[Resolvido!] Trojan-PWS.Bancos

[MGuitar 11]

1ª Etapa

 

Delete a pasta C:\Avenger.

 

2ª Etapa

 

- Baixe o arquivo upado no link abaixo e salve no desktop;

http://rapidshare.com/files/179906391/Regedit.zip.html

 

- Extraia o arquivo que está dentro da pasta zipada, e coloque o arquivo (regedit.exe) dentro da seguinte pasta > C:\Windows.

 

3ª Etapa

 

- Faça o download do ComboFix e salve-o na área de trabalho;

 

● Desative temporariamente o seu antivirus para não detectar a ferramenta como vírus;

● Duplo clique no ícone combofix.exe para iniciar o scan;

● Leia o contrato que aparecerá e clique em Sim para continuar;

● Abrirá uma janela do Console de Recuperação, clique em Sim para instalar. Se aparecer outra janela do Console, clique em OK > Sim;

● Aguarde enquanto o ComboFix faz o scan;

● Se ocorrer algum problema durante o scan, reinicie seu computador em Modo de Segurança e repita o procedimento;

● Não clique na janela do ComboFix e procure não utilizar o teclado também, para não atrapalhar a varredura da ferramenta;

● Se quiser sair ou parar o ComboFix, tecle N;

● Quando terminar seu micro será reiniciado. Após o reinicio, a ferramenta executará novamente, aguarde;

● Será gerado um log em C:\ComboFix.txt.

 

Cole este log em sua próxima resposta.

[buzzuh1 0]

Thank's e conforme o pedido, ai vai:

 

ComboFix 09-01-05.01 - Usuário 2009-01-05 13:20:19.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.991.567 [GMT -2:00]

Executando de: c:\documents and settings\Usuário\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_GBPSV

-------\Service_GbpSv

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-05 to 2009-01-05 ))))))))))))))))))))))))))))

.

 

2009-01-05 13:16 . 2008-04-13 20:21 150,528 --a--c--- c:\windows\system32\dllcache\regedit.exe

2009-01-05 13:16 . 2008-04-13 20:21 150,528 --a------ c:\windows\regedit.exe

2009-01-04 16:08 . 2009-01-04 16:08 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-30 19:52 . 2008-12-30 19:52 7,168 --a------ c:\windows\system32\drivers\uteznzg1.sys

2008-12-30 13:33 . 2009-01-05 13:25 0 --a------ c:\windows\system.ini

2008-12-30 13:23 . 2008-12-31 03:36 13,613,088 --ahs---- c:\windows\system32\drivers\fidbox.dat

2008-12-30 13:23 . 2008-12-31 03:36 160,604 --ahs---- c:\windows\system32\drivers\fidbox.idx

2008-12-29 18:59 . 2008-12-29 18:59 <DIR> d-------- c:\documents and settings\Usuário\Dados de aplicativos\Malwarebytes

2008-12-29 18:59 . 2008-12-29 18:59 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2008-12-29 18:59 . 2008-12-29 18:59 <DIR> d-------- c:\arquivos de programas\Malwarebytes' Anti-Malware

2008-12-29 18:59 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-29 18:59 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-28 15:46 . 2008-12-28 15:46 268 --ah----- C:\sqmdata05.sqm

2008-12-28 15:46 . 2008-12-28 15:46 244 --ah----- C:\sqmnoopt05.sqm

2008-12-28 12:17 . 2008-12-28 12:17 268 --ah----- C:\sqmdata03.sqm

2008-12-28 12:17 . 2008-12-28 12:17 244 --ah----- C:\sqmnoopt04.sqm

2008-12-28 12:17 . 2008-12-28 12:17 244 --ah----- C:\sqmnoopt03.sqm

2008-12-28 12:17 . 2008-12-28 12:17 136 --ah----- C:\sqmdata04.sqm

2008-12-28 10:06 . 2008-12-28 10:06 268 --ah----- C:\sqmdata02.sqm

2008-12-28 10:06 . 2008-12-28 10:06 268 --ah----- C:\sqmdata01.sqm

2008-12-28 10:06 . 2008-12-28 10:06 244 --ah----- C:\sqmnoopt02.sqm

2008-12-28 10:06 . 2008-12-28 10:06 244 --ah----- C:\sqmnoopt01.sqm

2008-12-27 21:05 . 2008-12-27 21:05 <DIR> d--h----- c:\windows\system32\GroupPolicy

