cobradorf, posted December 20, 2008:
Hello, good afternoon everyone. Sorry if I am posting in the wrong place. Some time ago I was using Avira and could no longer update it, so I decided to remove it and download it again, but since then I have not been able to install any antivirus. I tried AVG, Avira, McAfee and others, and nothing works; I even formatted the PC. I don't know much about computers, so I would be grateful if someone could help me. Many thanks to everyone in advance... cheers
JonJon CS, posted December 20, 2008:
Wrong place indeed; this has to be posted in the malware section. Download HijackThis from Baixaki and post the log so our moderators can help you.
Mário Monteiro, posted December 20, 2008:
Topic moved. From: General Questions -> To: Security & Malware
-----------------------
Post a log as described in this topic: http://forum.imasters.com.br/index.php?showtopic=165906
cobradorf, posted December 20, 2008:
Hello, sorry for the mistake about where I posted the problem.... The generated log is this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:47, on 20/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bndmss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\XP-5CED94A8.EXE
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvggws.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyrxak.exe
C:\Hijack\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [barsaka] explorer.exe
O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NitroPC] "C:\Arquivos de programas\NitroPC\NitroPC.exe" -minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reboot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C42F28EA-3D2B-41C1-BA4B-F8E16335B24D}: NameServer = 200.222.0.34 200.202.193.75
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4877 bytes
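A first-pass triage of a HijackThis log like the one above can be scripted. The Python below is an added example written for this page; it is not part of the thread, of HijackThis, or of the helpers' procedure, and the heuristics (flag executables running from a Temp directory, autorun values that are not full paths, policy values that lock the user out of Regedit/Task Manager, and services with no publisher) are ours. The sample lines are constructed from entries in the posted log, and the function and constant names (SAMPLE_LOG, triage, first_path) are assumed. A correctly pathed binary such as XP-5CED94A8.EXE cannot be judged from the log alone, which is why the helpers in this thread go on to ask for a file scan; the script only narrows down what to look at.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in HijackThis v2 log format, copied from the
# log posted above (the entries are the thread's; the selection is ours).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvggws.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [barsaka] explorer.exe
O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                       # bare path = running process
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
# Policy values that take the user's own admin tools away; all three show up in this thread.
POLICY_LOCKS = {"DisableRegedit", "DisableTaskMgr", "DisableRegistryTools"}


@dataclass
class Finding:
    entry: str
    reason: str


def first_path(cmd):
    """Return the executable part of an O4 command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Walk a HijackThis log and return the entries worth a closer look, with the reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DRIVE_RE.match(line):
            if TEMP_RE.search(line):
                findings.append(Finding(line, "process running from a Temp directory"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_path(m.group("cmd"))
            if TEMP_RE.search(exe):
                findings.append(Finding(line, "autorun target in a Temp directory"))
            elif "\\" not in exe:
                # A bare name is resolved through the search path at logon, so the log
                # does not tell you which file actually runs (e.g. [barsaka] explorer.exe).
                findings.append(Finding(line, "autorun target is not a full path"))
            continue
        m = O7_RE.match(line)
        if m and m.group("value") in POLICY_LOCKS and m.group("data") != "0":
            findings.append(Finding(line, "policy %s locks the user out of an admin tool" % m.group("value")))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(Finding(line, "service %s has no publisher (Unknown owner)" % m.group("svc")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-45s %s" % (f.reason, f.entry))
```

Run it as-is to see the five entries it pulls out of the sample; point it at a full log with `triage(open("hijackthis.log").read())`.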
cobradorf, posted December 24, 2008:
I wonder if I will make it into the new year with my PC in shape... lol
MGuitar, posted January 9, 2009:
cobradorf, sorry for the delay. If you still need help, follow the procedure below.
- Download ComboFix and save it to the desktop;
● Temporarily disable your antivirus so it does not detect the tool as a virus;
● Double-click the combofix.exe icon to start the scan;
● Read the agreement that appears and click Yes to continue;
● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;
● Wait while ComboFix scans;
● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
● Do not click on the ComboFix window, and try not to use the keyboard either, so as not to interfere with the tool's scan;
● If you want to quit or stop ComboFix, press N;
● When it finishes, your machine will be restarted. After the restart the tool will run again; wait;
● A log will be generated at C:\ComboFix.txt. Paste this log in your next reply.
cobradorf, posted January 9, 2009:
I hope I did it right....

ComboFix 09-01-08.05 - Fernilson 2009-01-09 19:54:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.446.71 [GMT -2:00]
Executando de: c:\documents and settings\Fernilson\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\com.run
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\dp1.fne
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\eAPI.fne
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\internet.fne
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\krnln.fnr
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\RegEx.fnr
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\shell.fne
c:\docume~1\FERNIL~1\CONFIG~1\Temp\E_4\spec.fne
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\winupd32.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\4560.EXE
c:\windows\system32\com.run
c:\windows\system32\dp1.fne
c:\windows\system32\eAPI.fne
c:\windows\system32\internet.fne
c:\windows\system32\krnln.fnr
c:\windows\system32\og.dll
c:\windows\system32\og.edt
c:\windows\system32\RegEx.fnr
c:\windows\system32\shell.fne
c:\windows\system32\spec.fne
c:\windows\system32\ul.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BNDMSS
-------\Legacy_GBPSV
-------\Service_BNDMSS
-------\Service_GbpSv

(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-09 to 2009-01-09 ))))))))))))))))))))))))))))
.
2009-01-08 09:29 . 2009-01-08 09:29 0 --a------ C:\a73c
2009-01-06 05:34 . 2009-01-06 05:34 0 --a------ C:\a028
2008-12-28 06:02 . 2008-12-28 06:02 0 --a------ C:\b18d
2008-12-27 20:57 . 2008-12-27 20:57 <DIR> d-------- c:\arquivos de programas\Lexmark 510 Series
2008-12-27 20:57 . 2003-11-06 05:57 307,200 --a------ c:\windows\system32\LEXBCES.EXE
2008-12-27 20:57 . 2003-11-06 05:57 201,216 --a------ c:\windows\system32\LEXP2P32.DLL
2008-12-27 20:57 . 2003-11-06 06:03 200,192 --a------ c:\windows\system32\lexlmpm.dll
2008-12-27 20:57 . 2003-11-06 05:56 197,120 --a------ c:\windows\system32\LEX2KUSB.DLL
2008-12-27 20:57 . 2003-11-06 05:57 174,592 --a------ c:\windows\system32\LEXPPS.EXE
2008-12-27 20:57 . 2003-11-06 05:56 147,456 --a------ c:\windows\system32\LEXBCE.DLL
2008-12-27 20:57 . 2004-02-13 09:46 73,728 --a------ c:\windows\system32\lxbzpwr.dll
2008-12-26 18:18 . 2008-12-26 18:18 0 --a------ C:\151d4
2008-12-24 09:51 . 2008-10-24 12:10 31,296 --a------ c:\windows\system32\drivers\gbpkm.sys
2008-12-24 09:30 . 2008-12-24 09:51 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dados de aplicativos\GbPlugin
2008-12-24 09:30 . 2008-12-24 09:51 <DIR> d-------- c:\arquivos de programas\GbPlugin
2008-12-20 19:06 . 2008-12-20 19:07 <DIR> d-------- C:\Hijack
2008-12-20 14:53 . 2008-12-20 14:53 16,896 ---hs---- c:\windows\system32\winzareg.exe
2008-12-15 17:57 . 2008-12-15 17:57 16,896 ---hs---- c:\windows\system32\winzcreg.exe
2008-12-15 17:57 . 2008-12-23 18:20 16,896 --a------ c:\windows\system32\DF7BE.EXE
2008-12-13 10:15 . 2008-12-13 10:15 16,896 ---hs---- c:\windows\system32\winycreg.exe
2008-12-09 15:50 . 2008-12-09 15:50 <DIR> d-------- c:\arquivos de programas\Total Video Player
2008-12-09 15:50 . 2008-12-09 15:50 16,896 ---hs---- c:\windows\system32\winxcreg.exe
2008-12-09 15:50 . 2008-12-15 17:29 16,896 --a------ c:\windows\system32\4560BFF.EXE
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 11:32 17,528 ----a-w c:\documents and settings\Fernilson\Dados de aplicativos\GDIPFONTCACHEV1.DAT
2008-12-04 08:26 111,281 ----a-w c:\documents and settings\Fernilson\wxp.exe
2008-11-30 21:30 30,720 ----a-w c:\documents and settings\Fernilson\skp66.exe
2008-11-26 15:34 --------- d-----w c:\arquivos de programas\Masfoot 2006
2008-11-25 08:50 --------- d-----w c:\arquivos de programas\XeFlashPlayer
2008-11-19 01:54 --------- d-----w c:\arquivos de programas\MSN Messenger
2008-11-17 20:31 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information
2008-11-17 20:31 --------- d-----w c:\documents and settings\Fernilson\Dados de aplicativos\InstallShield
2008-11-17 20:31 --------- d-----w c:\arquivos de programas\Vimicro
2008-10-28 00:09 315,392 ----a-w c:\windows\HideWin.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7630848]
"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2006-09-14 651264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-16 86016]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 218992]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2007-04-06 131072]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"XP-5CED94A8"="c:\windows\system32\XP-5CED94A8.EXE" [2008-12-01 1586572]
"nwiz"="nwiz.exe" [2006-08-16 c:\windows\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 c:\windows\RTHDCPL.exe]
"Barsaka"="explorer.exe" [2008-04-14 c:\windows\explorer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Fernilson\Menu Iniciar\Programas\Inicializar\
 .lnk - c:\windows\system32\XP-5CED94A8.EXE [2008-12-01 1586572]

c:\documents and settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\
Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 157088]
Reboot.exe [2006-12-29 409088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Motorola\\SMSERIAL\\sm56hlpr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Arquivos de programas\\MSN Messenger\\usnsvc.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBZPSWX.EXE"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\WINDOWS\\system32\\bndmss.exe"=
"c:\\Documents and Settings\\Fernilson\\skp66.exe"=skp66.exe
"skp66.exe"= skp66.exe:BNDMSS
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
"c:\\WINDOWS\\ZSSnp211.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\sol.exe"=
"c:\\Arquivos de programas\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\System32\\Tools\\DelFolders.exe"=
"c:\\WINDOWS\\system32\\XP-5CED94A8.EXE"=
"c:\\WINDOWS\\system32\\C2CE.EXE"=
"c:\\WINDOWS\\system32\\mshearts.exe"=
"c:\\WINDOWS\\Domino.exe"=
"c:\\WINDOWS\\system32\\DF7BE.EXE"=
"c:\\WINDOWS\\system32\\freecell.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [2008-12-24 31296]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jniem.sys --> c:\windows\system32\drivers\jniem.sys [?]
R4 BNDMSS;Windows Network Data Management System Service;c:\windows\system32\bndmss.exe [2008-11-09 30720]
S3 SQTECH9160;Digital Camera;c:\windows\system32\drivers\Capt9160.sys [2008-10-28 45711]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BNDMSS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}]
\shELl\AUtoPLaY\CoMmaNd - E:\uubfbc.pif
\shELl\AutoRun\command - E:\uubfbc.pif
\shELl\explore\Command - E:\uubfbc.pif
\shELl\opEn\CommanD - E:\uubfbc.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4365a4a2-dbfb-11dc-86ba-dab8cdb64535}]
\Shell\AutoRun\command - E:\Recycled.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5058be38-b29d-11dc-85d6-001bb9923f0e}]
\Shell\1\Command - E:\Recycled.exe
\Shell\2\Command - E:\Recycled.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec711a9-886d-11dc-84ee-001bb9923f0e}]
\Shell\1\Command - F:\Recycled.exe
\Shell\2\Command - F:\
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3d5cb4-cf81-11dd-b9b1-001bb9923f0e}]
\Shell\1\Command - E:\Recycled.exe
\Shell\2\Command - E:\Recycled.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-NitroPC - c:\arquivos de programas\NitroPC\NitroPC.exe
.
------- Scan Suplementar -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {C42F28EA-3D2B-41C1-BA4B-F8E16335B24D} = 200.222.0.34 200.202.193.75
c:\windows\Downloaded Program Files\gbpdist.dll - O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}
hxxps://imagem.caixa.gov.br/cab/gbpdist.cab
c:\windows\Downloaded Program Files\gbpdist.inf
FF - ProfilePath - c:\documents and settings\Fernilson\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 19:59:11
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

c:\windows\system32\shell.fne 40960 bytes executable
c:\windows\system32\spec.fne 73728 bytes executable
c:\windows\system32\ul.dll 1868 bytes

Varredura completada com sucesso
arquivos/ficheiros ocultos: 3

**************************************************************************
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\netsh.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-01-09 20:07:57 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-01-09 22:07:52

Pré-execução: 12 pasta(s) 23.127.359.488 bytes disponíveis
Pós-execução: 12 pasta(s) 23,066,722,304 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

238 --- E O F --- 2008-12-20 03:54:35
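The registry section of the ComboFix log above explains the original complaint better than any single file does: Security Center notifications are suppressed, the firewall is off, Task Manager and the registry editor are blocked by policy, and several removable-drive mount points have autorun handlers pointing at executables on E: and F:. The Python below is an added example written for this page (not part of the thread or of ComboFix) that reads that REGEDIT4-style dump and reports exactly those settings, so the same checks can be repeated on another log. The sample excerpt is copied from the log above; the checks and the names SAMPLE_DUMP, parse_data and audit_registry_dump are ours.

```python
import re

# Constructed sample: registry excerpts in the REGEDIT4-style layout that ComboFix
# prints, copied from the log posted above (keys, values and GUIDs are the thread's).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}]
\shELl\AUtoPLaY\CoMmaNd - E:\uubfbc.pif
\shELl\AutoRun\command - E:\uubfbc.pif
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')
# ComboFix prints MountPoints2 handlers as "\Shell\<verb>\command - <target>";
# the registry is case-insensitive, so match regardless of the mixed case in the log.
MOUNT_RE = re.compile(r"^\\(?P<verb>shell\\.+?\\command)\s+-\s+(?P<target>.+)$", re.IGNORECASE)
POLICY_LOCKS = {"DisableTaskMgr", "DisableRegistryTools", "DisableRegedit"}


def parse_data(data):
    """Turn 'dword:00000001' or '1 (0x1)' into an int; None for non-numeric data."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)", data)
    return int(m.group(1)) if m else None


def audit_registry_dump(dump):
    """Return (key, value_name, reason) for every security-posture setting worth reviewing."""
    findings = []
    section = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group("name"), parse_data(m.group("data"))
            if section.endswith("\\security center") and value == 1 and (
                    name.endswith("DisableNotify") or name.endswith("Override")):
                findings.append((section, name, "Security Center alerting suppressed"))
            elif section.endswith("\\standardprofile") and name == "EnableFirewall" and value == 0:
                findings.append((section, name, "Windows Firewall disabled"))
            elif section.endswith("\\policies\\system") and name in POLICY_LOCKS and value == 1:
                findings.append((section, name, "admin tool blocked by policy"))
            continue
        m = MOUNT_RE.match(line)
        if m and "mountpoints2" in section:
            findings.append((section, m.group("verb").lower(),
                             "drive autorun handler -> " + m.group("target")))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_registry_dump(SAMPLE_DUMP):
        print("%-40s %s" % (reason, name))
```

With the sample it lists eight settings; on a real log, paste the whole "Pontos de Carregamento do Registro" section in and the sections it does not recognise are simply skipped.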
MGuitar, posted January 10, 2009:
Step 1
Go to VirusTotal. Copy the path in bold below and paste it next to the button. Click Send File and wait.
c:\windows\system32\XP-5CED94A8.EXE
Copy the link that appears next to the word Permalink and paste it here. See the image:
Right after that, repeat the procedure, this time pasting the following path > c:\windows\system32\DF7BE.EXE. Post the report of both analyses.

Step 2
Delete the folder C:\Qoobox and the log C:\ComboFix.txt.
Select and copy all of the content below (starting from Driver). Paste the copied content into Notepad on your PC and save it to the desktop as CFScript.txt

Driver::
abp470n5
BNDMSS

File::
C:\a73c
C:\a028
C:\b18d
C:\151d4
c:\windows\system32\winzareg.exe
c:\windows\system32\winzcreg.exe
c:\windows\system32\winycreg.exe
c:\windows\system32\winxcreg.exe
c:\windows\system32\4560BFF.EXE
c:\documents and settings\Fernilson\Dados de aplicativos\GDIPFONTCACHEV1.DAT
c:\documents and settings\Fernilson\wxp.exe
c:\documents and settings\Fernilson\skp66.exe
c:\windows\system32\drivers\jniem.sys
c:\windows\system32\bndmss.exe
E:\uubfbc.pif
E:\Recycled.exe
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe
F:\Recycled.exe

Rootkit::
c:\windows\system32\shell.fne
c:\windows\system32\spec.fne
c:\windows\system32\ul.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Barsaka"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Fernilson\\skp66.exe"=-
"skp66.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4365a4a2-dbfb-11dc-86ba-dab8cdb64535}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5058be38-b29d-11dc-85d6-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec711a9-886d-11dc-84ee-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3d5cb4-cf81-11dd-b9b1-001bb9923f0e}]

Drag the CFScript onto ComboFix as in the image below and wait for the tool to run automatically:
● If prompted, press Enter to start the removal process;
● Do not use the mouse or the keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may restart automatically. If it does not, restart it manually.
In your next reply, paste the new ComboFix.txt and the VirusTotal analysis results.
cobradorf, posted January 13, 2009:
I don't know if it is because my connection is dial-up, but I can't open http://www.virustotal.com/pt/; the page does not load....
MGuitar, posted January 13, 2009:
Ok, you don't need to do the VirusTotal procedure. Go on with "Step 2" and do the ComboFix procedure.
cobradorf, posted January 14, 2009:
The screen that appears is this: ComboFix.exe has encountered a problem and needs to close....
MGuitar, posted January 15, 2009:
- Download OTMoveIt3 and save it to the desktop;
● Double-click the program icon (OTMoveIt3) to run it;
● Select and copy all of the content below, inside the code box:

:Processes
explorer.exe

:Services
abp470n5
BNDMSS

:Files
C:\a73c
C:\a028
C:\b18d
C:\151d4
c:\windows\system32\winzareg.exe
c:\windows\system32\winzcreg.exe
c:\windows\system32\winycreg.exe
c:\windows\system32\winxcreg.exe
c:\windows\system32\4560BFF.EXE
c:\documents and settings\Fernilson\Dados de aplicativos\GDIPFONTCACHEV1.DAT
c:\documents and settings\Fernilson\wxp.exe
c:\documents and settings\Fernilson\skp66.exe
c:\windows\system32\drivers\jniem.sys
c:\windows\system32\bndmss.exe
c:\windows\system32\shell.fne
c:\windows\system32\spec.fne
c:\windows\system32\ul.dll
E:\uubfbc.pif
E:\Recycled.exe
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe
F:\Recycled.exe

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Barsaka"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Fernilson\\skp66.exe"=-
"skp66.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4365a4a2-dbfb-11dc-86ba-dab8cdb64535}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5058be38-b29d-11dc-85d6-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec711a9-886d-11dc-84ee-001bb9923f0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3d5cb4-cf81-11dd-b9b1-001bb9923f0e}]

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

● Paste what you copied into the program (in the blank area of the window);
● Click the MoveIt button;
● If a message appears asking you to restart the computer, restart it;
● In your next reply, copy and paste all of the content shown under Results;
● If the computer restarted, go to the folder C:\_OTMoveIt\MovedFiles and open the most recent .log file there. Copy and paste all of that file's content.
cobradorf, posted January 15, 2009:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service abp470n5 .
Service BNDMSS stopped successfully.
Service BNDMSS deleted successfully.
========== FILES ==========
File/Folder C:\a73c not found.
File/Folder C:\a028 not found.
File/Folder C:\b18d not found.
File/Folder C:\151d4 not found.
File/Folder c:\windows\system32\winzareg.exe not found.
File/Folder c:\windows\system32\winzcreg.exe not found.
File/Folder c:\windows\system32\winycreg.exe not found.
File/Folder c:\windows\system32\winxcreg.exe not found.
File/Folder c:\windows\system32\4560BFF.EXE not found.
File/Folder c:\documents and settings\Fernilson\Dados de aplicativos\GDIPFONTCACHEV1.DAT not found.
File/Folder c:\documents and settings\Fernilson\wxp.exe not found.
File/Folder c:\documents and settings\Fernilson\skp66.exe not found.
File/Folder c:\windows\system32\drivers\jniem.sys not found.
File/Folder c:\windows\system32\bndmss.exe not found.
c:\windows\system32\shell.fne moved successfully.
c:\windows\system32\spec.fne moved successfully.
LoadLibrary failed for c:\windows\system32\ul.dll
c:\windows\system32\ul.dll NOT unregistered.
File move failed. c:\windows\system32\ul.dll scheduled to be moved on reboot.
File/Folder E:\uubfbc.pif not found.
File/Folder E:\Recycled.exe not found.
File/Folder c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe not found.
File/Folder F:\Recycled.exe not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"Barsaka"|"" /E : value set successfully!
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableRegistryTools deleted successfully.
Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1165ded0-088e-11dd-b119-001bb9923f0e}\\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4365a4a2-dbfb-11dc-86ba-dab8cdb64535}\\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5058be38-b29d-11dc-85d6-001bb9923f0e}\\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec711a9-886d-11dc-84ee-001bb9923f0e}\\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3d5cb4-cf81-11dd-b9b1-001bb9923f0e}\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\com.run scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\dp1.fne scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\eAPI.fne scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\internet.fne scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\krnln.fnr scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\shell.fne scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\00016155_Rar\XP-5CED94A8.EXE scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\etilqs_9Dx6MNoe447V3rbeuAHt scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\tufwt.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbmlcq.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhnres.exe scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\453C1F77d01 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01152009_180611

Files moved on Reboot...
LoadLibrary failed for c:\windows\system32\ul.dll
c:\windows\system32\ul.dll NOT unregistered.
c:\windows\system32\ul.dll moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\com.run moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\dp1.fne moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\eAPI.fne moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\internet.fne moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\krnln.fnr moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\E_4\shell.fne moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\00016155_Rar\XP-5CED94A8.EXE moved successfully.
File C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\etilqs_9Dx6MNoe447V3rbeuAHt not found!
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\tufwt.exe moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbmlcq.exe moved successfully.
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhnres.exe moved successfully.
C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\453C1F77d01 moved successfully.
C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\1krgw69w.default\urlclassifier3.sqlite moved successfully.
MGuitar, posted January 15, 2009:

● Download RSIT and save it to your desktop;
● Double-click RSIT.exe to run the program;
● In the window that opens, click the Continue button so the tool starts running;
● When the tool finishes, a log will open automatically in Notepad with the scan result. Paste the contents of that log (log.txt) in your next reply;
● Also paste the contents of the file info.txt, which will be at C:\rsit\info.txt.
cobradorf, posted January 16, 2009:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Fernilson at 2009-01-16 05:07:18
Microsoft Windows XP Professional Service Pack 3
System drive C: has 19 GB (50%) free of 38 GB
Total RAM: 446 MB (28% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:47, on 20/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bndmss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\XP-5CED94A8.EXE
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvggws.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyrxak.exe
C:\Hijack\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [barsaka] explorer.exe
O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NitroPC] "C:\Arquivos de programas\NitroPC\NitroPC.exe" -minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reboot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C42F28EA-3D2B-41C1-BA4B-F8E16335B24D}: NameServer = 200.222.0.34 200.202.193.75
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4877 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-08-16 7630848]
"nwiz"=nwiz.exe /install []
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"SMSERIAL"=C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe [2006-09-14 651264]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-08-16 86016]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-12-19 16062464]
"Adobe Reader Speed Launcher"=C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 218992]
"ZSSnp211"=C:\WINDOWS\ZSSnp211.exe [2007-04-06 131072]
"Domino"=C:\WINDOWS\Domino.exe [2006-08-18 49152]
"Barsaka"= []
"XP-5CED94A8"=C:\WINDOWS\system32\XP-5CED94A8.EXE [2008-12-01 1586572]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"13CFG914-K641-26SF-N31P"=C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe []

C:\Documents and Settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
Reboot.exe

C:\Documents and Settings\Fernilson\Menu Iniciar\Programas\Inicializar
¡¡¡¡¡¡.lnk - C:\WINDOWS\system32\XP-5CED94A8.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe"="C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe:*:Enabled:ipsec"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\nwiz.exe"="C:\WINDOWS\system32\nwiz.exe:*:Enabled:ipsec"
"C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE"="C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE:*:Enabled:ipsec"
"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ipsec"
"C:\WINDOWS\RTHDCPL.EXE"="C:\WINDOWS\RTHDCPL.EXE:*:Enabled:ipsec"
"C:\Arquivos de programas\MSN Messenger\usnsvc.exe"="C:\Arquivos de programas\MSN Messenger\usnsvc.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\wuauclt.exe"="C:\WINDOWS\system32\wuauclt.exe:*:Enabled:ipsec"
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBZPSWX.EXE"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBZPSWX.EXE:*:Enabled:ipsec"
"C:\Arquivos de programas\Mozilla Firefox\firefox.exe"="C:\Arquivos de programas\Mozilla Firefox\firefox.exe:*:Enabled:ipsec"
"C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"="C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\bndmss.exe"="C:\WINDOWS\system32\bndmss.exe:*:Enabled:BNDMSS"
"C:\Documents and Settings\Fernilson\skp66.exe"="C:\Documents and Settings\Fernilson\skp66.exeskp66.exe:*:Enabled:BNDMSS"
"skp66.exe"="skp66.exe:*:Enabled:BNDMSS"
"C:\WINDOWS\system32\netsh.exe"="C:\WINDOWS\system32\netsh.exe:*:Enabled:ipsec"
"C:\WINDOWS\ALCMTR.EXE"="C:\WINDOWS\ALCMTR.EXE:*:Enabled:ipsec"
"C:\WINDOWS\ZSSnp211.exe"="C:\WINDOWS\ZSSnp211.exe:*:Enabled:ipsec"
"C:\Arquivos de programas\MSN Messenger\msnmsgr.exe"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe:*:Enabled:ipsec"
"C:\Arquivos de programas\MSN Messenger\livecall.exe"="C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\WINDOWS\system32\sol.exe"="C:\WINDOWS\system32\sol.exe:*:Enabled:ipsec"
"C:\Arquivos de programas\Windows Media Player\wmplayer.exe"="C:\Arquivos de programas\Windows Media Player\wmplayer.exe:*:Enabled:ipsec"
"C:\WINDOWS\System32\Tools\DelFolders.exe"="C:\WINDOWS\System32\Tools\DelFolders.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\XP-5CED94A8.EXE"="C:\WINDOWS\system32\XP-5CED94A8.EXE:*:Enabled:ipsec"
"C:\WINDOWS\system32\C2CE.EXE"="C:\WINDOWS\system32\C2CE.EXE:*:Enabled:ipsec"
"C:\WINDOWS\system32\mshearts.exe"="C:\WINDOWS\system32\mshearts.exe:*:Enabled:ipsec"
"C:\WINDOWS\Domino.exe"="C:\WINDOWS\Domino.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\DF7BE.EXE"="C:\WINDOWS\system32\DF7BE.EXE:*:Enabled:ipsec"
"C:\WINDOWS\system32\freecell.exe"="C:\WINDOWS\system32\freecell.exe:*:Enabled:ipsec"
"C:\ComboFix\NirCmd.cfexe"="C:\ComboFix\NirCmd.cfexe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iise.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iise.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\njvm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\njvm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsbldwo.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsbldwo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpxbca.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpxbca.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwrow.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwrow.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuqqwj.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuqqwj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\windnihn.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\windnihn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fyqvn.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fyqvn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyxma.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyxma.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\okvt.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\okvt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\rhpx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\rhpx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuirgeh.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuirgeh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\klafm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\klafm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winefmqkd.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winefmqkd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingpfily.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingpfily.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winkxob.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winkxob.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ckkqx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ckkqx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\vmqx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\vmqx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qipvay.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qipvay.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\cwtap.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\cwtap.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\emrse.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\emrse.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winacgini.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winacgini.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kgfec.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kgfec.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\arpvdx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\arpvdx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winluutvs.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winluutvs.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbqpnp.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbqpnp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrcghas.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrcghas.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingclejl.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingclejl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvklxxp.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvklxxp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyqgeyx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyqgeyx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winseiqkf.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winseiqkf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winnefua.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winnefua.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrfneu.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrfneu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmesmay.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmesmay.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\huxgwj.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\huxgwj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwpfff.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwpfff.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\sdqqk.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\sdqqk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsfglp.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsfglp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qlbpjv.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qlbpjv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winespx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winespx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winftbpuh.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winftbpuh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kfvbm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kfvbm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingflr.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingflr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrsoas.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrsoas.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmswuo.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmswuo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winggpthb.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winggpthb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingtwj.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingtwj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wincxfuy.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wincxfuy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winqtmwm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winqtmwm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxvaut.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxvaut.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\oqvite.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\oqvite.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\riimh.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\riimh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxfge.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxfge.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpeatv.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpeatv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winjjel.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winjjel.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ffhs.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ffhs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\saed.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\saed.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\yhfli.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\yhfli.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fbsu.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fbsu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iaea.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iaea.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winghsx.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winghsx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qgyw.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qgyw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvndllb.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvndllb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ldpl.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ldpl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winafre.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winafre.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhibijp.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhibijp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvyiwg.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvyiwg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wegmtw.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wegmtw.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Arquivos de programas\MSN Messenger\msnmsgr.exe"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Arquivos de programas\MSN Messenger\livecall.exe"="C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb3eca5e-6e59-11dd-b2f7-001bb9923f0e}]
shell\AutoRun\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe
shell\open\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe

======List of files/folders created in the last 1 months======

2009-01-16 05:07:18 ----D---- C:\rsit
2009-01-15 18:09:20 ----ASH---- C:\WINDOWS\system32\ul.dll
2009-01-15 17:58:15 ----D---- C:\_OTMoveIt
2009-01-14 19:24:40 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-01-13 19:08:14 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-09 20:29:16 ----ASH---- C:\WINDOWS\system32\og.dll
2009-01-09 20:19:15 ----RSHD---- C:\RECYCLER
2009-01-09 19:55:36 ----D---- C:\WINDOWS\temp
2009-01-09 19:53:23 ----A---- C:\Boot.bak
2009-01-09 19:53:08 ----RASHD---- C:\cmdcons
2009-01-09 19:12:16 ----A---- C:\WINDOWS\zip.exe
2009-01-09 19:12:16 ----A---- C:\WINDOWS\VFIND.exe
2009-01-09 19:12:16 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-01-09 19:12:16 ----A---- C:\WINDOWS\SWSC.exe
2009-01-09 19:12:16 ----A---- C:\WINDOWS\SWREG.exe
2009-01-09 19:12:16 ----A---- C:\WINDOWS\sed.exe
2009-01-09 19:12:16 ----A---- C:\WINDOWS\NIRCMD.exe
2009-01-09 19:12:16 ----A---- C:\WINDOWS\grep.exe
2009-01-09 19:12:16 ----A---- C:\WINDOWS\fdsv.exe
2009-01-09 19:12:09 ----D---- C:\ComboFix
2008-12-27 20:57:56 ----A---- C:\WINDOWS\system32\lxbzpwr.dll
2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEXPPS.EXE
2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEXP2P32.DLL
2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEXBCES.EXE
2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEXBCE.DLL
2008-12-27 20:57:52 ----A---- C:\WINDOWS\system32\LEX2KUSB.DLL
2008-12-27 20:57:50 ----D---- C:\Arquivos de programas\Lexmark 510 Series
2008-12-27 20:57:50 ----A---- C:\WINDOWS\system32\lexlmpm.dll
2008-12-24 09:30:56 ----D---- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\GbPlugin
2008-12-24 09:30:56 ----D---- C:\Arquivos de programas\GbPlugin
2008-12-20 19:06:03 ----D---- C:\Hijack

======List of files/folders modified in the last 1 months======

2009-01-16 05:01:14 ----D---- C:\Arquivos de programas\Mozilla Firefox
2009-01-16 05:01:05 ----A---- C:\WINDOWS\ModemLog_Motorola SM56 Data Fax Modem.txt
2009-01-16 04:59:09 ----D---- C:\WINDOWS\system32\drivers
2009-01-15 22:25:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-15 18:09:20 ----D---- C:\WINDOWS\system32
2009-01-14 22:25:47 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-14 22:25:33 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-14 19:27:08 ----D---- C:\WINDOWS
2009-01-14 19:25:12 ----HD---- C:\WINDOWS\inf
2009-01-13 19:08:25 ----A---- C:\WINDOWS\imsins.BAK
2009-01-13 19:07:56 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-11 00:56:55 ----D---- C:\WINDOWS\Prefetch
2009-01-09 23:19:14 ----D---- C:\WINDOWS\Help
2009-01-09 23:18:23 ----RSD---- C:\WINDOWS\Fonts
2009-01-09 20:06:10 ----D---- C:\WINDOWS\repair
2009-01-09 20:00:16 ----A---- C:\WINDOWS\system.ini
2009-01-09 19:57:10 ----D---- C:\WINDOWS\system32\config
2009-01-09 19:56:38 ----D---- C:\WINDOWS\ERDNT
2009-01-09 19:55:11 ----D---- C:\WINDOWS\AppPatch
2009-01-09 19:55:11 ----D---- C:\Arquivos de programas\Arquivos comuns
2009-01-09 19:53:23 ----RASH---- C:\boot.ini
2008-12-27 21:02:33 ----A---- C:\WINDOWS\LEXSTAT.INI
2008-12-27 21:00:03 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-27 20:57:50 ----RD---- C:\Arquivos de programas
2008-12-26 09:19:54 ----D---- C:\WINDOWS\system32\Restore
2008-12-24 09:30:55 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-23 18:20:00 ----A---- C:\WINDOWS\system32\DF7BE.EXE

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 abp470n5;abp470n5; \??\C:\WINDOWS\system32\drivers\jniem.sys []
R3 HDAudBus;Driver de Barramento Microsoft UAA para High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Driver de classe HID da Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-12-21 4405248]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-09-05 12288]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-08-16 3959712]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-07-11 57856]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-07-11 20480]
R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2006-09-14 980736]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 MSTEE;Conversor em T entre locais de fluxo contínuo Microsoft; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Conexão de TV e vídeo da Microsoft; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SQTECH9160;Digital Camera; C:\WINDOWS\System32\Drivers\Capt9160.sys [2006-03-21 45711]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 ZSMC211;ZSMC USB PC Camera; C:\WINDOWS\System32\Drivers\ZS211.sys [2007-08-03 1470592]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-11-06 307200]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-08-16 155715]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 usnjsvc;Serviço de Compartilhamento de Pastas Messenger do USN Journal Reader; C:\Arquivos de programas\MSN Messenger\usnsvc.exe [2007-01-19 170864]

-----------------EOF-----------------
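The RSIT output above is what a forum helper has to triage by eye: autostart entries pointing into a Temp directory or a RECYCLER folder, a Startup shortcut named ¡¡¡¡¡¡.lnk, policies that disable Task Manager and Registry Editor (and EnableLUA=0), a Windows Firewall exceptions list padded with dozens of Temp\*.exe entries, a mountpoints2 autorun command on drive E: pointing into RECYCLER, a service with "Unknown owner", and a driver (abp470n5 / jniem.sys) with no file on disk. The script below is an added example for this page, not a tool anyone in the thread used: it applies those same checks to a constructed excerpt written in HijackThis/RSIT line format (modelled on the posted log, not copied in full; for simplicity the RECYCLER Run value is written as an O4 line). The function names and finding categories are this example's own.

```python
"""Triage of HijackThis / RSIT-style log lines.

Added example for this page (not a tool used in the thread). Each rule below
is a heuristic derived from entries visible in the posted logs; the function
names and finding categories are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis/RSIT line format, modelled on the posted
# log (not the complete log; the RECYCLER Run value is written as an O4 line).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5CED94A8.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"DisableTaskMgr"=1
"EnableLUA"=0
"C:\Arquivos de programas\Mozilla Firefox\firefox.exe"="C:\Arquivos de programas\Mozilla Firefox\firefox.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iise.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iise.exe:*:Enabled:ipsec"
"C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\njvm.exe"="C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\njvm.exe:*:Enabled:ipsec"
shell\AutoRun\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe
R3 abp470n5;abp470n5; \??\C:\WINDOWS\system32\drivers\jniem.sys []
R3 HDAudBus;Driver de Barramento Microsoft UAA para High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
"""

# Executables launched from a Temp directory or a RECYCLER folder: the hiding
# places used by the droppers and the removable-drive autorun entry in the log.
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|RECYCLER)\\", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.+)$")
STARTUP_LNK_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?)\.lnk = (?P<target>.+)$")
# Policies that lock the user out of regedit / Task Manager or switch off UAC;
# the right-hand side is the value an attacker wants to see.
LOCKOUT_POLICIES = {"DisableRegedit": "1", "DisableRegistryTools": "1",
                    "DisableTaskMgr": "1", "EnableLUA": "0"}
POLICY_RE = re.compile(
    r'"?(?P<name>DisableRegedit|DisableRegistryTools|DisableTaskMgr|EnableLUA)"?\s*=\s*(?P<value>\d+)')
UNKNOWN_SVC_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - Unknown owner - (?P<path>.+)$")
# Windows Firewall AuthorizedApplications entries: "path"="path:*:Enabled:label"
FW_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<path>[^"]*?):\*:(?P<state>\w+):(?P<label>[^"]*)"$')
AUTORUN_RE = re.compile(r"^shell\\(?:AutoRun|open)\\command - (?P<path>.+)$")
# RSIT prints [date size] after each driver; an empty [] means it found no file.
DRIVER_NOFILE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*; (?P<path>.+?) \[\]$")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Run every heuristic over each line and collect the hits."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O4_RE.match(line)) and SUSPICIOUS_DIRS.search(m["rest"]):
            findings.append(Finding("autostart_from_temp_or_recycler", line))
        if (m := STARTUP_LNK_RE.match(line)) and not re.search(r"[A-Za-z0-9]", m["name"]):
            findings.append(Finding("startup_shortcut_unreadable_name", line))
        if (m := POLICY_RE.search(line)) and LOCKOUT_POLICIES[m["name"]] == m["value"]:
            findings.append(Finding("policy_lockout", f'{m["name"]}={m["value"]}'))
        if m := UNKNOWN_SVC_RE.match(line):
            findings.append(Finding("unknown_owner_service", m["path"]))
        if (m := FW_RE.match(line)) and SUSPICIOUS_DIRS.search(m["path"]):
            findings.append(Finding("firewall_exception_in_temp_or_recycler", m["path"]))
        if (m := AUTORUN_RE.match(line)) and SUSPICIOUS_DIRS.search(m["path"]):
            findings.append(Finding("autorun_command_from_recycler", m["path"]))
        if m := DRIVER_NOFILE_RE.match(line):
            findings.append(Finding("driver_without_file_on_disk", f'{m["name"]} -> {m["path"]}'))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick overview before reading details."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Location-based rules like these are cheap and catch the Temp and RECYCLER droppers, but they say nothing about XP-5CED94A8.EXE sitting directly in system32; for that you still need a hash or Authenticode check against a known-good baseline. Matching on Run-value names is equally useless here, since names like Barsaka and 13CFG914-K641-26SF-N31P carry no signal: match on where the file lives and which policy it flips.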
cobradorf, posted January 16, 2009:

info.txt logfile of random's system information tool 1.05 2009-01-16 05:07:37

======Uninstall list======

-->C:\Arquivos de programas\DivX\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Arquivos de programas\Arquivos comuns\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Arquivos de programas\Arquivos comuns\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Advanced WindowsCare Personal-->"C:\Arquivos de programas\IObit\Advanced WindowsCare V2\unins000.exe"
Arquivo do WinRAR-->C:\Arquivos de programas\WinRAR\uninstall.exe
Atualização de Segurança para o Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Atualização de Segurança para o Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Atualização para Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Atualização para Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Atualização para Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Digital Camera Driver-->C:\ARQUIV~1\DIGITA~1\UNWISE.EXE C:\ARQUIV~1\DIGITA~1\INSTALL.LOG
DivX Codec-->C:\Arquivos de programas\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Arquivos de programas\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Arquivos de programas\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Arquivos de programas\DivX\DivXWebPlayerUninstall.exe /PLUGIN
E.M. Total Video Player 1.31-->"C:\Arquivos de programas\Total Video Player\unins000.exe"
HijackThis 2.0.2-->"C:\Hijack\HijackThis.exe" /uninstall
Hotfix para Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Lexmark 510 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBZUN5C.EXE -dLexmark 510 Series
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional com FrontPage-->MsiExec.exe /I{90280416-6000-11D3-8CFE-0050048383C9}
Motorola SM56 Data Fax Modem-->rundll32.exe sm56coin.dll,SM56UnInstaller
Mozilla Firefox (3.0.4)-->C:\Arquivos de programas\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
On-line Help Console-->RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{6283826F-59A2-11D9-BB04-000AE6BE6EE7}\setup.exe" -l0x9
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Windows Live Messenger-->MsiExec.exe /I{37FD253D-5064-4034-8CEC-CC3995F823A4}
Windows Media Format Runtime-->"C:\Arquivos de programas\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Arquivos de programas\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XeFlashPlayer 1.0-->C:\Arquivos de programas\XeFlashPlayer\uninst.exe
ZSMC USB PC Camera-->C:\Arquivos de programas\InstallShield Installation Information\{44D02D8B-FFB3-4245-8D26-68D10B4C4023}\setup.exe -runfromtemp -l0x0416 -removeonly

System event log

Computer Name: WILSON-9B32FAF9
Event Code: 64001
Message: Tentativa de substituição do arquivo no arquivo do sistema protegido c:\arquivos de programas\msn
gaming zone\windows\zclientm.exe. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 1.2.626.1, a versão do arquivo do sistema é 1.2.626.1. Record Number: 7786 Source Name: Windows File Protection Time Written: 20081224160752.000000-120 Event Type: Informações User: Computer Name: WILSON-9B32FAF9 Event Code: 64001 Message: Tentativa de substituição do arquivo no arquivo do sistema protegido c:\arquivos de programas\msn gaming zone\windows\zclientm.exe. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 1.2.626.1, a versão do arquivo do sistema é 1.2.626.1. Record Number: 7785 Source Name: Windows File Protection Time Written: 20081224160052.000000-120 Event Type: Informações User: Computer Name: WILSON-9B32FAF9 Event Code: 64001 Message: Tentativa de substituição do arquivo no arquivo do sistema protegido c:\arquivos de programas\msn gaming zone\windows\zclientm.exe. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 1.2.626.1, a versão do arquivo do sistema é 1.2.626.1. Record Number: 7784 Source Name: Windows File Protection Time Written: 20081224154707.000000-120 Event Type: Informações User: Computer Name: WILSON-9B32FAF9 Event Code: 20158 Message: O usuário . estabeleceu com êxito uma conexão a ig2008 usando o dispositivo COM3. Record Number: 7783 Source Name: RemoteAccess Time Written: 20081224154014.000000-120 Event Type: Informações User: Computer Name: WILSON-9B32FAF9 Event Code: 64001 Message: Tentativa de substituição do arquivo no arquivo do sistema protegido c:\arquivos de programas\msn gaming zone\windows\zclientm.exe. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 1.2.626.1, a versão do arquivo do sistema é 1.2.626.1. 
Record Number: 7782 Source Name: Windows File Protection Time Written: 20081224154000.000000-120 Event Type: Informações User: Application event log Computer Name: WILSON-9B32FAF9 Event Code: 300 Message: msnmsgr (3204) \\.\C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wbarros1975@hotmail.com\SharingMetadata\Working\database_5498_8408_9883_E738\dfsr.db: O mecanismo de banco de dados está iniciando as etapas de recuperação. Record Number: 1131 Source Name: ESENT Time Written: 20081209234424.000000-120 Event Type: Informações User: Computer Name: WILSON-9B32FAF9 Event Code: 102 Message: msnmsgr (3204) \\.\C:\Documents and Settings\Fernilson\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wbarros1975@hotmail.com\SharingMetadata\Working\database_5498_8408_9883_E738\dfsr.db: O mecanismo de banco de dados iniciou uma nova instância (0). Record Number: 1130 Source Name: ESENT Time Written: 20081209234423.000000-120 Event Type: Informações User: Computer Name: WILSON-9B32FAF9 Event Code: 100 Message: msnmsgr (3204) O mecanismo de banco de dados 5.01.2600.5512 foi iniciado. Record Number: 1129 Source Name: ESENT Time Written: 20081209234422.000000-120 Event Type: Informações User: Computer Name: WILSON-9B32FAF9 Event Code: 12001 Message: The Messenger Sharing USN Journal Reader service started successfully. Record Number: 1128 Source Name: usnjsvc Time Written: 20081209234416.000000-120 Event Type: User: Computer Name: WILSON-9B32FAF9 Event Code: 1800 Message: O Serviço da Central de Segurança do Windows foi iniciado. 
Record Number: 1127 Source Name: SecurityCenter Time Written: 20081209234044.000000-120 Event Type: Informações User: ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 79 Stepping 2, AuthenticAMD "PROCESSOR_REVISION"=4f02 "NUMBER_OF_PROCESSORS"=1 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP -----------------EOF----------------- Compartilhar este post Link para o post Compartilhar em outros sites
MGuitar 11 Posted January 17, 2009

Go to Start > Run, type the command below and click OK.

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Barsaka /f

Run HijackThis and click Do a system scan only. Check the entries below and click the Fix Checked button.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O4 - HKLM\..\Run: [barsaka] explorer.exe
O4 - Global Startup: Reboot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Step 1

- Run OTMoveIt3 and paste the content below into the program's window:

:Processes
explorer.exe
C:\WINDOWS\system32\bndmss.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvggws.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyrxak.exe
:Services
abp470n5
:Files
C:\WINDOWS\system32\bndmss.exe
C:\Documents and Settings\Fernilson\skp66.exe
C:\Documents and Settings\Fernilson\skp66.exe
skp66.exe
C:\WINDOWS\system32\ul.dll
C:\WINDOWS\system32\og.dll
C:\WINDOWS\system32\drivers\jniem.sys
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iise.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\njvm.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsbldwo.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpxbca.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwrow.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuqqwj.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\windnihn.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fyqvn.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyxma.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\okvt.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\rhpx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winuirgeh.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\klafm.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winefmqkd.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingpfily.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winkxob.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ckkqx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\vmqx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qipvay.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\cwtap.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\emrse.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winacgini.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kgfec.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\arpvdx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winluutvs.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winbqpnp.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrcghas.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingclejl.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvklxxp.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winyqgeyx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winseiqkf.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winnefua.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrfneu.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmesmay.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\huxgwj.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winwpfff.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\sdqqk.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winsfglp.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qlbpjv.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winespx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winftbpuh.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\kfvbm.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingflr.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winrsoas.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winmswuo.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winggpthb.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wingtwj.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wincxfuy.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winqtmwm.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxvaut.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\oqvite.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\riimh.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxfge.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winpeatv.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winjjel.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ffhs.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\saed.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\yhfli.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\fbsu.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\iaea.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winghsx.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\qgyw.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvndllb.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\ldpl.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winafre.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winhibijp.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winvyiwg.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\wegmtw.exe
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\bndmss.exe"=-
"C:\Documents and Settings\Fernilson\skp66.exe"=-
"skp66.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb3eca5e-6e59-11dd-b2f7-001bb9923f0e}]
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

● Click the MoveIt button;
● If a message appears asking you to restart the computer, restart it;
● In your next reply, copy and paste all of the content shown under Results;
● If the computer restarted, go to the folder C:\_OTMoveIt\MovedFiles and open the most recent .log file there. Copy and paste the whole content of that file.

Step 2

- Download FindyKill and save the tool in the folder C:\Arquivos de Programas;
- Close any programs that are open;
- Install the tool and accept all the conditions it asks for;
- When it finishes, run the tool with a double-click on: C:\Arquivos de Programas\FindyKill\FindyKill.bat;
- At the prompt, press C > Enter;
- Next, press 2 and then Enter; the computer will restart twice;
- When it finishes, click an empty area of the prompt and press Enter;
- Notepad will open with the report: C:\FindyKill.txt.

Paste the OTMoveIt3 log, the FindyKill log and a new RSIT log (just log.txt) in your next reply.
cobradorf 0 Posted January 23, 2009

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O4 - HKLM\..\Run: [barsaka] explorer.exe

Those entries weren't in HijackThis....
MGuitar 11 Posted January 26, 2009

Please post a new HijackThis log.
cobradorf 0 Posted January 31, 2009

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59:34, on 31/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\XP-5CED94A8.EXE
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\novmbf.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\winxlgr.exe
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [XP-5CED94A8] C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5CED94A8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reboot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C42F28EA-3D2B-41C1-BA4B-F8E16335B24D}: NameServer = 200.222.0.34 200.202.193.75
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4320 bytes
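An added example, not part of this thread or of HijackThis itself: a small Python triage script that applies the same checks MGuitar's fix list above relies on (UserInit chaining an extra program, a Run value relaunching explorer.exe, autostart targets or processes under Temp or RECYCLER, a raw executable in a Startup folder, a DisableRegedit/DisableTaskMgr policy) to a HijackThis log. The sample log lines are constructed from entries posted in this thread; the heuristics and the triage() function are the editor's, not the tool's.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Constructed sample in HijackThis v2.0.2 format, modelled on entries posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\FERNIL~1\CONFIG~1\Temp\novmbf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [barsaka] explorer.exe
O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
O4 - Global Startup: Reboot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Folders that legitimate autostart entries almost never run from (editor's heuristic).
SUSPECT_DIRS = re.compile(r"\\(?:temp|recycler)\\", re.IGNORECASE)
# Policy values that lock the user out of regedit / Task Manager.
LOCKOUT_POLICY = re.compile(r"Disable(?:Regedit|RegistryTools|TaskMgr)=1", re.IGNORECASE)
ENTRY = re.compile(r"^([FOR]\d+) - (.*)$")  # section code, " - ", body


def triage(log_text):
    """Return the HijackThis lines that deserve a closer look, each with a reason."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m is None:
            # The process list is bare paths; flag ones under Temp or the recycle bin.
            if in_processes and SUSPECT_DIRS.search(line):
                findings.append(Finding(line, "process running from a temp or recycle-bin folder"))
            continue
        in_processes = False
        code, body = m.groups()
        if code == "F2" and "UserInit=" in body:
            # The stock XP value is "...\userinit.exe," with nothing after the comma.
            value = body.split("UserInit=", 1)[1]
            extras = [p.strip() for p in value.split(",") if p.strip()][1:]
            if extras:
                findings.append(Finding(line, "UserInit chains extra program(s): " + ", ".join(extras)))
        elif code == "O4":
            location, _, target = body.partition(":")
            target = re.sub(r"^\s*\[[^\]]*\]\s*", "", target).strip()  # drop the [value name]
            if SUSPECT_DIRS.search(target):
                findings.append(Finding(line, "autostart target in a temp or recycle-bin folder"))
            elif target.lower().startswith("explorer.exe"):
                findings.append(Finding(line, "Run value relaunching explorer.exe, which Userinit already starts"))
            elif "startup" in location.lower() and "=" not in target and target.lower().endswith(".exe"):
                findings.append(Finding(line, "raw executable placed directly in a Startup folder"))
        elif code == "O7" and LOCKOUT_POLICY.search(body):
            findings.append(Finding(line, "policy disables regedit or Task Manager"))
    return findings
```

Running triage(SAMPLE_LOG) flags six lines and leaves the NVIDIA, ctfmon and O23 entries alone; the same heuristics would not catch every entry on the fix list (the ul.dll/og.dll/jniem.sys files never appear in a HijackThis log), so a log review still needs the full RSIT and OTMoveIt output the thread asks for.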