windows\system32\bsnzafqa.bin

c:\windows\system32\cfg.dat

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\desktop.ini

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\MessengerStatsPAClient.dll

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\MgAxCtrl.dll

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\MgAxCtrl.inf

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\MsnPUpld.dll

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\MsnPUpld.inf

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\muweb.inf

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\PURen-us.dll

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\PURpt-pt.dll

c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\swflash.inf

E:\Autorun.inf

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-11-09 to 2008-12-09 ))))))))))))))))))))))))))))

.

 

2008-12-09 22:15 . 2008-12-09 22:15 <DIR> d-------- c:\programas\Malwarebytes' Anti-Malware

2008-12-09 22:15 . 2008-12-09 22:15 <DIR> d-------- c:\documents and settings\ANDRE\Application Data\Malwarebytes

2008-12-09 22:15 . 2008-12-09 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-09 22:15 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-09 22:15 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-09 22:07 . 2008-12-09 22:08 <DIR> d-------- c:\programas\EsetOnlineScanner

2008-12-09 22:01 . 2008-12-09 22:01 <DIR> d-------- C:\!KillBox

2008-12-09 21:52 . 2008-12-09 21:52 <DIR> d-------- c:\documents and settings\Administrador\Application Data\Windows Search

2008-12-08 22:35 . 2008-12-08 22:35 <DIR> d-------- c:\programas\Trend Micro

2008-12-06 17:33 . 2008-12-08 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2008-12-06 10:47 . 2008-12-06 10:54 <DIR> d-------- c:\temp\The.Name.Of.The.Rose.1986.NORDiC.PAL.DVDR-DNA

2008-12-02 18:39 . 2008-12-04 21:17 <DIR> d-------- c:\temp\Tom.and.Jerry.Tales.V5.2008.DVDRip.XviD-ARiGOLD

2008-12-01 19:46 . 2008-12-01 19:55 <DIR> d-------- c:\temp\Vacancy.2007.MULTi.PAL.DVDR-WGS

2008-11-30 02:35 . 2007-11-30 03:00 1,843,398 --a------ c:\windows\system32\drivers\imbbpf001.bmp

2008-11-30 02:35 . 2008-01-06 15:17 1,266,902 --a------ c:\windows\system32\drivers\imbbpf002.bmp

2008-11-30 02:35 . 2006-11-09 12:36 1,084,902 --a------ c:\windows\system32\drivers\bradechaveiro.bmp

2008-11-30 02:35 . 2006-11-08 16:22 1,064,042 --a------ c:\windows\system32\drivers\bradbranco.bmp

2008-11-30 02:35 . 2008-02-22 00:34 980,982 --a------ c:\windows\system32\drivers\bescchaves.bmp

2008-11-30 02:35 . 2007-05-15 00:42 929,038 --a------ c:\windows\system32\drivers\uni1.bmp

2008-11-30 02:35 . 2008-02-21 17:18 780,278 --a------ c:\windows\system32\drivers\imgbns01.bmp

2008-11-30 02:35 . 2008-03-17 19:47 511,574 --a------ c:\windows\system32\drivers\rurlsenha.bmp

2008-11-30 02:35 . 2007-05-15 01:16 373,014 --a------ c:\windows\system32\drivers\eletronica.bmp

2008-11-30 02:35 . 2007-05-13 02:11 134,670 --a------ c:\windows\system32\drivers\unitc1.bmp

2008-11-30 02:35 . 2007-05-13 02:15 133,722 --a------ c:\windows\system32\drivers\unitc2.bmp

2008-11-30 02:34 . 2007-09-13 12:41 1,228,150 --a------ c:\windows\system32\drivers\imgbrdchave01.bmp

2008-11-30 02:34 . 2007-09-13 14:47 1,228,150 --a------ c:\windows\system32\drivers\imgbrd03.bmp

2008-11-30 02:34 . 2008-02-21 00:06 1,113,654 --a------ c:\windows\system32\drivers\nossa22.bmp

2008-11-30 02:34 . 2008-11-30 02:34 487,979 --a------ c:\windows\system32\imagens1234.exe

2008-11-30 02:34 . 2008-11-30 02:34 0 --a------ c:\windows\system32\enviado.flg

2008-11-28 21:47 . 2008-11-28 21:49 <DIR> d-------- c:\temp\Fly.Me.To.The.Moon.2-D.2008.DVDRiP.XviD-iNTiMiD

2008-11-21 00:42 . 2008-11-21 00:43 <DIR> d-------- c:\programas\Imaginewheel

2008-11-15 22:04 . 2007-02-12 14:50 20,480 --a------ c:\windows\FixCamera.exe

2008-11-15 22:03 . 2008-11-15 22:03 <DIR> d-------- c:\programas\Ficheiros comuns\snp325

2008-11-15 22:03 . 2007-05-07 18:38 10,343,168 --a------ c:\windows\system32\drivers\snp325.sys

2008-11-15 22:03 . 2007-05-09 10:46 835,584 --a------ c:\windows\vsnp325.exe

2008-11-15 22:03 . 2007-04-21 09:30 270,336 --a------ c:\windows\tsnp325.exe

2008-11-15 22:03 . 2006-04-12 12:11 147,456 --a------ c:\windows\system32\rsnp325.dll

2008-11-15 22:03 . 2007-04-24 15:40 57,344 --a------ c:\windows\system32\vsnp325.dll

2008-11-15 22:03 . 2005-11-23 13:55 53,248 --a------ c:\windows\system32\csnp325.dll

2008-11-15 22:03 . 2004-02-27 17:36 15,498 --a------ c:\windows\snp325.ini

2008-11-15 22:03 . 2004-02-27 17:36 13,023 --a------ c:\windows\snp325.src

2008-11-15 22:01 . 2008-11-15 22:01 <DIR> d-------- c:\documents and settings\ANDRE\Application Data\InstallShield

2008-11-15 10:26 . 2008-11-16 17:43 <DIR> d-------- c:\programas\software tmn

2008-11-12 11:47 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-12 11:46 . 2008-09-04 17:16 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-10 01:25 . 2008-11-10 01:25 <DIR> d-------- c:\documents and settings\ANDRE\Application Data\Windows Search

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-09 23:08 --------- d-----w c:\documents and settings\ANDRE\Application Data\uTorrent

2008-12-09 23:02 --------- d-----w c:\documents and settings\ANDRE\Application Data\HPAppData

2008-12-09 01:31 --------- d-----w c:\programas\LogMeIn

2008-12-07 01:02 73,216 ----a-w c:\windows\ST6UNST.EXE

2008-12-07 01:02 249,856 ------w c:\windows\Setup1.exe

2008-12-07 01:02 --------- d-----w c:\programas\Nissan DataScan

2008-11-30 20:11 --------- d-----w c:\documents and settings\ANDRE\Application Data\Skype

2008-11-30 16:09 --------- d-----w c:\documents and settings\ANDRE\Application Data\skypePM

2008-11-29 19:45 --------- d-----w c:\programas\Windows Live

2008-11-29 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller

2008-11-15 22:03 --------- d--h--w c:\programas\InstallShield Installation Information

2008-11-13 22:54 --------- d-----w c:\programas\NissanDataScan

2008-11-08 14:38 --------- d-----w c:\programas\Google

2008-11-08 14:37 --------- d-----w c:\programas\Ficheiros comuns\Skype

2008-10-28 23:18 --------- d-----w c:\programas\Simpli Software

2008-10-28 23:03 --------- d-----w c:\documents and settings\ANDRE\Application Data\Nero

2008-10-28 22:55 --------- d-----w c:\programas\Ficheiros comuns\Nero

2008-10-28 22:48 --------- d-----w c:\programas\Nero

2008-10-28 22:46 --------- d-----w c:\programas\Windows Sidebar

2008-10-28 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\Nero

2008-10-28 22:16 --------- d-----w c:\programas\Ahead

2008-10-28 22:15 --------- d-----w c:\programas\Ficheiros comuns\Ahead

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-22 18:07 --------- d-----w c:\programas\Microsoft Silverlight

2008-10-16 19:35 87,352 ----a-w c:\windows\system32\LMIinit.dll

2008-10-16 19:35 83,288 ----a-w c:\windows\system32\LMIRfsClientNP.dll

2008-10-16 19:35 28,984 ----a-w c:\windows\system32\LMIport.dll

2008-10-16 19:35 23,736 ----a-w c:\windows\system32\lmimirr.dll

2008-10-16 19:35 10,040 ----a-w c:\windows\system32\lmimirr2.dll

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-12 16:05 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn

2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-15 15:25 1,846,528 ----a-w c:\windows\system32\win32k.sys

2008-09-10 01:15 1,307,648 ----a-w c:\windows\system32\msxml6.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]

"swg"="c:\programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-19 68856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\programas\Synaptics\SynTP\SynTPLpr.exe" [2004-10-29 98394]

"SynTPEnh"="c:\programas\Synaptics\SynTP\SynTPEnh.exe" [2004-10-29 688218]

"KeybdUtility"="c:\programas\On Screen Display\Hotkey.exe" [2005-01-27 73728]

"batterymiser"="c:\programas\Battery miser\batterymiser.exe" [2006-06-01 335872]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]

"ArcSoft Connection Service"="c:\programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-02-22 72192]

"avgnt"="c:\programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"FixCamera"="c:\windows\FixCamera.exe" [2007-02-12 20480]

"tsnp325"="c:\windows\tsnp325.exe" [2007-04-21 270336]

"snp325"="c:\windows\vsnp325.exe" [2007-05-09 835584]

"AGRSMMSG"="AGRSMMSG.exe" [2004-11-09 c:\windows\AGRSMMSG.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= "c:\windows\system32\bmpsap.dll" [2006-06-01 114688]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-16 19:35 87352 c:\windows\system32\LMIinit.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= c:\progra~1\ffdshow\ffdshow.ax

"msacm.l3codec"= l3codecp.acm

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Windows Search.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-06-12 01:38 34672 c:\programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

--a------ 2004-12-07 21:10 344064 c:\programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]

-ra------ 2003-01-21 07:19 40960 c:\windows\VM_STI.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2007-10-14 20:17 49152 c:\programas\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]

--a------ 2008-08-20 09:54 150016 c:\programas\HP\Digital Imaging\bin\HpqSRmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPO3]

--a------ 2005-06-22 11:00 1028096 c:\programas\LG Software\IP Operator 2005\IP Operator 2005.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]

--a------ 2003-09-23 06:40 57344 c:\programas\Lexmark X6100 Series\lxbfbmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG Intelligent Update]

--a------ 2007-06-02 13:23 102400 c:\programas\lg_swupdate\autoupdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

--a------ 2008-07-24 17:46 63048 c:\programas\LogMeIn\x86\LogMeInSystray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 11:34 5724184 c:\programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 05:24 286720 c:\programas\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-09-23 14:17 21755688 c:\programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-09-16 11:16 1833296 c:\programas\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]

--a------ 2005-09-14 19:44 65536 c:\programas\USB Disk Win98 Driver\Res.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Programas\\InterVideo\\DVD5\\WinDVD.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Programas\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Programas\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Torrents\\uTorrent.exe"=

"c:\\Programas\\Skype\\Phone\\Skype.exe"=

 

R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\programas\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-12 47640]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2005-01-17 1287296]

S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\ANDRE\DEFINI~1\Temp\kwwalpgr.sys []

S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\DRIVERS\snp325.sys [2008-11-15 10343168]

S4 LMIRfsClientNP;LMIRfsClientNP; []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13f742c0-56e6-11db-a4d1-0012f02d7c4f}]

\Shell\AutoRun\command - E:\VMC_PBStarter.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13f742c1-56e6-11db-a4d1-0012f02d7c4f}]

\Shell\AutoRun\command - F:\StartVMCLite.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fbf5eea-f919-11dc-a5bc-0012f02d7c4f}]

\Shell\AutoRun\command - E:\VMC_PBStarter.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fbf5eeb-f919-11dc-a5bc-0012f02d7c4f}]

\Shell\AutoRun\command - E:\VMC_PBStarter.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3356a0-6af5-11dd-a671-0012f02d7c4f}]

\Shell\AutoRun\command - E:\StartVMCLite.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a5eb438-c3bb-11dd-a6ff-00e091098ab5}]

\Shell\AutoRun\command - E:\

\Shell\open\Command - rundll32.exe .\\qdb.dll,InstallM

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ac72e94-4803-11dc-a4d3-0012f02d7c4f}]

\Shell\AutoRun\command - E:\VMC_PBStarter.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3612278-b2ff-11dd-a6e5-0012f02d7c4f}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b361227c-b2ff-11dd-a6e5-0012f02d7c4f}]

\Shell\AutoRun\command - E:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5ac0e1a-73c0-11dd-a67f-0012f02d7c4f}]

\Shell\AutoRun\command - E:\StartVMCLite.exe

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-12-09 c:\windows\Tasks\Symantec NetDetect.job

- c:\programas\Symantec\LiveUpdate\NDETECT.EXE [2003-09-09 13:15]

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKLM-Run-task - c:\windows\system32\task.com

HKLM-Run-Cmaudio - cmicnfg.cpl

MSConfigStartUp-AudioHQ - c:\windows\system32\audiohq.exe

MSConfigStartUp-w - C:\w.exe

MSConfigStartUp-explorer - c:\windows\java\service.exe

MSConfigStartUp-Gbpsv - c:\windows\system32\Gbpsv.exe

MSConfigStartUp-msnmsg - c:\windows\system32\msnmsg.exe

MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe

MSConfigStartUp-swg - c:\programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

 

 

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.pt/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

FireFox -: Profile - c:\documents and settings\ANDRE\Application Data\Mozilla\Firefox\Profiles\z10v61do.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.pt/

FF -: plugin - c:\programas\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll

FF -: plugin - c:\programas\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF -: plugin - c:\programas\Mozilla Firefox\plugins\np_gp.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-09 23:44:05

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(936)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Tempo para conclusão: 2008-12-09 23:45:33

ComboFix-quarantined-files.txt 2008-12-09 23:45:23

 

Pré-execução: 24,615,145,472 bytes livres

Pós execução: 24,593,969,152 bytes livres

 

293 --- E O F --- 2008-11-30 20:01:54

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:47:20, on 09-12-2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programas\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACService.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Programas\Synaptics\SynTP\SynTPLpr.exe

C:\Programas\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Programas\On Screen Display\Hotkey.exe

C:\WINDOWS\system32\svchost.exe

C:\Programas\Battery miser\batterymiser.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Programas\LogMeIn\x86\RaMaint.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\tsnp325.exe

C:\Programas\LogMeIn\x86\LogMeIn.exe

C:\Programas\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Programas\LogMeIn\x86\LogMeInSystray.exe

C:\Programas\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\explorer.exe

C:\Programas\Mozilla Firefox\firefox.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [KeybdUtility] "C:\Programas\On Screen Display\Hotkey.exe"

O4 - HKLM\..\Run: [batterymiser] "C:\Programas\Battery miser\batterymiser.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [avgnt] "C:\Programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iSUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Seleção HP Smart - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://mapguide.cm-aveiro.pt/smiga/03Aplic...ap/mgaxctrl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180868710250

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Programas\Ficheiros comuns\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodata Limited License Service - Unknown owner - C:\Programas\Ficheiros comuns\Autodata Limited Shared\Service\ADCDLicSvc.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programas\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programas\LogMeIn\x86\LogMeIn.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe

 

--

End of file - 9032 bytes

 

 

Thank you in advance for the help provided


Avira AntiVir Personal

Report file date: terça-feira, 9 de Dezembro de 2008 23:49

 

Scanning for 1080260 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 3) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: NOME-7A8C0139DA

 

Version information:

BUILD.DAT : 8.2.0.337 16934 Bytes 18-11-2008 13:05:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 27-11-2008 19:05:13

AVSCAN.DLL : 8.1.4.0 40705 Bytes 26-05-2008 08:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 12-06-2008 13:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 26-05-2008 08:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27-10-2008 22:37:14

ANTIVIR1.VDF : 7.1.0.197 1170432 Bytes 07-12-2008 01:25:14

ANTIVIR2.VDF : 7.1.0.198 2048 Bytes 07-12-2008 01:25:15

ANTIVIR3.VDF : 7.1.0.213 63488 Bytes 09-12-2008 22:44:31

Engineversion : 8.2.0.43

AEVDF.DLL : 8.1.0.6 102772 Bytes 16-10-2008 18:10:19

AESCRIPT.DLL : 8.1.1.18 336251 Bytes 09-12-2008 01:24:57

AESCN.DLL : 8.1.1.5 123251 Bytes 08-11-2008 19:24:27

AERDL.DLL : 8.1.1.3 438645 Bytes 05-11-2008 18:19:12

AEPACK.DLL : 8.1.3.4 393591 Bytes 11-11-2008 18:19:24

AEOFFICE.DLL : 8.1.0.32 196987 Bytes 05-12-2008 19:03:51

AEHEUR.DLL : 8.1.0.74 1519990 Bytes 05-12-2008 19:03:49

AEHELP.DLL : 8.1.2.0 119159 Bytes 18-11-2008 18:23:34

AEGEN.DLL : 8.1.1.6 323955 Bytes 28-11-2008 19:04:13

AEEMU.DLL : 8.1.0.9 393588 Bytes 16-10-2008 18:10:15

AECORE.DLL : 8.1.5.2 172405 Bytes 28-11-2008 19:04:11

AEBB.DLL : 8.1.0.3 53618 Bytes 16-10-2008 18:10:13

AVWINLL.DLL : 1.0.0.12 15105 Bytes 09-07-2008 09:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 16-05-2008 10:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 04-10-2008 14:45:13

AVREG.DLL : 8.0.0.1 33537 Bytes 09-05-2008 12:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 12-02-2008 09:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12-06-2008 13:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 22-01-2008 18:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12-06-2008 13:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 25-01-2008 13:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12-06-2008 14:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 27-06-2008 14:34:37

 

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\programas\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, E:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: on

Scan all files...................: All files

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,

Macro heuristic..................: on

File heuristic...................: medium

Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

 

Start of the scan: terça-feira, 9 de Dezembro de 2008 23:49

 

Starting search for hidden objects.

'62800' objects were checked, '0' hidden objects were found.

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wscntfy.exe' - '1' Module(s) have been scanned

Scan process 'LMIGuardian.exe' - '1' Module(s) have been scanned

Scan process 'LogMeInSystray.exe' - '1' Module(s) have been scanned

Scan process 'searchindexer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'ISUSPM.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'LMIGuardian.exe' - '1' Module(s) have been scanned

Scan process 'LogMeIn.exe' - '1' Module(s) have been scanned

Scan process 'tsnp325.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'ACDaemon.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'ramaint.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'batterymiser.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'HotKey.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned

Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned

Scan process 'ACService.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

52 processes with 52 modules were scanned

 

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

 

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'E:\'

[INFO] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '57' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\ANDRE\Ambiente de trabalho\ComboFix.exe

[0] Archive type: RAR SFX (self extracting)

--> 32788R22FWJFW\hidec.exe

[DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program

--> 32788R22FWJFW\NirCmd.cfexe

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

--> 32788R22FWJFW\nircmd.com

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

--> 32788R22FWJFW\NirCmdC.cfexe

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.1.B application

--> 32788R22FWJFW\psexec.cfexe

[1] Archive type: RSRC

--> Object

[DETECTION] Contains recognition pattern of the APPL/PsExec.E application

[WARNING] The file was ignored!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP622\A0078526.exe

[DETECTION] Is the TR/Crypt.CFI.Gen Trojan

[NOTE] The file was moved to '496f09cd.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP635\A0081172.com

[DETECTION] Contains recognition pattern of the WORM/VB.IA.1 worm

[NOTE] The file was moved to '496f7191.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP640\A0083411.exe

[DETECTION] Is the TR/Spy.Banker.Gen Trojan

[NOTE] The file was moved to '496f721b.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP640\A0083412.exe

[0] Archive type: HIDDEN

--> FIL\\\?\C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP640\A0083412.exe

[DETECTION] Is the TR/Spy.Banker.Gen Trojan

[NOTE] The file was moved to '496f721e.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP642\A0087473.exe

[DETECTION] Is the TR/Crypt.CFI.Gen Trojan

[WARNING] The file was ignored!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP642\A0087474.scr

[0] Archive type: HIDDEN

--> FIL\\\?\C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP642\A0087474.scr

[DETECTION] Is the TR/Spy.Banker.Gen Trojan

[NOTE] The file was moved to '496f7289.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0089501.exe

[DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program

[NOTE] The file was moved to '496f72b6.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0089509.com

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

[NOTE] The file was moved to '496f72b9.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0089524.exe

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

[NOTE] The file was moved to '496f72c1.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090498.exe

[DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program

[NOTE] The file was moved to '496f72c5.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090509.com

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

[NOTE] The file was moved to '496f72c7.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090520.exe

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

[NOTE] The file was moved to '496f72cc.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090543.exe

[DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program

[NOTE] The file was moved to '496f72d0.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090551.com

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

[NOTE] The file was moved to '496f72d2.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090562.exe

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

[NOTE] The file was deleted!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090572.EXE

[DETECTION] Contains recognition pattern of the APPL/PsExec.E application

[NOTE] The file was moved to '496f72dd.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090599.exe

[DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program

[NOTE] The file was moved to '496f72e0.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090606.com

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

[NOTE] The file was moved to '496f72e3.qua'!

C:\System Volume Information\_restore{DC529E51-AF6C-4E72-8537-6A9EDC807386}\RP643\A0090618.exe

[0] Archive type: RAR SFX (self extracting)

--> 32788R22FWJFW\hidec.exe

[DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program

--> 32788R22FWJFW\NirCmd.cfexe

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

--> 32788R22FWJFW\nircmd.com

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application

--> 32788R22FWJFW\NirCmdC.cfexe

[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.1.B application

--> 32788R22FWJFW\psexec.cfexe

[1] Archive type: RSRC

--> Object

[DETECTION] Contains recognition pattern of the APPL/PsExec.E application

[NOTE] The file was moved to '496f72e8.qua'!

Begin scan in 'E:\' <My Passport>

 

 

End of the scan: quarta-feira, 10 de Dezembro de 2008 08:02

Used time: 8:12:05 Hour(s)

 

The scan has been done completely.

 

5219 Scanning directories

208913 Files were scanned

28 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

1 files were deleted

0 files were repaired

17 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

208883 Files not concerned

8687 Archives were scanned

4 Warnings

18 Notes

62800 Objects were scanned with rootkit scan

0 Hidden objects were found


I suggest you print or save the procedures below, and do not use the internet until the procedure is finished.

 

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

 

File::

E:\VMC_PBStarter.exe

F:\StartVMCLite.exe

E:\StartVMCLite.exe

E:\AutoRun.exe

E:\StartVMCLite.exe

c:\windows\FixCamera.exe

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"FixCamera"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13f742c0-56e6-11db-a4d1-0012f02d7c4f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13f742c1-56e6-11db-a4d1-0012f02d7c4f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fbf5eea-f919-11dc-a5bc-0012f02d7c4f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fbf5eeb-f919-11dc-a5bc-0012f02d7c4f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3356a0-6af5-11dd-a671-0012f02d7c4f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a5eb438-c3bb-11dd-a6ff-00e091098ab5}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ac72e94-4803-11dc-a4d3-0012f02d7c4f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3612278-b2ff-11dd-a6e5-0012f02d7c4f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b361227c-b2ff-11dd-a6e5-0012f02d7c4f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5ac0e1a-73c0-11dd-a67f-0012f02d7c4f}]

 

This script was written only for this computer, according to the files and keys present; do not use it on another computer, as it can cause damage.

 

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

 

cfscript.gif

 

ComboFix will run and will restart the PC automatically to complete the removal process.

 

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

 

When it finishes, a log will be generated at C:\ComboFix.txt.

 

Post it together with the new HijackThis log.

 

PS: Do the procedures with the pen drive connected.
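Before a CFScript is dropped onto ComboFix it is worth seeing exactly what it will delete. The parser below is an added example, not part of the post and not ComboFix's own code: it reads the File:: and Registry:: sections (the latter in .reg syntax, where `[-Key]` removes a key and `"Name"=-` removes a value), flags duplicate file entries, non-GUID MountPoints2 keys and values that would be written rather than removed, and returns the resulting action plan. The sample input is the script from the post above, abridged to two of its MountPoints2 keys.

```python
import re
# Constructed sample input: the CFScript posted above, abridged to two of its ten MountPoints2 keys.
SAMPLE_CFSCRIPT = r"""File::
E:\VMC_PBStarter.exe
F:\StartVMCLite.exe
E:\StartVMCLite.exe
E:\AutoRun.exe
E:\StartVMCLite.exe
c:\windows\FixCamera.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCamera"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13f742c0-56e6-11db-a4d1-0012f02d7c4f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a5eb438-c3bb-11dd-a6ff-00e091098ab5}]
"""
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")  # .reg syntax: [-Key] deletes the whole key
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')            # .reg syntax: "Name"=- deletes one value
GUID_RE = re.compile(r"\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def parse_cfscript(text):
    """Return the delete actions a CFScript would perform, plus warnings worth a second look."""
    plan = {"files": [], "keys": [], "values": [], "warnings": []}
    section = current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, current_key = m.group(1).lower(), None
        elif section == "file":
            if line.lower() in (f.lower() for f in plan["files"]):
                plan["warnings"].append(f"line {lineno}: duplicate file entry {line}")
            else:
                plan["files"].append(line)
        elif section == "registry" and (m := KEY_RE.match(line)):
            # [-Key] removes the whole key, so no value lines may follow it
            key, current_key = m.group(2), None if m.group(1) else m.group(2)
            if m.group(1):
                plan["keys"].append(key)
                if "\\mountpoints2\\" in key.lower() and not GUID_RE.search(key):  # per-volume GUIDs only
                    plan["warnings"].append(f"line {lineno}: MountPoints2 key is not a volume GUID")
        elif section == "registry" and current_key and (m := VALUE_RE.match(line)):
            if m.group(2) == "-":
                plan["values"].append((current_key, m.group(1)))
            else:
                plan["warnings"].append(f"line {lineno}: value {m.group(1)} is written, not removed")
        else:
            plan["warnings"].append(f"line {lineno}: unrecognised line {line!r}")
    return plan
```

Run it with `parse_cfscript(SAMPLE_CFSCRIPT)` and compare the returned plan against the script before using it; the MountPoints2 keys are the per-volume entries Explorer keeps for removable drives, which is why the helper asks for the pen drive to be connected.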


Topic Archived

 

As the author did not reply for more than 30 days, the topic was archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of the area together with the link to this topic and explain the reason for reopening.