2008-12-23 22:13 . 2008-12-29 19:49 <DIR> d-------- C:\Hijack

2008-12-22 23:05 . 2009-01-04 23:18 <DIR> d-a------ c:\documents and settings\All Users\Dados de aplicativos\TEMP

2008-12-22 23:04 . 2008-12-22 23:04 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Avg8

2008-12-18 19:57 . 2008-12-18 19:57 <DIR> d-------- c:\arquivos de programas\Alwil Software

2008-12-18 19:57 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\system32\MFC71.dll

2008-12-16 23:59 . 2008-12-16 23:59 6,144 --ahs---- c:\windows\system32\Thumbs.db

2008-12-13 18:42 . 2008-12-31 03:49 69 --a------ c:\windows\NeroDigital.ini

2008-12-11 23:13 . 2009-01-04 16:00 112 --a------ c:\windows\win.ini

2008-12-09 16:03 . 2008-12-09 18:08 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-12-09 16:03 . 2008-12-09 18:08 <DIR> d-------- c:\arquivos de programas\Spybot - Search & Destroy

2008-12-09 14:41 . 2008-12-09 14:41 0 --a------ c:\windows\system32\dkwork.ini

2008-12-09 13:05 . 2008-12-09 13:05 <DIR> d-------- c:\arquivos de programas\Yahoo!

2008-12-09 12:38 . 2008-12-09 12:38 <DIR> d-------- c:\windows\BricoPacks

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-04 18:08 --------- d-----w c:\arquivos de programas\Java

2008-12-23 01:00 --------- d-----w c:\arquivos de programas\CCleaner

2008-12-09 20:08 --------- d-----w c:\arquivos de programas\GbPlugin

2008-11-14 12:28 --------- d-----w c:\documents and settings\Usuário\Dados de aplicativos\BSplayer

2008-11-08 01:47 --------- d-----w c:\documents and settings\Usuário\Dados de aplicativos\BSplayer Pro

2008-11-08 01:47 --------- d-----w c:\arquivos de programas\Webteh

2008-11-07 10:43 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe

2008-07-17 13:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

2008-07-17 13:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\MSHist012008071720080718\index.dat

2008-07-17 13:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

2008-07-17 13:38 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-04-13 22:21 1,695,232 --sha-w c:\windows\VistaMizer\old\msmsgs.exe

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 25088]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe" [2008-06-24 132392]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LifeCam"="c:\arquivos de programas\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]

"NBKeyScan"="c:\arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]

"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-01-04 136600]

"SiSPower"="SiSPower.dll" [2007-04-11 c:\windows\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 25088]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

 

c:\documents and settings\Usu rio\Menu Iniciar\Programas\Inicializar\

RocketDock.lnk - c:\windows\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe [2006-05-14 344064]

UberIcon.lnk - c:\windows\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe [2006-02-05 180224]

Y'z Shadow.lnk - c:\windows\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe [2002-09-30 131072]

Y'z Toolbar.lnk - c:\windows\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe [2002-09-29 90112]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

BTTray.lnk - c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe [2005-10-09 610365]

InterVideo WinCinema Manager.lnk - c:\arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-07-17 212992]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\InterVideo\\DVD6\\WinDVD.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Arquivos de programas\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Arquivos de programas\\Arquivos comuns\\Nero\\Nero Web\\SetupX.exe"=

"c:\\Arquivos de programas\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=

"c:\\Arquivos de programas\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-27 111184]

R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-27 20560]

S3 uteznzg1;AVZ Kernel Driver;c:\windows\system32\drivers\uteznzg1.sys [2008-12-30 7168]

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKLM-Run-Cmaudio - cmicnfg.cpl

