cobradorf

[Archived] I can't install any antivirus...

Hello, good afternoon everyone. Sorry if I'm posting in the wrong place. Some time ago I used Avira and could no longer update it, so I decided to remove it and download it again, but since then I can't install any antivirus at all. I tried AVG, Avira, McAfee, among others, and nothing; I even formatted the PC. I don't know much about computers, so I'd appreciate it if someone could help me. Thanks a lot to everyone in advance... cheers


Topic Moved

Origin: Dúvidas Gerais → Destination: Segurança & Malwares

-----------------------

Post a log as described in this topic:

http://forum.imasters.com.br/index.php?showtopic=165906


Hello, sorry for my mistake about where I posted the problem.... The log that was generated is this:


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:07:47, on 20/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bndmss.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\ZSSnp211.exe

C:\WINDOWS\Domino.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\XP-5CED94A8.EXE

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvggws.exe

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyrxak.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe

O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe

O4 - HKLM\..\Run: [barsaka] explorer.exe

O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE

O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NitroPC] "C:\Arquivos de programas\NitroPC\NitroPC.exe" -minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5CED94A8.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Reboot.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C42F28EA-3D2B-41C1-BA4B-F8E16335B24D}: NameServer = 200.222.0.34 200.202.193.75

O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 4877 bytes

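The log above already shows the patterns a responder looks for before writing a removal script: processes running from the user's Temp directory, autorun entries and binaries with random hex-style names (XP-5CED94A8.EXE), a BHO with no file behind it, an O7 policy that disables regedit, and a service with no publisher living in system32. The script below is an added example, not part of this thread and not HijackThis code; it parses a constructed HijackThis-style fragment (copied in shape from the log above, with the same line formats) and returns one finding per suspicious line. The heuristics (the regular expressions and the labels) are this example's own assumptions, not rules from the tool.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2 format, modelled on the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\XP-5CED94A8.EXE
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvggws.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [barsaka] explorer.exe
O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
"""

# Heuristics (assumptions of this example, not HijackThis rules).
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)
# Short all-hex executable names such as 4560.EXE, DF7BE.EXE or XP-5CED94A8.EXE.
HEX_NAME = re.compile(r"\\(?:XP-)?[0-9A-F]{4,8}\.EXE$", re.IGNORECASE)


def _is_process_line(line: str) -> bool:
    """A bare path from the 'Running processes' block, not an 'Oxx - ...' entry."""
    return ":\\" in line and " - " not in line


def classify(line: str) -> List[str]:
    """Return the findings for one log line (empty list if nothing stands out)."""
    findings: List[str] = []
    if _is_process_line(line):
        if TEMP_PATH.search(line):
            findings.append("process running from a Temp directory")
        if HEX_NAME.search(line):
            findings.append("process with random hex-style name")
    elif line.startswith("O2 - BHO") and line.endswith("(no file)"):
        findings.append("BHO registered but backing DLL missing (orphan or hidden)")
    elif line.startswith("O4 -"):
        if HEX_NAME.search(line):
            findings.append("autorun entry with random hex-style name")
        if re.search(r"\] explorer\.exe$", line, re.IGNORECASE):
            findings.append("autorun entry re-launching explorer.exe (not a Windows default)")
    elif line.startswith("O7 -"):
        findings.append("policy restriction set (tools such as regedit disabled)")
    elif line.startswith("O23 -") and "Unknown owner" in line:
        findings.append("service without a publisher, binary in system32")
    return findings


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk a HijackThis log and return (finding, line) pairs worth a closer look."""
    results: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for finding in classify(line):
            results.append((finding, line))
    return results


if __name__ == "__main__":
    for finding, line in triage(SAMPLE_LOG):
        print(f"[{finding}] {line}")
```

Run against the full log in the post above, the same rules would also pick out the two Temp-resident processes (winvggws.exe, winyrxak.exe) and the Startup .lnk pointing at XP-5CED94A8.EXE; the legitimate NVIDIA, Lexmark and Adobe entries produce no findings, which is the property a triage filter needs before a helper starts naming files for removal.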

cobradorf, sorry for the delay.

If you still need help, follow the procedure below.

- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so it doesn't detect the tool as a virus;

● Double-click the combofix.exe icon to start the scan;

● Read the agreement that appears and click Yes to continue;

● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;

● Wait while ComboFix scans;

● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;

Do not click on the ComboFix window, and try not to use the keyboard either, so as not to interfere with the tool's scan;

● If you want to quit or stop ComboFix, press N;

● When it finishes, your machine will restart. After the restart the tool will run again; wait;

● A log will be generated at C:\ComboFix.txt.

Paste this log in your next reply.


I hope I did it right....

ComboFix 09-01-08.05 - Fernilson 2009-01-09 19:54:23.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.446.71 [GMT -2:00]

Executando de: c:\documents and settings\Fernilson\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\com.run

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\dp1.fne

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\eAPI.fne

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\internet.fne

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\krnln.fnr

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\RegEx.fnr

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\shell.fne

c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\spec.fne

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\winupd32.exe

c:\windows\IE4 Error Log.txt

c:\windows\system32\4560.EXE

c:\windows\system32\com.run

c:\windows\system32\dp1.fne

c:\windows\system32\eAPI.fne

c:\windows\system32\internet.fne

c:\windows\system32\krnln.fnr

c:\windows\system32\og.dll

c:\windows\system32\og.edt

c:\windows\system32\RegEx.fnr

c:\windows\system32\shell.fne

c:\windows\system32\spec.fne

c:\windows\system32\ul.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_BNDMSS

-------\Legacy_GBPSV

-------\Service_BNDMSS

-------\Service_GbpSv

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-09 to 2009-01-09 ))))))))))))))))))))))))))))

.

 

2009-01-08 09:29 . 2009-01-08 09:29 0 --a------ C:\a73c

2009-01-06 05:34 . 2009-01-06 05:34 0 --a------ C:\a028

2008-12-28 06:02 . 2008-12-28 06:02 0 --a------ C:\b18d

2008-12-27 20:57 . 2008-12-27 20:57 <DIR> d-------- c:\arquivos de programas\Lexmark 510 Series

2008-12-27 20:57 . 2003-11-06 05:57 307,200 --a------ c:\windows\system32\LEXBCES.EXE

2008-12-27 20:57 . 2003-11-06 05:57 201,216 --a------ c:\windows\system32\LEXP2P32.DLL

2008-12-27 20:57 . 2003-11-06 06:03 200,192 --a------ c:\windows\system32\lexlmpm.dll

2008-12-27 20:57 . 2003-11-06 05:56 197,120 --a------ c:\windows\system32\LEX2KUSB.DLL

2008-12-27 20:57 . 2003-11-06 05:57 174,592 --a------ c:\windows\system32\LEXPPS.EXE

2008-12-27 20:57 . 2003-11-06 05:56 147,456 --a------ c:\windows\system32\LEXBCE.DLL

2008-12-27 20:57 . 2004-02-13 09:46 73,728 --a------ c:\windows\system32\lxbzpwr.dll

2008-12-26 18:18 . 2008-12-26 18:18 0 --a------ C:\151d4

2008-12-24 09:51 . 2008-10-24 12:10 31,296 --a------ c:\windows\system32\drivers\gbpkm.sys

2008-12-24 09:30 . 2008-12-24 09:51 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dados de aplicativos\GbPlugin

2008-12-24 09:30 . 2008-12-24 09:51 <DIR> d-------- c:\arquivos de programas\GbPlugin

2008-12-20 19:06 . 2008-12-20 19:07 <DIR> d-------- C:\Hijack

2008-12-20 14:53 . 2008-12-20 14:53 16,896 ---hs---- c:\windows\system32\winzareg.exe

2008-12-15 17:57 . 2008-12-15 17:57 16,896 ---hs---- c:\windows\system32\winzcreg.exe

2008-12-15 17:57 . 2008-12-23 18:20 16,896 --a------ c:\windows\system32\DF7BE.EXE

2008-12-13 10:15 . 2008-12-13 10:15 16,896 ---hs---- c:\windows\system32\winycreg.exe

2008-12-09 15:50 . 2008-12-09 15:50 <DIR> d-------- c:\arquivos de programas\Total Video Player

2008-12-09 15:50 . 2008-12-09 15:50 16,896 ---hs---- c:\windows\system32\winxcreg.exe

2008-12-09 15:50 . 2008-12-15 17:29 16,896 --a------ c:\windows\system32\4560BFF.EXE

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-08 11:32 17,528 ----a-w c:\documents and settings\Fernilson\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2008-12-04 08:26 111,281 ----a-w c:\documents and settings\Fernilson\wxp.exe

2008-11-30 21:30 30,720 ----a-w c:\documents and settings\Fernilson\skp66.exe

2008-11-26 15:34 --------- d-----w c:\arquivos de programas\Masfoot 2006

2008-11-25 08:50 --------- d-----w c:\arquivos de programas\XeFlashPlayer

2008-11-19 01:54 --------- d-----w c:\arquivos de programas\MSN Messenger

2008-11-17 20:31 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2008-11-17 20:31 --------- d-----w c:\documents and settings\Fernilson\Dados de aplicativos\InstallShield

2008-11-17 20:31 --------- d-----w c:\arquivos de programas\Vimicro

2008-10-28 00:09 315,392 ----a-w c:\windows\HideWin.exe

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7630848]

"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2006-09-14 651264]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-16 86016]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 218992]

"ZSSnp211"="c:\windows\ZSSnp211.exe" [2007-04-06 131072]

"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]

"XP-5CED94A8"="c:\windows\system32\XP-5CED94A8.EXE" [2008-12-01 1586572]

"nwiz"="nwiz.exe" [2006-08-16 c:\windows\system32\nwiz.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 c:\windows\RTHDCPL.exe]

"Barsaka"="explorer.exe" [2008-04-14 c:\windows\explorer.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\Fernilson\Menu Iniciar\Programas\Inicializar\

­­­­­­.lnk - c:\windows\system32\XP-5CED94A8.EXE [2008-12-01 1586572]

 

c:\documents and settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 157088]

Reboot.exe [2006-12-29 409088]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Motorola\\SMSERIAL\\sm56hlpr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\nwiz.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office10\\OSA.EXE"=

"c:\\WINDOWS\\system32\\userinit.exe"=

"c:\\WINDOWS\\RTHDCPL.EXE"=

"c:\\Arquivos de programas\\MSN Messenger\\usnsvc.exe"=

"c:\\WINDOWS\\system32\\wuauclt.exe"=

"c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBZPSWX.EXE"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=

"c:\\WINDOWS\\system32\\bndmss.exe"=

"c:\\Documents and Settings\\Fernilson\\skp66.exe"=skp66.exe

"skp66.exe"= skp66.exe:BNDMSS

"c:\\WINDOWS\\system32\\netsh.exe"=

"c:\\WINDOWS\\ALCMTR.EXE"=

"c:\\WINDOWS\\ZSSnp211.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\sol.exe"=

"c:\\Arquivos de programas\\Windows Media Player\\wmplayer.exe"=

"c:\\WINDOWS\\System32\\Tools\\DelFolders.exe"=

"c:\\WINDOWS\\system32\\XP-5CED94A8.EXE"=

"c:\\WINDOWS\\system32\\C2CE.EXE"=

"c:\\WINDOWS\\system32\\mshearts.exe"=

"c:\\WINDOWS\\Domino.exe"=

"c:\\WINDOWS\\system32\\DF7BE.EXE"=

"c:\\WINDOWS\\system32\\freecell.exe"=

"c:\\ComboFix\\NirCmd.cfexe"=

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [2008-12-24 31296]

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jniem.sys --> c:\windows\system32\drivers\jniem.sys [?]

R4 BNDMSS;Windows Network Data Management System Service;c:\windows\system32\bndmss.exe [2008-11-09 30720]

S3 SQTECH9160;Digital Camera;c:\windows\system32\drivers\Capt9160.sys [2008-10-28 45711]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - BNDMSS

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}]

\shELl\AUtoPLaY\CoMmaNd - E:\uubfbc.pif

\shELl\AutoRun\command - E:\uubfbc.pif

\shELl\explore\Command - E:\uubfbc.pif

\shELl\opEn\CommanD - E:\uubfbc.pif

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4365a4a2-dbfb-11dc-86ba-dab8cdb64535}]

\Shell\AutoRun\command - E:\Recycled.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5058be38-b29d-11dc-85d6-001bb9923f0e}]

\Shell\1\Command - E:\Recycled.exe

\Shell\2\Command - E:\Recycled.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec711a9-886d-11dc-84ee-001bb9923f0e}]

\Shell\1\Command - F:\Recycled.exe

\Shell\2\Command - F:\

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3d5cb4-cf81-11dd-b9b1-001bb9923f0e}]

\Shell\1\Command - E:\Recycled.exe

\Shell\2\Command - E:\Recycled.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKCU-Run-NitroPC - c:\arquivos de programas\NitroPC\NitroPC.exe

 

 

.

------- Scan Suplementar -------

.

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {C42F28EA-3D2B-41C1-BA4B-F8E16335B24D} = 200.222.0.34 200.202.193.75

 

c:\windows\Downloaded Program Files\gbpdist.dll - O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}

hxxps://imagem.caixa.gov.br/cab/gbpdist.cab

c:\windows\Downloaded Program Files\gbpdist.inf

FF - ProfilePath - c:\documents and settings\Fernilson\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-09 19:59:11

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

 

c:\windows\system32\shell.fne 40960 bytes executable

c:\windows\system32\spec.fne 73728 bytes executable

c:\windows\system32\ul.dll 1868 bytes

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 3

 

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\netsh.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-01-09 20:07:57 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-01-09 22:07:52

 

Pré-execução: 12 pasta(s) 23.127.359.488 bytes disponíveis

Pós execução: 12 pasta(s) 23,066,722,304 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

238 --- E O F --- 2008-12-20 03:54:35

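The registry section of the ComboFix log above explains the original complaint better than any single file does: every Security Center notification is suppressed and the AntiVirus/Firewall "Override" values are set (so Windows stops warning that no antivirus is active), the standard-profile firewall is switched off, the firewall exception list contains binaries from the user profile and random hex names, Task Manager and regedit are blocked by HKCU policy, and the mountpoints2 keys carry autorun handlers that launch executables from the E: and F: drives, the usual reinfection path through removable media. The following script is an added example, not from the thread and not ComboFix code; it parses a constructed REGEDIT4-style fragment (same layout as the dump above) into sections and runs a small set of defender rules over it. The rules and their wording are this example's assumptions.

```python
import re
from typing import Dict, List

# Constructed fragment in the REGEDIT4 layout ComboFix uses, modelled on the log above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Fernilson\\skp66.exe"=skp66.exe
"c:\\WINDOWS\\system32\\DF7BE.EXE"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}]
\shELl\AUtoPLaY\CoMmaNd - E:\uubfbc.pif
\shELl\AutoRun\command - E:\uubfbc.pif
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix prints mountpoints2 shell handlers as "\Shell\verb\command - <command>".
MOUNTPOINT_LINE = re.compile(r"^\\(?P<handler>[^ ]+) - (?P<cmd>.+)$")


def parse_sections(text: str) -> Dict[str, List[tuple]]:
    """Group the fragment by registry key (lower-cased). Entries are (name, data)
    pairs; for mountpoints2 keys they are (handler-path, command) pairs."""
    sections: Dict[str, List[tuple]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key").lower()
            sections[current] = []
            continue
        if current is None:
            continue
        m = VALUE_LINE.match(line) or MOUNTPOINT_LINE.match(line)
        if m:
            sections[current].append(tuple(m.groups()))
    return sections


def _is_set(data: str) -> bool:
    """True for dword:00000001 or ComboFix's '1 (0x1)' rendering of the same value."""
    return data.strip().startswith(("dword:00000001", "1 "))


def audit(text: str) -> List[str]:
    """Apply defender rules to the parsed sections and return human-readable findings."""
    findings: List[str] = []
    for key, entries in parse_sections(text).items():
        if key.endswith("\\security center"):
            for name, data in entries:
                if (name.endswith("DisableNotify") or name.endswith("Override")) and _is_set(data):
                    findings.append(f"Security Center {name} set: Windows will not warn about missing AV/firewall")
        elif key.endswith("\\firewallpolicy\\standardprofile"):
            for name, data in entries:
                if name == "EnableFirewall" and data.strip().startswith("0"):
                    findings.append("Windows Firewall disabled for the standard profile")
        elif key.endswith("\\authorizedapplications\\list"):
            for name, _ in entries:
                path = name.replace("\\\\", "\\")  # the dump doubles backslashes
                if "\\documents and settings\\" in path.lower() or re.search(r"\\[0-9A-F]{4,8}\.EXE$", path, re.I):
                    findings.append(f"firewall exception for unusual binary: {path}")
        elif key.endswith("\\policies\\system"):
            for name, data in entries:
                if name in ("DisableTaskMgr", "DisableRegistryTools") and _is_set(data):
                    findings.append(f"admin tool blocked by policy: {name}")
        elif "\\mountpoints2\\" in key:
            for handler, cmd in entries:
                if re.match(r"^[D-Z]:\\", cmd, re.I):  # handler runs a file on a non-system drive
                    findings.append(f"drive autorun handler {handler} runs {cmd}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print("-", f)
```

The CFScript the helper posts later in this thread undoes exactly these findings (the policy values are set to `-`, the skp66.exe exceptions are removed, the mountpoints2 keys are deleted), so a checker of this shape doubles as a way to confirm, from the post-cleanup log, that nothing of the list remains.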

Step 1

Go to VirusTotal. Copy the path shown in bold below and paste it next to the file button [image: arquivolp8.jpg]. Click Send File and wait.

c:\windows\system32\XP-5CED94A8.EXE

Copy the link shown next to Permalink and paste it here. See the image:

[image: virustotalrt7.jpg]

Right after that, do the same procedure, but this time pasting the following path > c:\windows\system32\DF7BE.EXE.

Post the report from both analyses.

Step 2

Delete the folder C:\Qoobox and the log C:\ComboFix.txt.

Select and copy all of the content below (starting from Driver). Paste the copied content into Notepad on your PC and save it on the desktop as CFScript.txt


 

Driver::
abp470n5
BNDMSS

File::
C:\a73c
C:\a028
C:\b18d
C:\151d4
c:\windows\system32\winzareg.exe
c:\windows\system32\winzcreg.exe
c:\windows\system32\winycreg.exe
c:\windows\system32\winxcreg.exe
c:\windows\system32\4560BFF.EXE
c:\documents and settings\Fernilson\Dados de aplicativos\GDIPFONTCACHEV1.DAT
c:\documents and settings\Fernilson\wxp.exe
c:\documents and settings\Fernilson\skp66.exe
c:\windows\system32\drivers\jniem.sys
c:\windows\system32\bndmss.exe
E:\uubfbc.pif
E:\Recycled.exe
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe
F:\Recycled.exe

Rootkit::
c:\windows\system32\shell.fne
c:\windows\system32\spec.fne
c:\windows\system32\ul.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Barsaka"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Fernilson\\skp66.exe"=-
"skp66.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4365a4a2-dbfb-11dc-86ba-dab8cdb64535}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5058be38-b29d-11dc-85d6-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec711a9-886d-11dc-84ee-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3d5cb4-cf81-11dd-b9b1-001bb9923f0e}]

Drag the CFScript onto ComboFix as in the image below and wait for the tool to run automatically:

[image: CFScript.gif]

● If prompted, press Enter to start the removal process;

Do not use the mouse or the keyboard while ComboFix is running;

● When it finishes, a new log will be generated at C:\ComboFix.txt;

● Your computer may restart automatically. If it doesn't, restart it manually.

In your next reply, paste the new ComboFix.txt and the results of the VirusTotal analyses.


OK, you don't need to do the VirusTotal procedure.

Proceed with "Step 2" and do the ComboFix procedure.


- Download OTMoveIt3 and save it to the desktop;

● Double-click the program icon (OTMoveIt3) to run it;

● Select and copy all of the content below, inside the code box:


:Processes
explorer.exe

:Services
abp470n5
BNDMSS

:Files
C:\a73c
C:\a028
C:\b18d
C:\151d4
c:\windows\system32\winzareg.exe
c:\windows\system32\winzcreg.exe
c:\windows\system32\winycreg.exe
c:\windows\system32\winxcreg.exe
c:\windows\system32\4560BFF.EXE
c:\documents and settings\Fernilson\Dados de aplicativos\GDIPFONTCACHEV1.DAT
c:\documents and settings\Fernilson\wxp.exe
c:\documents and settings\Fernilson\skp66.exe
c:\windows\system32\drivers\jniem.sys
c:\windows\system32\bndmss.exe
c:\windows\system32\shell.fne
c:\windows\system32\spec.fne
c:\windows\system32\ul.dll
E:\uubfbc.pif
E:\Recycled.exe
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe
F:\Recycled.exe

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Barsaka"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Fernilson\\skp66.exe"=-
"skp66.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4365a4a2-dbfb-11dc-86ba-dab8cdb64535}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5058be38-b29d-11dc-85d6-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec711a9-886d-11dc-84ee-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3d5cb4-cf81-11dd-b9b1-001bb9923f0e}]

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

● Paste what you copied into the program (in the blank area of the window);

● Click the MoveIt button;

● If a message appears asking you to restart the computer, restart it;

● In your next reply, copy and paste all of the content under Results;

● If the computer restarted, go to the folder C:\_OTMoveIt\MovedFiles and open the most recent .log file there. Copy and paste all of that file's content.


========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

Unable to stop service abp470n5 .

Service BNDMSS stopped successfully.

Service BNDMSS deleted successfully.

========== FILES ==========

File/Folder C:\a73c not found.

File/Folder C:\a028 not found.

File/Folder C:\b18d not found.

File/Folder C:\151d4 not found.

File/Folder c:\windows\system32\winzareg.exe not found.

File/Folder c:\windows\system32\winzcreg.exe not found.

File/Folder c:\windows\system32\winycreg.exe not found.

File/Folder c:\windows\system32\winxcreg.exe not found.

File/Folder c:\windows\system32\4560BFF.EXE not found.

File/Folder c:\documents and settings\Fernilson\Dados de aplicativos\GDIPFONTCACHEV1.DAT not found.

File/Folder c:\documents and settings\Fernilson\wxp.exe not found.

File/Folder c:\documents and settings\Fernilson\skp66.exe not found.

File/Folder c:\windows\system32\drivers\jniem.sys not found.

File/Folder c:\windows\system32\bndmss.exe not found.

c:\windows\system32\shell.fne moved successfully.

c:\windows\system32\spec.fne moved successfully.

LoadLibrary failed for c:\windows\system32\ul.dll

c:\windows\system32\ul.dll NOT unregistered.

File move failed. c:\windows\system32\ul.dll scheduled to be moved on reboot.

File/Folder E:\uubfbc.pif not found.

File/Folder E:\Recycled.exe not found.

File/Folder c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe not found.

File/Folder F:\Recycled.exe not found.

========== REGISTRY ==========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"Barsaka"|"" /E : value set successfully!

Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.

Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableRegistryTools deleted successfully.

Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.

Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}\\ not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4365a4a2-dbfb-11dc-86ba-dab8cdb64535}\\ not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5058be38-b29d-11dc-85d6-001bb9923f0e}\\ not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec711a9-886d-11dc-84ee-001bb9923f0e}\\ not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3d5cb4-cf81-11dd-b9b1-001bb9923f0e}\\ not found.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\com.run scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\dp1.fne scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\eAPI.fne scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\internet.fne scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\krnln.fnr scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\shell.fne scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\00016155_Rar\XP-5CED94A8.EXE scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\etilqs_9Dx6MNoe447V3rbeuAHt scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\tufwt.exe scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbmlcq.exe scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhnres.exe scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\453C1F77d01 scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

FireFox cache emptied.

Temp folders emptied.

Explorer started successfully

 

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01152009_180611

 

Files moved on Reboot...

LoadLibrary failed for c:\windows\system32\ul.dll

c:\windows\system32\ul.dll NOT unregistered.

c:\windows\system32\ul.dll moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\com.run moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\dp1.fne moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\eAPI.fne moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\internet.fne moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\krnln.fnr moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\shell.fne moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\00016155_Rar\XP-5CED94A8.EXE moved successfully.

File C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\etilqs_9Dx6MNoe447V3rbeuAHt not found!

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\tufwt.exe moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbmlcq.exe moved successfully.

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhnres.exe moved successfully.

C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\453C1F77d01 moved successfully.

C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\urlclassifier3.sqlite moved successfully.


● Download RSIT and save it to your desktop;

 

● Double-click RSIT.exe to run the program;

● In the window that opens, click the Continue button so the tool starts running;

● When the tool finishes running, a log containing the scan result will open automatically in Notepad. Paste the contents of that log (log.txt) in your next reply;

● Also paste the contents of the info.txt file, which will be at C:\rsit\info.txt.


Logfile of random's system information tool 1.05 (written by random/random)

Run by Fernilson at 2009-01-16 05:07:18

Microsoft Windows XP Professional Service Pack 3

System drive C: has 19 GB (50%) free of 38 GB

Total RAM: 446 MB (28% free)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:07:47, on 20/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bndmss.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\ZSSnp211.exe

C:\WINDOWS\Domino.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\XP-5CED94A8.EXE

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvggws.exe

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyrxak.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe

O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe

O4 - HKLM\..\Run: [barsaka] explorer.exe

O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE

O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NitroPC] "C:\Arquivos de programas\NitroPC\NitroPC.exe" -minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5CED94A8.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Reboot.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C42F28EA-3D2B-41C1-BA4B-F8E16335B24D}: NameServer = 200.222.0.34 200.202.193.75

O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 4877 bytes

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-08-16 7630848]

"nwiz"=nwiz.exe /install []

"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]

"SMSERIAL"=C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe [2006-09-14 651264]

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-08-16 86016]

"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-12-19 16062464]

"Adobe Reader Speed Launcher"=C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 218992]

"ZSSnp211"=C:\WINDOWS\ZSSnp211.exe [2007-04-06 131072]

"Domino"=C:\WINDOWS\Domino.exe [2006-08-18 49152]

"Barsaka"= []

"XP-5CED94A8"=C:\WINDOWS\system32\XP-5CED94A8.EXE [2008-12-01 1586572]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

"13CFG914-K641-26SF-N31P"=C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe []

 

C:\Documents and Settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

Reboot.exe

 

C:\Documents and Settings\Fernilson\Menu Iniciar\Programas\Inicializar

¡¡¡¡¡¡.lnk - C:\WINDOWS\system32\XP-5CED94A8.EXE

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=1

"DisableRegistryTools"=1

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"EnableLUA"=0

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoResolveSearch"=

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe"="C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe:*:Enabled:ipsec"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\WINDOWS\system32\nwiz.exe"="C:\WINDOWS\system32\nwiz.exe:*:Enabled:ipsec"

"C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE"="C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE:*:Enabled:ipsec"

"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ipsec"

"C:\WINDOWS\RTHDCPL.EXE"="C:\WINDOWS\RTHDCPL.EXE:*:Enabled:ipsec"

"C:\Arquivos de programas\MSN Messenger\usnsvc.exe"="C:\Arquivos de programas\MSN Messenger\usnsvc.exe:*:Enabled:ipsec"

"C:\WINDOWS\system32\wuauclt.exe"="C:\WINDOWS\system32\wuauclt.exe:*:Enabled:ipsec"

"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBZPSWX.EXE"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBZPSWX.EXE:*:Enabled:ipsec"

"C:\Arquivos de programas\Mozilla Firefox\firefox.exe"="C:\Arquivos de programas\Mozilla Firefox\firefox.exe:*:Enabled:ipsec"

"C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"="C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe:*:Enabled:ipsec"

"C:\WINDOWS\system32\bndmss.exe"="C:\WINDOWS\system32\bndmss.exe:*:Enabled:BNDMSS"

"C:\Documents and Settings\Fernilson\skp66.exe"="C:\Documents and Settings\Fernilson\skp66.exeskp66.exe:*:Enabled:BNDMSS"

"skp66.exe"="skp66.exe:*:Enabled:BNDMSS"

"C:\WINDOWS\system32\netsh.exe"="C:\WINDOWS\system32\netsh.exe:*:Enabled:ipsec"

"C:\WINDOWS\ALCMTR.EXE"="C:\WINDOWS\ALCMTR.EXE:*:Enabled:ipsec"

"C:\WINDOWS\ZSSnp211.exe"="C:\WINDOWS\ZSSnp211.exe:*:Enabled:ipsec"

"C:\Arquivos de programas\MSN Messenger\msnmsgr.exe"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe:*:Enabled:ipsec"

"C:\Arquivos de programas\MSN Messenger\livecall.exe"="C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\WINDOWS\system32\sol.exe"="C:\WINDOWS\system32\sol.exe:*:Enabled:ipsec"

"C:\Arquivos de programas\Windows Media Player\wmplayer.exe"="C:\Arquivos de programas\Windows Media Player\wmplayer.exe:*:Enabled:ipsec"

"C:\WINDOWS\System32\Tools\DelFolders.exe"="C:\WINDOWS\System32\Tools\DelFolders.exe:*:Enabled:ipsec"

"C:\WINDOWS\system32\XP-5CED94A8.EXE"="C:\WINDOWS\system32\XP-5CED94A8.EXE:*:Enabled:ipsec"

"C:\WINDOWS\system32\C2CE.EXE"="C:\WINDOWS\system32\C2CE.EXE:*:Enabled:ipsec"

"C:\WINDOWS\system32\mshearts.exe"="C:\WINDOWS\system32\mshearts.exe:*:Enabled:ipsec"

"C:\WINDOWS\Domino.exe"="C:\WINDOWS\Domino.exe:*:Enabled:ipsec"

"C:\WINDOWS\system32\DF7BE.EXE"="C:\WINDOWS\system32\DF7BE.EXE:*:Enabled:ipsec"

"C:\WINDOWS\system32\freecell.exe"="C:\WINDOWS\system32\freecell.exe:*:Enabled:ipsec"

"C:\ComboFix\NirCmd.cfexe"="C:\ComboFix\NirCmd.cfexe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iise.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iise.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\njvm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\njvm.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsbldwo.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsbldwo.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpxbca.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpxbca.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwrow.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwrow.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuqqwj.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuqqwj.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\windnihn.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\windnihn.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fyqvn.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fyqvn.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyxma.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyxma.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\okvt.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\okvt.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\rhpx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\rhpx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuirgeh.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuirgeh.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\klafm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\klafm.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winefmqkd.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winefmqkd.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingpfily.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingpfily.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winkxob.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winkxob.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ckkqx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ckkqx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\vmqx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\vmqx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qipvay.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qipvay.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\cwtap.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\cwtap.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\emrse.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\emrse.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winacgini.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winacgini.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kgfec.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kgfec.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\arpvdx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\arpvdx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winluutvs.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winluutvs.exe:*:Enabled:ipsec"

"C:\WINDOWS\system32\ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe:*:Enabled:ipsec"

"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbqpnp.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbqpnp.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrcghas.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrcghas.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingclejl.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingclejl.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvklxxp.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvklxxp.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyqgeyx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyqgeyx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winseiqkf.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winseiqkf.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winnefua.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winnefua.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrfneu.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrfneu.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmesmay.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmesmay.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\huxgwj.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\huxgwj.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwpfff.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwpfff.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\sdqqk.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\sdqqk.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsfglp.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsfglp.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qlbpjv.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qlbpjv.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winespx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winespx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winftbpuh.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winftbpuh.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kfvbm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kfvbm.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingflr.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingflr.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrsoas.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrsoas.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmswuo.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmswuo.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winggpthb.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winggpthb.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingtwj.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingtwj.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wincxfuy.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wincxfuy.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winqtmwm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winqtmwm.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxvaut.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxvaut.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\oqvite.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\oqvite.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\riimh.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\riimh.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxfge.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxfge.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpeatv.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpeatv.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winjjel.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winjjel.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ffhs.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ffhs.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\saed.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\saed.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\yhfli.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\yhfli.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fbsu.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fbsu.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iaea.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iaea.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winghsx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winghsx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qgyw.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qgyw.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvndllb.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvndllb.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ldpl.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ldpl.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winafre.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winafre.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhibijp.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhibijp.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvyiwg.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvyiwg.exe:*:Enabled:ipsec"

"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wegmtw.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wegmtw.exe:*:Enabled:ipsec"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Arquivos de programas\MSN Messenger\msnmsgr.exe"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\Arquivos de programas\MSN Messenger\livecall.exe"="C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb3eca5e-6e59-11dd-b2f7-001bb9923f0e}]

shell\AutoRun\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe

shell\open\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe

 

 

======List of files/folders created in the last 1 months======

 

2009-01-16 05:07:18 ----D---- C:\rsit

2009-01-15 18:09:20 ----ASH---- C:\WINDOWS\system32\ul.dll

2009-01-15 17:58:15 ----D---- C:\_OTMoveIt

2009-01-14 19:24:40 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$

2009-01-13 19:08:14 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$

2009-01-09 20:29:16 ----ASH---- C:\WINDOWS\system32\og.dll

2009-01-09 20:19:15 ----RSHD---- C:\RECYCLER

2009-01-09 19:55:36 ----D---- C:\WINDOWS\temp

2009-01-09 19:53:23 ----A---- C:\Boot.bak

2009-01-09 19:53:08 ----RASHD---- C:\cmdcons

2009-01-09 19:12:16 ----A---- C:\WINDOWS\zip.exe

2009-01-09 19:12:16 ----A---- C:\WINDOWS\VFIND.exe

2009-01-09 19:12:16 ----A---- C:\WINDOWS\SWXCACLS.exe

2009-01-09 19:12:16 ----A---- C:\WINDOWS\SWSC.exe

2009-01-09 19:12:16 ----A---- C:\WINDOWS\SWREG.exe

2009-01-09 19:12:16 ----A---- C:\WINDOWS\sed.exe

2009-01-09 19:12:16 ----A---- C:\WINDOWS\NIRCMD.exe

2009-01-09 19:12:16 ----A---- C:\WINDOWS\grep.exe

2009-01-09 19:12:16 ----A---- C:\WINDOWS\fdsv.exe

2009-01-09 19:12:09 ----D---- C:\ComboFix

2008-12-27 20:57:56 ----A---- C:\WINDOWS\system32\lxbzpwr.dll

2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEXPPS.EXE

2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEXP2P32.DLL

2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEXBCES.EXE

2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEXBCE.DLL

2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEX2KUSB.DLL

2008-12-27 20:57:50 ----D---- C:\Arquivos de programas\Lexmark 510 Series

2008-12-27 20:57:50 ----A---- C:\WINDOWS\system32\lexlmpm.dll

2008-12-24 09:30:56 ----D---- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\GbPlugin

2008-12-24 09:30:56 ----D---- C:\Arquivos de programas\GbPlugin

2008-12-20 19:06:03 ----D---- C:\Hijack

 

======List of files/folders modified in the last 1 months======

 

2009-01-16 05:01:14 ----D---- C:\Arquivos de programas\Mozilla Firefox

2009-01-16 05:01:05 ----A---- C:\WINDOWS\ModemLog_Motorola SM56 Data Fax Modem.txt

2009-01-16 04:59:09 ----D---- C:\WINDOWS\system32\drivers

2009-01-15 22:25:24 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-01-15 18:09:20 ----D---- C:\WINDOWS\system32

2009-01-14 22:25:47 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-01-14 22:25:33 ----D---- C:\WINDOWS\system32\CatRoot2

2009-01-14 19:27:08 ----D---- C:\WINDOWS

2009-01-14 19:25:12 ----HD---- C:\WINDOWS\inf

2009-01-13 19:08:25 ----A---- C:\WINDOWS\imsins.BAK

2009-01-13 19:07:56 ----HD---- C:\WINDOWS\$hf_mig$

2009-01-11 00:56:55 ----D---- C:\WINDOWS\Prefetch

2009-01-09 23:19:14 ----D---- C:\WINDOWS\Help

2009-01-09 23:18:23 ----RSD---- C:\WINDOWS\Fonts

2009-01-09 20:06:10 ----D---- C:\WINDOWS\repair

2009-01-09 20:00:16 ----A---- C:\WINDOWS\system.ini

2009-01-09 19:57:10 ----D---- C:\WINDOWS\system32\config

2009-01-09 19:56:38 ----D---- C:\WINDOWS\ERDNT

2009-01-09 19:55:11 ----D---- C:\WINDOWS\AppPatch

2009-01-09 19:55:11 ----D---- C:\Arquivos de programas\Arquivos comuns

2009-01-09 19:53:23 ----RASH---- C:\boot.ini

2008-12-27 21:02:33 ----A---- C:\WINDOWS\LEXSTAT.INI

2008-12-27 21:00:03 ----D---- C:\WINDOWS\system32\CatRoot

2008-12-27 20:57:50 ----RD---- C:\Arquivos de programas

2008-12-26 09:19:54 ----D---- C:\WINDOWS\system32\Restore

2008-12-24 09:30:55 ----SD---- C:\WINDOWS\Downloaded Program Files

2008-12-23 18:20:00 ----A---- C:\WINDOWS\system32\DF7BE.EXE

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R3 abp470n5;abp470n5; \??\C:\WINDOWS\system32\drivers\jniem.sys []

R3 HDAudBus;Driver de Barramento Microsoft UAA para High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]

R3 HidUsb;Driver de classe HID da Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-12-21 4405248]

R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-09-05 12288]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-08-16 3959712]

R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-07-11 57856]

R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-07-11 20480]

R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2006-09-14 980736]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]

R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]

S3 MSTEE;Conversor em T entre locais de fluxo contínuo Microsoft; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]

S3 NdisIP;Conexão de TV e vídeo da Microsoft; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]

S3 SQTECH9160;Digital Camera; C:\WINDOWS\System32\Drivers\Capt9160.sys [2006-03-21 45711]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]

S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

S3 ZSMC211;ZSMC USB PC Camera; C:\WINDOWS\System32\Drivers\ZS211.sys [2007-08-03 1470592]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-11-06 307200]

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-08-16 155715]

R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]

S3 usnjsvc;Serviço de Compartilhamento de Pastas Messenger do USN Journal Reader; C:\Arquivos de programas\MSN Messenger\usnsvc.exe [2007-01-19 170864]

 

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.05 2009-01-16 05:07:37

 

======Uninstall list======

 

-->C:\Arquivos de programas\DivX\DivXConverterUninstall.exe /CONVERTER

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Acrobat.com-->C:\Arquivos de programas\Arquivos comuns\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}

Adobe AIR-->C:\Arquivos de programas\Arquivos comuns\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall

Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}

Advanced WindowsCare Personal-->"C:\Arquivos de programas\IObit\Advanced WindowsCare V2\unins000.exe"

Arquivo do WinRAR-->C:\Arquivos de programas\WinRAR\uninstall.exe

Atualização de Segurança para o Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Atualização de Segurança para o Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"

Atualização de Segurança para Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"

Atualização de Segurança para Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"

Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"

Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"

Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"

Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"

Digital Camera Driver-->C:\ARQUIV~1\DIGITA~1\UNWISE.EXE C:\ARQUIV~1\DIGITA~1\INSTALL.LOG

DivX Codec-->C:\Arquivos de programas\DivX\DivXCodecUninstall.exe /CODEC

DivX Converter-->C:\Arquivos de programas\DivX\DivXConverterUninstall.exe /CONVERTER

DivX Player-->C:\Arquivos de programas\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player-->C:\Arquivos de programas\DivX\DivXWebPlayerUninstall.exe /PLUGIN

E.M. Total Video Player 1.31-->"C:\Arquivos de programas\Total Video Player\unins000.exe"

HijackThis 2.0.2-->"C:\Hijack\HijackThis.exe" /uninstall

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Lexmark 510 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBZUN5C.EXE -dLexmark 510 Series

Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"

Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"

Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280416-6000-11D3-8CFE-0050048383C9}

Motorola SM56 Data Fax Modem-->rundll32.exe sm56coin.dll,SM56UnInstaller

Mozilla Firefox (3.0.4)-->C:\Arquivos de programas\Mozilla Firefox\uninstall\helper.exe

NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI

On-line Help Console-->RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{6283826F-59A2-11D9-BB04-000AE6BE6EE7}\setup.exe" -l0x9

Realtek High Definition Audio Driver-->RtlUpd.exe -r -m

Windows Live Messenger-->MsiExec.exe /I{37FD253D-5064-4034-8CEC-CC3995F823A4}

Windows Media Format Runtime-->"C:\Arquivos de programas\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Player 10-->"C:\Arquivos de programas\Windows Media Player\Setup_wm.exe" /Uninstall

Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

XeFlashPlayer 1.0-->C:\Arquivos de programas\XeFlashPlayer\uninst.exe

ZSMC USB PC Camera-->C:\Arquivos de programas\InstallShield Installation Information\{44D02D8B-FFB3-4245-8D26-68D10B4C4023}\setup.exe -runfromtemp -l0x0416 -removeonly

 

System event log

 

Computer Name: WILSON-9B32FAF9

Event Code: 64001

Message: File replacement was attempted on the protected system file c:\arquivos de programas\msn gaming zone\windows\zclientm.exe.

This file was restored to the original version to maintain system stability.

The file version of the bad file is 1.2.626.1; the system file version is 1.2.626.1.

 

Record Number: 7786

Source Name: Windows File Protection

Time Written: 20081224160752.000000-120

Event Type: Information

User:

 

Computer Name: WILSON-9B32FAF9

Event Code: 64001

Message: File replacement was attempted on the protected system file c:\arquivos de programas\msn gaming zone\windows\zclientm.exe.

This file was restored to the original version to maintain system stability.

The file version of the bad file is 1.2.626.1; the system file version is 1.2.626.1.

 

Record Number: 7785

Source Name: Windows File Protection

Time Written: 20081224160052.000000-120

Event Type: Information

User:

 

Computer Name: WILSON-9B32FAF9

Event Code: 64001

Message: File replacement was attempted on the protected system file c:\arquivos de programas\msn gaming zone\windows\zclientm.exe.

This file was restored to the original version to maintain system stability.

The file version of the bad file is 1.2.626.1; the system file version is 1.2.626.1.

 

Record Number: 7784

Source Name: Windows File Protection

Time Written: 20081224154707.000000-120

Event Type: Information

User:

 

Computer Name: WILSON-9B32FAF9

Event Code: 20158

Message: The user . successfully established a connection to ig2008 using device COM3.

 

Record Number: 7783

Source Name: RemoteAccess

Time Written: 20081224154014.000000-120

Event Type: Information

User:

 

Computer Name: WILSON-9B32FAF9

Event Code: 64001

Message: File replacement was attempted on the protected system file c:\arquivos de programas\msn gaming zone\windows\zclientm.exe.

This file was restored to the original version to maintain system stability.

The file version of the bad file is 1.2.626.1; the system file version is 1.2.626.1.

 

Record Number: 7782

Source Name: Windows File Protection

Time Written: 20081224154000.000000-120

Event Type: Information

User:

 

Application event log

 

Computer Name: WILSON-9B32FAF9

Event Code: 300

Message: msnmsgr (3204) \\.\C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wbarros1975@hotmail.com\SharingMetadata\Working\database_5498_8408_9883_E738\dfsr.db: The database engine is starting recovery steps.

 

Record Number: 1131

Source Name: ESENT

Time Written: 20081209234424.000000-120

Event Type: Information

User:

 

Computer Name: WILSON-9B32FAF9

Event Code: 102

Message: msnmsgr (3204) \\.\C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wbarros1975@hotmail.com\SharingMetadata\Working\database_5498_8408_9883_E738\dfsr.db: The database engine started a new instance (0).

 

Record Number: 1130

Source Name: ESENT

Time Written: 20081209234423.000000-120

Event Type: Information

User:

 

Computer Name: WILSON-9B32FAF9

Event Code: 100

Message: msnmsgr (3204) The database engine 5.01.2600.5512 started.

 

Record Number: 1129

Source Name: ESENT

Time Written: 20081209234422.000000-120

Event Type: Information

User:

 

Computer Name: WILSON-9B32FAF9

Event Code: 12001

Message: The Messenger Sharing USN Journal Reader service started successfully.

 

Record Number: 1128

Source Name: usnjsvc

Time Written: 20081209234416.000000-120

Event Type:

User:

 

Computer Name: WILSON-9B32FAF9

Event Code: 1800

Message: The Windows Security Center service started.

 

Record Number: 1127

Source Name: SecurityCenter

Time Written: 20081209234044.000000-120

Event Type: Information

User:

 

======Environment variables======

 

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=15

"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 79 Stepping 2, AuthenticAMD

"PROCESSOR_REVISION"=4f02

"NUMBER_OF_PROCESSORS"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

 

-----------------EOF-----------------


Go to Start > Run, type the command below and click OK.

 

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Barsaka /f

 

Run HijackThis and click Do a system scan only. Check the entries below and click the Fix Checked button.

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe

 

O4 - HKLM\..\Run: [barsaka] explorer.exe

 

O4 - Global Startup: Reboot.exe

 

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

 

Step 1

 

- Run OTMoveIt3 and paste the content below into the program window:

 

:Processes
explorer.exe
C:\WINDOWS\system32\bndmss.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvggws.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyrxak.exe
:Services
abp470n5
:Files
C:\WINDOWS\system32\bndmss.exe
C:\Documents and Settings\Fernilson\skp66.exe
C:\Documents and Settings\Fernilson\skp66.exe
skp66.exe
C:\WINDOWS\system32\ul.dll
C:\WINDOWS\system32\og.dll
C:\WINDOWS\system32\drivers\jniem.sys
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iise.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\njvm.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsbldwo.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpxbca.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwrow.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuqqwj.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\windnihn.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fyqvn.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyxma.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\okvt.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\rhpx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuirgeh.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\klafm.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winefmqkd.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingpfily.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winkxob.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ckkqx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\vmqx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qipvay.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\cwtap.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\emrse.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winacgini.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kgfec.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\arpvdx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winluutvs.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbqpnp.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrcghas.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingclejl.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvklxxp.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyqgeyx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winseiqkf.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winnefua.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrfneu.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmesmay.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\huxgwj.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwpfff.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\sdqqk.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsfglp.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qlbpjv.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winespx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winftbpuh.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kfvbm.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingflr.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrsoas.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmswuo.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winggpthb.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingtwj.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wincxfuy.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winqtmwm.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxvaut.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\oqvite.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\riimh.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxfge.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpeatv.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winjjel.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ffhs.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\saed.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\yhfli.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fbsu.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iaea.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winghsx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qgyw.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvndllb.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ldpl.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winafre.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhibijp.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvyiwg.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wegmtw.exe
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\bndmss.exe"=-
"C:\Documents and Settings\Fernilson\skp66.exe"=-
"skp66.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb3eca5e-6e59-11dd-b2f7-001bb9923f0e}]
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

● Click the MoveIt button;

● If a message asks you to restart the computer, restart it;

● In your next reply, copy and paste all the content shown under Results;

● If the computer restarted, go to the folder C:\_OTMoveIt\MovedFiles and open the most recent .log file there. Copy and paste the entire content of that file.

 

Step 2

 

- Download FindyKill and save the tool to the folder C:\Arquivos de Programas;

- Close any programs that are open;

- Install the tool and accept all the conditions requested;

- When done, run the tool by double-clicking C:\Arquivos de Programas\FindyKill\FindyKill.bat;

- At the prompt, press C > Enter;

- Next, press 2 and hit Enter; the computer will restart twice;

- When it finishes, click on an empty area of the prompt and hit Enter;

- Notepad will open with the report: C:\FindyKill.txt.

 

Paste the OTMoveIt3 log, the FindyKill log and a new RSIT log (only the log.txt) in your next reply.


F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe

 

O4 - HKLM\..\Run: [barsaka] explorer.exe

 

These entries were not in HijackThis....


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:59:34, on 31/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\ZSSnp211.exe

C:\WINDOWS\Domino.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\XP-5CED94A8.EXE

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\novmbf.exe

C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxlgr.exe

C:\HiJackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe

O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe

O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5CED94A8.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Reboot.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C42F28EA-3D2B-41C1-BA4B-F8E16335B24D}: NameServer = 200.222.0.34 200.202.193.75

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 4320 bytes

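Added example, not part of the thread and not code from HijackThis, RSIT or OTMoveIt: a small triage script that encodes the indicators the helper acted on in the logs above, so a reader can see why those particular entries were picked for removal. It flags processes running from the user's Temp folder, autorun entries pointing into C:\RECYCLER\<SID> or a Temp directory, a Startup shortcut whose name carries no letters or digits (like the ¡¡¡¡¡¡.lnk entry), a bare .exe sitting in the Startup folder (Reboot.exe), an extra UserInit target after userinit.exe, an O7 policy that disables regedit or Task Manager, and a BHO registered with no file behind it. The "machine-generated name" check (an all-capitals value name of eight or more characters with at least two digits, which matches XP-5CED94A8 and 13CFG914-K641-26SF-N31P but not NvCplDaemon or CTFMON.EXE) is a heuristic of my own, not a rule from any tool. The sample log is constructed from lines that appear in this thread and is embedded so the script runs offline; it does not touch the machine being examined.

```python
import re
from collections import Counter

# Constructed sample input: lines taken from the two HijackThis logs and the
# helper's fix list in this thread, embedded so the script runs offline.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\XP-5CED94A8.EXE
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\novmbf.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxlgr.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reboot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)          # ...\Temp\x.exe
RECYCLER_RE = re.compile(r"\\recycler\\s-1-5-", re.IGNORECASE)  # C:\RECYCLER\<SID>\
GENERATED_NAME_RE = re.compile(r"^[A-Z0-9-]{8,}$")              # heuristic (assumption)
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
RUN_VALUE_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"Disable(Regedit|RegistryTools|TaskMgr)=1")


def _check_o4(line, where, rest):
    """Autorun (O4) heuristics; returns a list of (severity, reason, line)."""
    hits = []
    if RECYCLER_RE.search(rest):
        hits.append(("high", "autorun target inside C:\\RECYCLER\\<SID> (Recycle Bin)", line))
    if TEMP_RE.search(rest):
        hits.append(("high", "autorun target inside a Temp directory", line))
    rv = RUN_VALUE_RE.match(rest)
    if rv:
        name = rv.group("name")
        if GENERATED_NAME_RE.match(name) and sum(ch.isdigit() for ch in name) >= 2:
            hits.append(("medium", f"machine-generated-looking Run value name [{name}]", line))
    if "Startup" in where:
        if " = " in rest:                       # "<shortcut>.lnk = <target>"
            shortcut = rest.split(" = ", 1)[0]
            stem = shortcut[:-4] if shortcut.lower().endswith(".lnk") else shortcut
            if not re.search(r"[0-9A-Za-z]", stem):
                hits.append(("medium", "Startup shortcut with a nonsense name", line))
        elif rest.lower().endswith(".exe"):     # executable itself, not a shortcut
            hits.append(("medium", "bare executable dropped in the Startup folder", line))
    return hits


def triage(log_text):
    """Walk a HijackThis log and return (severity, reason, line) findings."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False              # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_RE.search(line):
                findings.append(("high", "process running from a Temp directory", line))
            continue
        if line.startswith("F2 - REG:system.ini: UserInit="):
            targets = [t.strip() for t in line.split("UserInit=", 1)[1].split(",") if t.strip()]
            extra = [t for t in targets if not t.lower().endswith("userinit.exe")]
            if extra:
                findings.append(("high", "extra UserInit entry: " + ", ".join(extra), line))
            continue
        if line.startswith("O7 - ") and POLICY_RE.search(line):
            findings.append(("medium", "admin tool disabled by registry policy", line))
            continue
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(("low", "orphaned BHO (registered, file missing)", line))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(_check_o4(line, m.group("where"), m.group("rest")))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 5, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for sev, reason, line in results:
        print(f"[{sev:6}] {reason}\n         {line}")
    print(summarize(results))
```

Run against the sample it reports ten findings (four high, five medium, one low); the RECYCLER entry is reported twice, once for its location and once for its value name. The script only reads a pasted log; the actual removals still go through the tools the helper named, and a clean-looking triage does not prove the box is clean, since HijackThis shows only the autorun points it knows about.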