ShellExecuteHooks-{E37CB5F0-51F5-4395-A808-5FA49E399003} - (no file)

 

 

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.uol.com.br/

uInternet Connection Wizard,ShellNext = iexplore

IE: c:\arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

 

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-05 13:25:49

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(516)

c:\windows\system32\sfc_os.dll

c:\windows\system32\COMRes.dll

c:\windows\system32\cscui.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe

c:\arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Microsoft LifeCam\MSCamS32.exe

c:\arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\system32\IoctlSvc.exe

c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTStackServer.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-01-05 13:28:35 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-01-05 15:28:32

 

Pré-execução: 20 pasta(s) 19.107.475.456 bytes disponíveis

Pós execução: 20 pasta(s) 18,992,082,944 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

171 --- E O F --- 2008-12-18 16:58:54

 

No aguardo de um novo contato, espero que breve.

[MGuitar 11]

Selecione e copie o conteúdo abaixo. Cole-o no Bloco de Notas de seu PC e salve no desktop como CFScript.txt

 

File::

C:\sqmdata05.sqm

C:\sqmnoopt05.sqm

C:\sqmdata03.sqm

C:\sqmnoopt04.sqm

C:\sqmnoopt03.sqm

C:\sqmdata04.sqm

C:\sqmdata02.sqm

C:\sqmdata01.sqm

C:\sqmnoopt02.sqm

C:\sqmnoopt01.sqm

c:\windows\system32\dkwork.ini

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000000

DirLook::

c:\windows\system32\GroupPolicy

Arraste o CFScript para o ComboFix como na imagem aqui abaixo e aguarde a execução automática da ferramenta:

 

 

● Se for solicitado à você, pressione Enter para iniciar o processo de remoção;

● Não use o mouse nem o teclado quando o ComboFix estiver rodando;

● Quando terminar, será gerado um novo log que estará em C:\ComboFix.txt;

● Talvez seu computador seja reiniciado automaticamente. Caso não ocorra, reinicie-o manualmente.

 

Na sua próxima resposta, cole o ComboFix.txt e um novo log do HijackThis.

[buzzuh1 0]

Conforme pedido:

 

ComboFix Log

 

ComboFix 09-01-05.02 - Usuário 2009-01-05 18:34:56.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.991.559 [GMT -2:00]

Executando de: c:\documents and settings\Usuário\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Usuário\Desktop\CFScript.txt

* Criado um novo ponto de restauro

 

FILE ::

C:\sqmdata01.sqm

C:\sqmdata02.sqm

C:\sqmdata03.sqm

C:\sqmdata04.sqm

C:\sqmdata05.sqm

C:\sqmnoopt01.sqm

C:\sqmnoopt02.sqm

C:\sqmnoopt03.sqm

C:\sqmnoopt04.sqm

C:\sqmnoopt05.sqm

c:\windows\system32\dkwork.ini

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\sqmdata01.sqm

C:\sqmdata02.sqm

C:\sqmdata03.sqm

C:\sqmdata04.sqm

C:\sqmdata05.sqm

C:\sqmnoopt01.sqm

C:\sqmnoopt02.sqm

C:\sqmnoopt03.sqm

C:\sqmnoopt04.sqm

C:\sqmnoopt05.sqm

c:\windows\system32\dkwork.ini

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-05 to 2009-01-05 ))))))))))))))))))))))))))))

.

 

2009-01-05 13:16 . 2008-04-13 20:21 150,528 --a--c--- c:\windows\system32\dllcache\regedit.exe

2009-01-05 13:16 . 2008-04-13 20:21 150,528 --a------ c:\windows\regedit.exe

2009-01-04 16:08 . 2009-01-04 16:08 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-30 19:52 . 2008-12-30 19:52 7,168 --a------ c:\windows\system32\drivers\uteznzg1.sys

2008-12-30 13:33 . 2009-01-05 18:36 0 --a------ c:\windows\system.ini

2008-12-30 13:23 . 2008-12-31 03:36 13,613,088 --ahs---- c:\windows\system32\drivers\fidbox.dat

2008-12-30 13:23 . 2008-12-31 03:36 160,604 --ahs---- c:\windows\system32\drivers\fidbox.idx

2008-12-29 18:59 . 2008-12-29 18:59 <DIR> d-------- c:\documents and settings\Usuário\Dados de aplicativos\Malwarebytes

2008-12-29 18:59 . 2008-12-29 18:59 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2008-12-29 18:59 . 2008-12-29 18:59 <DIR> d-------- c:\arquivos de programas\Malwarebytes' Anti-Malware

2008-12-29 18:59 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-29 18:59 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-27 21:05 . 2008-12-27 21:05 <DIR> d--h----- c:\windows\system32\GroupPolicy

2008-12-23 22:13 . 2008-12-29 19:49 <DIR> d-------- C:\Hijack

2008-12-22 23:05 . 2009-01-04 23:18 <DIR> d-a------ c:\documents and settings\All Users\Dados de aplicativos\TEMP

2008-12-22 23:04 . 2008-12-22 23:04 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Avg8

2008-12-18 19:57 . 2008-12-18 19:57 <DIR> d-------- c:\arquivos de programas\Alwil Software

2008-12-18 19:57 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\system32\MFC71.dll

2008-12-16 23:59 . 2008-12-16 23:59 6,144 --ahs---- c:\windows\system32\Thumbs.db

2008-12-13 18:42 . 2008-12-31 03:49 69 --a------ c:\windows\NeroDigital.ini

2008-12-11 23:13 . 2009-01-04 16:00 112 --a------ c:\windows\win.ini

2008-12-09 16:03 . 2008-12-09 18:08 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-12-09 16:03 . 2008-12-09 18:08 <DIR> d-------- c:\arquivos de programas\Spybot - Search & Destroy

2008-12-09 13:05 . 2008-12-09 13:05 <DIR> d-------- c:\arquivos de programas\Yahoo!

2008-12-09 12:38 . 2008-12-09 12:38 <DIR> d-------- c:\windows\BricoPacks

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-04 18:08 --------- d-----w c:\arquivos de programas\Java

2008-12-23 01:00 --------- d-----w c:\arquivos de programas\CCleaner

2008-12-09 20:08 --------- d-----w c:\arquivos de programas\GbPlugin

2008-12-09 14:45 219,648 ----a-w c:\windows\system32\uxtheme.dll

2008-11-14 12:28 --------- d-----w c:\documents and settings\Usuário\Dados de aplicativos\BSplayer

2008-11-08 01:47 --------- d-----w c:\documents and settings\Usuário\Dados de aplicativos\BSplayer Pro

2008-11-08 01:47 --------- d-----w c:\arquivos de programas\Webteh

2008-11-07 10:43 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe

2008-10-23 12:37 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:23 1,260,544 ----a-w c:\windows\system32\wininet.dll

2008-10-16 16:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 16:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 16:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 16:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 16:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 16:09 69,144 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 16:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 16:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 16:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 16:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-07-17 13:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

2008-07-17 13:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\MSHist012008071720080718\index.dat

2008-07-17 13:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

2008-07-17 13:38 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-04-13 22:21 1,695,232 --sha-w c:\windows\VistaMizer\old\msmsgs.exe

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

---- Directory of c:\windows\system32\GroupPolicy ----

 

2008-12-27 21:07 8 --a------ c:\windows\system32\GroupPolicy\User\Registry.pol

2008-12-27 21:07 79 --a------ c:\windows\system32\GroupPolicy\gpt.ini

2008-12-27 21:05 81 ---h----- c:\windows\system32\GroupPolicy\Adm\admfiles.ini

2008-10-16 14:04 60148 --a------ c:\windows\system32\GroupPolicy\Adm\wuau.adm

2008-06-10 08:48 2483706 --a------ c:\windows\system32\GroupPolicy\Adm\inetres.adm

2007-10-15 04:57 1915598 --a------ c:\windows\system32\GroupPolicy\Adm\system.adm

2007-09-18 22:07 43086 --a------ c:\windows\system32\GroupPolicy\Adm\conf.adm

2006-11-03 00:30 74934 --a------ c:\windows\system32\GroupPolicy\Adm\wmplayer.adm

 

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 25088]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe" [2008-06-24 132392]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LifeCam"="c:\arquivos de programas\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]

"NBKeyScan"="c:\arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]

"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-01-04 136600]

"SiSPower"="SiSPower.dll" [2007-04-11 c:\windows\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 25088]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

 

c:\documents and settings\Usu rio\Menu Iniciar\Programas\Inicializar\

RocketDock.lnk - c:\windows\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe [2006-05-14 344064]

UberIcon.lnk - c:\windows\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe [2006-02-05 180224]

Y'z Shadow.lnk - c:\windows\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe [2002-09-30 131072]

Y'z Toolbar.lnk - c:\windows\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe [2002-09-29 90112]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

BTTray.lnk - c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe [2005-10-09 610365]

InterVideo WinCinema Manager.lnk - c:\arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-07-17 212992]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\InterVideo\\DVD6\\WinDVD.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Arquivos de programas\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Arquivos de programas\\Arquivos comuns\\Nero\\Nero Web\\SetupX.exe"=

"c:\\Arquivos de programas\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=

"c:\\Arquivos de programas\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-27 111184]

R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-27 20560]

S3 uteznzg1;AVZ Kernel Driver;c:\windows\system32\drivers\uteznzg1.sys [2008-12-30 7168]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.uol.com.br/

uInternet Connection Wizard,ShellNext = iexplore

IE: c:\arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

 

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-05 18:36:15

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(516)

c:\windows\system32\sfc_os.dll

c:\windows\system32\COMRes.dll

c:\windows\system32\cscui.dll

.

Tempo para conclusão: 2009-01-05 18:37:37

ComboFix-quarantined-files.txt 2009-01-05 20:37:23

 

Pré-execução: 20 pasta(s) 19.311.566.848 bytes disponíveis

Pós execução: 20 pasta(s) 19,258,679,296 bytes disponíveis

 

175 --- E O F --- 2008-12-18 16:58:54

 

 

HijackThis Log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:45:11, on 5/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\vVX1000.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe

C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe

C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Hijack\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe

O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe

O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

 

--

End of file - 7221 bytes

 

 

No aguardo de um novo contato, espero que breve.

[MGuitar 11]

1ª Etapa

 

Execute o HijackThis e clique em Do a system scan only. Marque a entrada abaixo e clique no botão Fix Checked.

 

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

 

2ª Etapa

 

Vá em Iniciar > Executar, digite: combofix /u e tecle Enter. Aguarde a remoção da ferramenta.

Se ainda não desinstalou o Kaspersky Removal Tool, indicado anteriormente, vá até a pasta dele e dê um duplo clique no arquivo denominado unins000.exe. Clique em OK duas vezes.

 

3ª Etapa

 

- Faça o download do ToolsCleaner e salve no desktop;

 

- Feche todas as janelas abertas e dê um duplo clique no ícone do programa para executá-lo:

- Clique no botão Recherche para iniciar o scan e aguarde:

- Quando o scan terminar, será apresentado os itens que serão removidos;

- Clique no botão Supression para remover os itens encontrados e depois clique em Quitter para que o programa se feche e o log será gerado;

- O log estará em C:\TCleaner.txt.

 

Cole este log do ToolsCleaner em sua próxima resposta.

 

 

No mais os logs estão limpos. Algum problema ainda?

[buzzuh1 0]

Log

 

[ Rapport ToolsCleaner version 2.3.0 (par A.Rothstein & dj QUIOU) ]

 

-->- Recherche:

 

C:\Qoobox: trouvé !

C:\Hijack\HijackThis.exe: trouvé !

 

---------------------------------

-->- Suppression:

 

C:\Hijack\HijackThis.exe: supprimé !

C:\Qoobox: supprimé !

 

Etapas

 

Concluidas

 

Problemas

 

Estarei verificando e passando a você dentro de pouco tempo.

 

Mais algo estou aqui.

[MGuitar 11]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.