jpn2, posted December 25, 2008

Good evening. Thank you for your help in sorting out the problems with my PC, which I believe is full of viruses, besides being very slow. As per rule no. 2, I attach the HijackThis log. Many thanks for your help, and a merry Christmas.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:08:52, on 25-12-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Utils\Virus\AVG8\avgwdsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Utils\Imagem\OmniPageSE4.0\OpwareSE4.exe
C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\Utils\Virus\AVG8\avgtray.exe
C:\Programas\Net\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Utils\Virus\AVG8\avgrsx.exe
C:\Programas\Windows Media Player\WMPNSCFG.exe
C:\Programas\Ficheiros comuns\pestpatrol\ppRemoteService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\pestpatrol\PPMCActiveDetection.exe
C:\PROGRA~1\Utils\Virus\AVG8\avgemc.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programas\Net\ZoneAlarm\MailFrontier\mantispm.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Hijack\HiJackThis.exe
C:\WINDOWS\system32\ZoneLabs\UpdClient.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\Utils\Virus\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Utils\Virus\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programas\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programas\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programas\Utils\Imagem\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /runonce
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Utils\Virus\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programas\Net\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programas\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O4 - HKUS\S-1-5-19\..\Run: [sAFE6_SAFE] "C:\Programas\Steganos Safe 6\safe.exe" /booting (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [sSS6_Suite] "C:\Programas\Steganos Security Suite 6\sss.exe" /booting (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [sSS6_SAFE] "C:\Programas\Steganos Security Suite 6\safe.exe" /booting (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [sSS6_SPM] "C:\Programas\Steganos Security Suite 6\spm.exe" /booting (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [sAFE6_SAFE] "C:\Programas\Steganos Safe 6\safe.exe" /booting (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programas\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programas\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programas\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programas\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://web.cm-tavira.pt/mapa/cabs/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152944695616
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D062BCF5-F19B-4C14-9C57-6B0F4FED1F1D}: NameServer = 192.168.2.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\Utils\Virus\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Programas\Net\Aluria Security Center\ascserv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Utils\Virus\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Utils\Virus\AVG8\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programas\DVD\CDBurnerXP\NMSAccessU.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Programas\Ficheiros comuns\pestpatrol\ppRemoteService.exe
O23 - Service: Steganos Live Encryption Engine (Version 503) [service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE503.exe (file missing)
O23 - Service: Check Point SecuRemote Service (SR_Service) - Unknown owner - C:\Programas\CheckPoint\SecuRemote\bin\SR_Service.exe (file missing)
O23 - Service: Remote_Procedure_Call (svchost) - Unknown owner - C:\WINDOWS\system32\svchost.cmd (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programas\Sys\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11202 bytes
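A first triage pass over a log like the one above, as an added example (Python; this is not code from the thread, from the helper, or from HijackThis). It parses four of the entry types HijackThis prints (O4, O17, O20, O23) and flags what a helper reads first: services whose binary is missing, services that run a .cmd/.bat/.vbs script or borrow a Windows core process name while reporting no owner, autoruns started from a Temp folder, a DNS server outside the private ranges, and any AppInit_DLLs entry. "Unknown owner" by itself only means the file carries no company name (ascserv.exe and NMSAccessU.exe in this log are legitimate programs that show it), so the rules combine it with other signals rather than flagging it alone. The severities and the rule set are my own choices; SAMPLE_LOG takes its lines from the log above plus one constructed O4 entry, labelled as such, to exercise the Temp-folder rule.

```python
"""Triage rules for a HijackThis 2.x log (added example, not HijackThis code)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "review"
    entry: str      # HijackThis entry type (O4, O17, O20, O23)
    reason: str
    line: str


SEVERITY = {"review": 0, "medium": 1, "high": 2}
SCRIPT_EXT = {"cmd", "bat", "vbs", "js"}      # a service binary should be a PE file, not a script
CORE_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss"}

# O23 - Service: <display> [(<name>)] - <owner> - <path> [(file missing)]
# The parenthesised service name is optional; some entries print only the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 - <hive>\..\<Run key>: [<label>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def _check_o23(m):
    reasons = []
    base = m["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem, _, ext = base.rpartition(".")
    stem = stem or base
    if m["missing"]:
        reasons.append(("medium", "binary missing: orphaned service, or remnant of a removed or half-cleaned program"))
    if m["owner"] == "Unknown owner":
        if ext in SCRIPT_EXT:
            reasons.append(("high", f"service runs a .{ext} script instead of a PE executable"))
        if stem in CORE_NAMES or (m["name"] or "").lower() in CORE_NAMES:
            reasons.append(("high", "borrows a Windows core process name but has no identifiable owner"))
    return reasons


def _check_o4(m):
    cmd = m["cmd"].lower()
    if "\\temp\\" in cmd or "%temp%" in cmd:
        return [("high", "autorun launches from a Temp folder")]
    return []


def _check_o17(m):
    reasons = []
    for server in re.split(r"[,; ]+", m["servers"].strip()):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            reasons.append(("review", f"NameServer {server!r} is not an IP address"))
            continue
        if not ip.is_private:   # a home PC normally points at its router
            reasons.append(("high", f"DNS server {server} is outside the private ranges; check for DNS hijacking"))
    return reasons


def _check_o20(m):
    return [("review", f"AppInit_DLLs loads {m['dlls']} into every GUI process; confirm it belongs to installed security software")]


CHECKS = ((O23_RE, "O23", _check_o23), (O4_RE, "O4", _check_o4),
          (O17_RE, "O17", _check_o17), (O20_RE, "O20", _check_o20))


def triage(log_text):
    """One Finding per flagged line, carrying the worst severity and all reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, entry, check in CHECKS:
            m = pattern.match(line)
            if m is None:
                continue
            reasons = check(m)
            if reasons:
                worst = max((sev for sev, _ in reasons), key=SEVERITY.__getitem__)
                findings.append(Finding(worst, entry, "; ".join(r for _, r in reasons), line))
            break
    return findings


# Lines copied from the thread's log; the "[Updater]" O4 line is constructed for the Temp rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Utils\Virus\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\Jorge\DEFINI~1\Temp\upd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D062BCF5-F19B-4C14-9C57-6B0F4FED1F1D}: NameServer = 192.168.2.2
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Programas\Net\Aluria Security Center\ascserv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Steganos Live Encryption Engine (Version 503) [service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE503.exe (file missing)
O23 - Service: Check Point SecuRemote Service (SR_Service) - Unknown owner - C:\Programas\CheckPoint\SecuRemote\bin\SR_Service.exe (file missing)
O23 - Service: Remote_Procedure_Call (svchost) - Unknown owner - C:\WINDOWS\system32\svchost.cmd (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: -SEVERITY[f.severity]):
        print(f"[{f.severity:6}] {f.entry}: {f.reason}\n    {f.line}")
```

On this log the one high-severity service is `Remote_Procedure_Call (svchost)`: a .cmd file registered as a service under a core-process name, with no owner. The two other missing-file services (Steganos, Check Point SecuRemote) stay at medium, because an orphaned entry left by an uninstaller looks exactly the same in a HijackThis line; they are noted for the follow-up scan rather than treated as evidence.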
jgarcia, posted December 26, 2008

Hi jpn2,

Download ComboFix from: ComboFix

1) Temporarily disable your antivirus;
2) Double-click combofix.exe and wait (the whole process takes about 10 minutes);
3) The "SOFTWARE DISCLAIMER OF WARRANTY" window will open. Read the text in this window carefully and click "YES" to continue. PS: if you do not agree with the terms, click "NO" to exit the program, bearing in mind that disinfection will not be possible without continuing with ComboFix.
4) Another window will open if your machine does not have the WINDOWS RECOVERY CONSOLE. It is recommended that you install the console before continuing, since that guarantees the system can be recovered if problems occur during the scan. Click "YES" and wait; ComboFix itself installs the console automatically. It may take a few minutes (depending on the speed of your connection), so be patient. When the "INSTALLING THE RECOVERY CONSOLE" window appears, click "OK", then click "YES" to accept the EULA. When the Recovery Console installation finishes, a window will open saying "THE RECOVERY CONSOLE WAS SUCCESSFULLY INSTALLED". Click "YES" to continue with the scan.
5) ComboFix will start the AUTOSCAN (wait). WARNING: do not click on the ComboFix window or terminate the process abruptly while the tool is running, as that will break your desktop configuration (it will go completely white). When the process finishes, the machine will be restarted to produce the report.
6) After the restart, ComboFix will run FIND3M to build the final scan report. The log will be saved at C:\ComboFix.txt.
7) Re-enable your antivirus;
8) Paste the contents of ComboFix.txt in your next reply.

NOTE 1: If a message appears saying THIS IS NOT A VALID WIN32 APPLICATION, download ComboFix again, but save it to your Desktop as KomboFix. As a last resort, try running ComboFix in SAFE MODE.
NOTE 2: If the running ComboFix window is clicked, it will MAXIMIZE and cover the other windows. To minimize it again, just use ALT + TAB.

Regards.
jpn2, posted December 27, 2008

Hi jgarcia, thank you very much for your help. I ran ComboFix and during the restart I got the following message: FINDSTR: Cannot open TEMP01. However, FIND3M ran to the end with no further problems.

ComboFix 08-12-26.03 - Jorge 2008-12-27 15:27:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.511.190 [GMT 0:00]
Running from: d:\temp\BitTorrent\Torrents\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Security Suite Firewall *disabled*
 * Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\hosts
c:\windows\system32\eventmgr.exe
c:\windows\system32\ftpupd.exe
c:\windows\system32\svchost32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASCSERVICE
-------\Legacy_SVCHOST
-------\Service_ASCService


((((((((((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))))))
.

2008-12-26 11:28 . 2008-12-27 15:03  <DIR>  d--h-----  C:\$AVG8.VAULT$
2008-12-25 22:03 . 2008-12-25 22:08  <DIR>  d--------  C:\Hijack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 17:07  29,689,888  --sha-w  c:\windows\system32\drivers\fidbox.dat
2008-12-27 15:45  409,808  --sha-w  c:\windows\system32\drivers\fidbox.idx
2008-12-26 13:44  2,209,280  ----a-w  c:\windows\Internet Logs\xDBA3.tmp
2008-12-23 23:01  94,208  ----a-w  c:\windows\Internet Logs\xDBA2.tmp
2008-12-21 22:20  2,175,488  ----a-w  c:\windows\Internet Logs\xDBA1.tmp
2008-12-21 21:31  ---------  d-----w  c:\programas\Ficheiros comuns\PestPatrol
2008-12-20 10:38  2,175,488  ----a-w  c:\windows\Internet Logs\xDBA0.tmp
2008-12-16 21:53  108,032  ----a-w  c:\windows\Internet Logs\xDB9F.tmp
2008-12-14 12:24  220,160  ----a-w  c:\windows\Internet Logs\xDB9E.tmp
2008-12-05 19:53  166,400  ----a-w  c:\windows\Internet Logs\xDB9D.tmp
2008-12-02 21:59  156,672  ----a-w  c:\windows\Internet Logs\xDB9C.tmp
2008-12-02 20:59  2,168,320  ----a-w  c:\windows\Internet Logs\xDB9B.tmp
2008-12-01 20:55  2,166,784  ----a-w  c:\windows\Internet Logs\xDB9A.tmp
2008-11-28 22:17  64,000  ----a-w  c:\windows\Internet Logs\xDB99.tmp
2008-11-28 21:43  67,072  ----a-w  c:\windows\Internet Logs\xDB98.tmp
2008-11-27 21:45  79,360  ----a-w  c:\windows\Internet Logs\xDB96.tmp
2008-11-27 21:45  2,164,224  ----a-w  c:\windows\Internet Logs\xDB97.tmp
2008-11-27 21:41  2,164,224  ----a-w  c:\windows\Internet Logs\xDB95.tmp
2008-11-26 22:03  102,400  ----a-w  c:\windows\Internet Logs\xDB94.tmp
2008-11-25 22:26  782,848  ----a-w  c:\windows\Internet Logs\xDB93.tmp
2008-11-23 21:56  65,536  ----a-w  c:\windows\Internet Logs\xDB92.tmp
2008-11-23 11:08  105,984  ----a-w  c:\windows\Internet Logs\xDB91.tmp
2008-11-22 10:17  182,272  ----a-w  c:\windows\Internet Logs\xDB90.tmp
2008-11-22 07:55  2,141,184  ----a-w  c:\windows\Internet Logs\xDB8F.tmp
2008-11-19 22:08  137,216  ----a-w  c:\windows\Internet Logs\xDB8E.tmp
2008-11-18 09:52  61,952  ----a-w  c:\windows\Internet Logs\xDB8D.tmp
2008-11-17 22:12  77,824  ----a-w  c:\windows\Internet Logs\xDB8C.tmp
2008-11-16 21:11  64,512  ----a-w  c:\windows\Internet Logs\xDB8B.tmp
2008-11-16 17:06  98,304  ----a-w  c:\windows\Internet Logs\xDB8A.tmp
2008-11-15 09:29  25,600  ----a-w  c:\windows\Internet Logs\xDB88.tmp
2008-11-15 09:29  2,135,552  ----a-w  c:\windows\Internet Logs\xDB89.tmp
2008-11-14 19:53  168,960  ----a-w  c:\windows\Internet Logs\xDB87.tmp
2008-11-12 18:56  420,864  ----a-w  c:\windows\Internet Logs\xDB86.tmp
2008-11-11 16:13  2,127,360  ----a-w  c:\windows\Internet Logs\xDB85.tmp
2008-11-10 21:11  2,145,792  ----a-w  c:\windows\Internet Logs\xDB84.tmp
2008-11-07 18:49  5,862,457  ----a-w  c:\windows\Internet Logs\tvDebug.zip
2008-11-05 21:58  2,124,288  ----a-w  c:\windows\Internet Logs\xDB83.tmp
2008-11-04 20:45  209,408  ----a-w  c:\windows\Internet Logs\xDB82.tmp
2008-11-04 19:48  ---------  d-----w  c:\documents and settings\Paula\Application Data\Canon
2008-11-01 21:58  100,864  ----a-w  c:\windows\Internet Logs\xDB81.tmp
2008-11-01 16:35  98,816  ----a-w  c:\windows\Internet Logs\xDB80.tmp
2008-11-01 10:36  58,880  ----a-w  c:\windows\Internet Logs\xDB7F.tmp
2008-10-31 23:09  54,784  ----a-w  c:\windows\Internet Logs\xDB7E.tmp
2008-10-31 21:57  64,000  ----a-w  c:\windows\Internet Logs\xDB7C.tmp
2008-10-31 21:57  2,099,712  ----a-w  c:\windows\Internet Logs\xDB7D.tmp
2008-10-29 21:46  62,464  ----a-w  c:\windows\Internet Logs\xDB7B.tmp
2008-10-29 20:06  55,296  ----a-w  c:\windows\Internet Logs\xDB7A.tmp
2008-10-28 21:37  162,304  ----a-w  c:\windows\Internet Logs\xDB79.tmp
2008-10-26 20:59  102,400  ----a-w  c:\windows\Internet Logs\xDB78.tmp
2008-10-26 16:42  80,896  ----a-w  c:\windows\Internet Logs\xDB76.tmp
2008-10-26 16:42  2,094,080  ----a-w  c:\windows\Internet Logs\xDB77.tmp
2008-10-26 09:37  2,093,568  ----a-w  c:\windows\Internet Logs\xDB75.tmp
2008-10-25 20:53  951,808  ----a-w  c:\windows\Internet Logs\xDB74.tmp
2008-10-25 17:10  222,208  ----a-w  c:\windows\Internet Logs\xDB72.tmp
2008-10-25 17:10  2,093,056  ----a-w  c:\windows\Internet Logs\xDB73.tmp
2008-10-23 21:25  260,096  ----a-w  c:\windows\Internet Logs\xDB71.tmp
2008-10-23 12:36  286,720  ----a-w  c:\windows\system32\gdi32.dll
2008-10-20 21:32  67,072  ----a-w  c:\windows\Internet Logs\xDB70.tmp
2008-10-19 16:51  734,208  ----a-w  c:\windows\Internet Logs\xDB6F.tmp
2008-10-16 20:18  826,368  ----a-w  c:\windows\system32\wininet.dll
2008-10-16 14:13  202,776  ----a-w  c:\windows\system32\wuweb.dll
2008-10-16 14:13  1,809,944  ----a-w  c:\windows\system32\wuaueng.dll
2008-10-16 14:12  561,688  ----a-w  c:\windows\system32\wuapi.dll
2008-10-16 14:12  323,608  ----a-w  c:\windows\system32\wucltui.dll
2008-10-16 14:09  92,696  ----a-w  c:\windows\system32\cdm.dll
2008-10-16 14:09  51,224  ----a-w  c:\windows\system32\wuauclt.exe
2008-10-16 14:09  43,544  ----a-w  c:\windows\system32\wups2.dll
2008-10-16 14:08  34,328  ----a-w  c:\windows\system32\wups.dll
2008-10-16 14:06  268,648  ----a-w  c:\windows\system32\mucltui.dll
2008-10-16 14:06  208,744  ----a-w  c:\windows\system32\muweb.dll
2008-10-12 21:35  2,081,280  ----a-w  c:\windows\Internet Logs\xDB6E.tmp
2008-10-12 17:50  62,976  ----a-w  c:\windows\Internet Logs\xDB6D.tmp
2008-10-11 23:09  65,024  ----a-w  c:\windows\Internet Logs\xDB6C.tmp
2008-10-10 21:49  337,920  ----a-w  c:\windows\Internet Logs\xDB6B.tmp
2008-10-09 21:57  2,078,208  ----a-w  c:\windows\Internet Logs\xDB6A.tmp
2008-10-06 21:19  70,144  ----a-w  c:\windows\Internet Logs\xDB69.tmp
2008-10-05 21:34  2,070,528  ----a-w  c:\windows\Internet Logs\xDB68.tmp
2008-10-04 22:11  66,048  ----a-w  c:\windows\Internet Logs\xDB67.tmp
2008-10-03 10:03  247,326  ----a-w  c:\windows\system32\strmdll.dll
2008-10-02 21:00  99,840  ----a-w  c:\windows\Internet Logs\xDB66.tmp
2008-10-01 17:02  99,840  ----a-w  c:\windows\Internet Logs\xDB65.tmp
2008-09-30 16:43  1,286,152  ----a-w  c:\windows\system32\msxml4.dll
2008-09-29 21:06  187,392  ----a-w  c:\windows\Internet Logs\xDB64.tmp
2008-09-28 08:13  117,760  ----a-w  c:\windows\Internet Logs\xDB63.tmp
2008-09-27 20:10  192,000  ----a-w  c:\windows\Internet Logs\xDB62.tmp
2006-06-12 14:16  26,328  ----a-w  c:\documents and settings\Paula\Application Data\GDIPFONTCACHEV1.DAT
2006-02-18 08:27  25,456  -c--a-w  c:\documents and settings\Jorge\Application Data\GDIPFONTCACHEV1.DAT
2005-10-05 16:59  25,048  -c--a-w  c:\documents and settings\Daniela\Application Data\GDIPFONTCACHEV1.DAT
2005-04-17 07:46  25,048  ----a-w  c:\documents and settings\Sofia\Application Data\GDIPFONTCACHEV1.DAT
2004-03-14 07:10  119  --sh--w  c:\windows\cnerolf.dat
2004-11-28 11:38  2  --shatr  c:\windows\winstart.bat
2005-05-26 19:31  56  --sh--r  c:\windows\system32\0E0928266D.sys
2005-05-28 18:08  6,580  --sha-w  c:\windows\system32\KGyGaAvL.sys
2008-07-05 16:59  32,768  --sha-w  c:\windows\system32\config\systemprofile\Definições locais\Histórico\History.IE5\MSHist012008070520080706\index.dat
.

(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\programas\Windows Media Player\WMPNSCFG.exe" [2007-01-05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\programas\Utils\Imagem\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\programas\QuickTime\qttask.exe" [2004-03-21 98304]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2004-03-04 393216]
"Acrobat Assistant 8.0"="c:\programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"AVG8_TRAY"="c:\progra~1\Utils\Virus\AVG8\avgtray.exe" [2008-11-27 1261336]
"ZoneAlarm Client"="c:\programas\Net\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 c:\windows\soundman.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\Logi_MwX.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programas\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ivimp3en"= ivimp3en.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\programas\QuickTime\qttask.exe" -atboottime
"Windows Media Connect 2"="c:\programas\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
"SunJavaUpdateSched"=c:\programas\Java\jre1.5.0_07\bin\jusched.exe
"FinePrint Dispatcher v5"=c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
"FineReader7NewsReaderPro"=c:\programas\Utils\OCR\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programas\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Programas\\Net\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programas\\Utils\\Virus\\AVG8\\avgupd.exe"=
"c:\\Programas\\Utils\\Virus\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programas\\MSN Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-02-27 9344]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-13 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\Utils\Virus\AVG8\avgemc.exe [2008-07-05 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\Utils\Virus\AVG8\avgwdsvc.exe [2008-07-05 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-13 76040]
R2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys [2004-03-06 2368]
S2 SLEE_503_DRIVER;Steganos Live Encryption Engine (Version 503) [Driver];\??\c:\windows\System32\drivers\SLEE503.sys []
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\Jorge\DEFINI~1\Temp\kwwalpgr.sys []
S3 scsiscan;Controlador de scanner SCSI;c:\windows\system32\DRIVERS\scsiscan.sys [2005-07-16 11520]
S3 USRUSBCM;U.S. Robotics Cable Modem NDIS Driver;c:\windows\system32\DRIVERS\USR6000.sys [2004-03-28 12398]
S4 Abmc8a;Abmc8a; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9438a160-f89b-11da-9d0e-00c0df0f6079}]
\Shell\AutoRun\command - G:\On.bat
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\programas\Sys\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-21 21:35]

2008-12-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\programas\Symantec\LiveUpdate\NDetect.exe []

2006-03-04 c:\windows\Tasks\XoftSpy.job
- c:\programas\Sys\XoftSpy\XoftSpy.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
HKU-Default-Run-SAFE6_SAFE - c:\programas\Steganos Safe 6\safe.exe
HKU-Default-Run-SSS6_Suite - c:\programas\Steganos Security Suite 6\sss.exe
HKU-Default-Run-SSS6_SAFE - c:\programas\Steganos Security Suite 6\safe.exe
HKU-Default-Run-SSS6_SPM - c:\programas\Steganos Security Suite 6\spm.exe
ShellExecuteHooks-{08B7F610-340A-40DC-FE9F-9DE498F790CB} - (no file)
Notify-ckpNotify - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pt/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: {D062BCF5-F19B-4C14-9C57-6B0F4FED1F1D} = 192.168.2.2

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
c:\windows\Downloaded Program Files\GoPetsWeb.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 17:02:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programas\DVD\CDBurnerXP\NMSAccessU.exe
c:\programas\Ficheiros comuns\PestPatrol\ppRemoteService.exe
c:\programas\Windows Media Player\wmpnetwk.exe
c:\programas\Ficheiros comuns\PestPatrol\PPMCActiveDetection.exe
c:\progra~1\Utils\Virus\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-12-27 17:11:37 - machine was rebooted
ComboFix-quarantined-files.txt  2008-12-27 17:11:27

Pre-Run: 6,018,854,912 bytes free
Post-Run: 6,662,983,680 bytes free

257  --- E O F ---  2008-12-26 10:50:20

Best regards,
JPN2
jgarcia, posted December 28, 2008

Hey jpn2,

Follow these instructions:

1. Open Notepad -> copy (Ctrl + C) and paste (Ctrl + V) all of the text included in the "Quote":

File::
c:\windows\system32\config\systemprofile\Definições locais\Histórico\History.IE5\MSHist012008070520080706\index.dat
c:\documents and settings\Paula\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Jorge\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Daniela\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Sofia\Application Data\GDIPFONTCACHEV1.DAT
c:\docume~1\Jorge\DEFINI~1\Temp\kwwalpgr.sys
c:\windows\Internet Logs\xDBA3.tmp
c:\windows\Internet Logs\xDBA2.tmp
c:\windows\Internet Logs\xDBA1.tmp
c:\windows\Internet Logs\xDBA0.tmp
c:\windows\Internet Logs\xDB9F.tmp
c:\windows\Internet Logs\xDB9E.tmp
c:\windows\Internet Logs\xDB9D.tmp
c:\windows\Internet Logs\xDB9C.tmp
c:\windows\Internet Logs\xDB9B.tmp
c:\windows\Internet Logs\xDB9A.tmp
c:\windows\Internet Logs\xDB99.tmp
c:\windows\Internet Logs\xDB98.tmp
c:\windows\Internet Logs\xDB96.tmp
c:\windows\Internet Logs\xDB97.tmp
c:\windows\Internet Logs\xDB95.tmp
c:\windows\Internet Logs\xDB94.tmp
c:\windows\Internet Logs\xDB93.tmp
c:\windows\Internet Logs\xDB92.tmp
c:\windows\Internet Logs\xDB91.tmp
c:\windows\Internet Logs\xDB90.tmp
c:\windows\Internet Logs\xDB8F.tmp
c:\windows\Internet Logs\xDB8E.tmp
c:\windows\Internet Logs\xDB8D.tmp
c:\windows\Internet Logs\xDB8C.tmp
c:\windows\Internet Logs\xDB8B.tmp
c:\windows\Internet Logs\xDB8A.tmp
c:\windows\Internet Logs\xDB88.tmp
c:\windows\Internet Logs\xDB89.tmp
c:\windows\Internet Logs\xDB87.tmp
c:\windows\Internet Logs\xDB86.tmp
c:\windows\Internet Logs\xDB85.tmp
c:\windows\Internet Logs\xDB84.tmp
c:\windows\Internet Logs\tvDebug.zip
c:\windows\Internet Logs\xDB83.tmp
c:\windows\Internet Logs\xDB82.tmp
c:\windows\Internet Logs\xDB81.tmp
c:\windows\Internet Logs\xDB80.tmp
c:\windows\Internet Logs\xDB7F.tmp
c:\windows\Internet Logs\xDB7E.tmp
c:\windows\Internet Logs\xDB7C.tmp
c:\windows\Internet Logs\xDB7D.tmp
c:\windows\Internet Logs\xDB7B.tmp
c:\windows\Internet Logs\xDB7A.tmp
c:\windows\Internet Logs\xDB79.tmp
c:\windows\Internet Logs\xDB78.tmp
c:\windows\Internet Logs\xDB76.tmp
c:\windows\Internet Logs\xDB77.tmp
c:\windows\Internet Logs\xDB75.tmp
c:\windows\Internet Logs\xDB74.tmp
c:\windows\Internet Logs\xDB72.tmp
c:\windows\Internet Logs\xDB73.tmp
c:\windows\Internet Logs\xDB71.tmp
c:\windows\Internet Logs\xDB70.tmp
c:\windows\Internet Logs\xDB6F.tmp
c:\windows\Internet Logs\xDB6E.tmp
c:\windows\Internet Logs\xDB6D.tmp
c:\windows\Internet Logs\xDB6C.tmp
c:\windows\Internet Logs\xDB6B.tmp
c:\windows\Internet Logs\xDB6A.tmp
c:\windows\Internet Logs\xDB69.tmp
c:\windows\Internet Logs\xDB68.tmp
c:\windows\Internet Logs\xDB67.tmp
c:\windows\Internet Logs\xDB66.tmp
c:\windows\Internet Logs\xDB65.tmp
c:\windows\Internet Logs\xDB64.tmp
c:\windows\Internet Logs\xDB63.tmp
c:\windows\Internet Logs\xDB62.tmp
c:\windows\system32\0E0928266D.sys
c:\windows\system32\KGyGaAvL.sys
c:\windows\System32\SVKP.sys
c:\windows\cnerolf.dat
c:\windows\winstart.bat
G:\On.bat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9438a160-f89b-11da-9d0e-00c0df0f6079}]

Driver::
R2 SVKP
S3 kwwalpgr
S4 Abmc8a

WARNING: the script above was written specifically for the infection on this computer. Using it on another machine may cause the user serious problems.

2. Save the file as CFScript.txt;
3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.

Cheers.

PS: Run this with the pen drive connected to the PC.
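As an added example (not code from this thread, from ComboFix or from HijackThis), here is a small Python triage helper that reads the Rn/Sn service lines ComboFix prints in its "Reg Loading Points" section together with a CFScript like the one above, and reports why each driver named under Driver:: looks suspicious. The heuristics (no recorded date/size, no binary path, a binary under a Temp folder or a user profile) are this example's own; the sample lines are copied from the thread's log and the CFScript is a shortened copy of the helper's.

```python
"""Added example (not part of this thread, of ComboFix or of HijackThis):
parse the Rn/Sn service lines ComboFix prints and a CFScript, then explain
why each driver named under Driver:: looks suspicious.  The heuristics are
this example's own; the sample lines are copied from the thread's log."""
import re

# One ComboFix service line: "<state> <name>;<display>;<path> [<date size>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]\s*$"
)
SECTION_RE = re.compile(r"^[A-Za-z]+::$")  # File:: / Registry:: / Driver::

NO_PATH = "no binary path"
NO_INFO = "no date/size recorded (file missing or hidden)"
TEMP_DIR = "binary in a Temp folder"
PROFILE_DIR = "binary under a user profile"

def parse_services(lines):
    """Return one dict per line that matches the ComboFix service format."""
    found = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append({k: v.strip() for k, v in m.groupdict().items()})
    return found

def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections (name -> list of entries)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def flags_for(svc):
    """Reasons a service entry looks like a dead driver or a malware leftover."""
    reasons = []
    if not svc["path"]:
        reasons.append(NO_PATH)
    if not svc["info"]:  # ComboFix prints [] when it cannot stat the binary
        reasons.append(NO_INFO)
    path = svc["path"].lower()
    if "\\temp\\" in path:  # a kernel driver has no business living in %TEMP%
        reasons.append(TEMP_DIR)
    elif "\\docume~1\\" in path or "\\documents and settings\\" in path:
        reasons.append(PROFILE_DIR)
    return reasons

def script_driver_names(cfscript_text):
    # The helper wrote entries like "R2 SVKP"; the service name is the last token.
    return {e.split()[-1].lower()
            for e in parse_cfscript(cfscript_text).get("Driver", [])}

def triage(cfscript_text, log_lines):
    """Map each Driver:: entry (lower-cased) to the reasons found in the log."""
    services = {s["name"].lower(): s for s in parse_services(log_lines)}
    report = {}
    for name in sorted(script_driver_names(cfscript_text)):
        svc = services.get(name)
        report[name] = flags_for(svc) if svc else ["not present in log"]
    return report

def unlisted_suspects(cfscript_text, log_lines):
    """Flagged services the script leaves alone: check by hand, may be legitimate."""
    listed = script_driver_names(cfscript_text)
    return sorted(s["name"] for s in parse_services(log_lines)
                  if s["name"].lower() not in listed and flags_for(s))

# Service lines copied from the ComboFix log posted in this thread.
LOG_LINES = [
    "R0 BsStor;B.H.A Storage Helper Driver;c:\\windows\\system32\\drivers\\BsStor.sys [2004-02-27 9344]",
    "R2 SVKP;SVKP;\\??\\c:\\windows\\System32\\SVKP.sys []",
    "S2 SLEE_503_DRIVER;Steganos Live Encryption Engine (Version 503) [Driver];"
    "\\??\\c:\\windows\\System32\\drivers\\SLEE503.sys []",
    "S3 kwwalpgr;kwwalpgr;\\??\\c:\\docume~1\\Jorge\\DEFINI~1\\Temp\\kwwalpgr.sys []",
    "S4 Abmc8a;Abmc8a; []",
]
# Shortened copy of the helper's CFScript (same sections, fewer File:: entries).
CFSCRIPT = r"""
File::
c:\docume~1\Jorge\DEFINI~1\Temp\kwwalpgr.sys
c:\windows\System32\SVKP.sys
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
Driver::
R2 SVKP
S3 kwwalpgr
S4 Abmc8a
"""
```

Calling `triage(CFSCRIPT, LOG_LINES)` explains all three Driver:: entries, while `unlisted_suspects(CFSCRIPT, LOG_LINES)` returns the Steganos driver, which also has no recorded file info but is a legitimately installed product: exactly the kind of entry a helper checks by hand before adding it to a script.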
jpn2, posted December 30, 2008

Hey jgarcia. Once again, many thanks for your support and your time.

This time the ComboFix analysis was more complicated, because it apparently crashed after finishing the log, leaving the screen blue (for about 6 hours). When I noticed that the disk was no longer being used, I shut the PC down through the appropriate option in the Windows Task Manager, which I opened with Ctrl+Alt+Del. Today I updated ComboFix, made a new log and then ran HijackThis. So I am posting the three logs in the order in which they were made.

LOG-1 from ComboFix

ComboFix 08-12-26.03 - Jorge 2008-12-29 18:50:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.511.233 [GMT 0:00]
Running from: d:\temp\BitTorrent\Torrents\ComboFix.exe
Command switches used :: c:\documents and settings\Jorge\Ambiente de trabalho\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Security Suite Firewall *disabled*
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\docume~1\Jorge\DEFINI~1\Temp\kwwalpgr.sys
c:\documents and settings\Daniela\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Jorge\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Paula\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Sofia\Application Data\GDIPFONTCACHEV1.DAT
c:\windows\cnerolf.dat
c:\windows\Internet Logs\tvDebug.zip
c:\windows\Internet Logs\xDB62.tmp
c:\windows\Internet Logs\xDB63.tmp
c:\windows\Internet Logs\xDB64.tmp
c:\windows\Internet Logs\xDB65.tmp
c:\windows\Internet Logs\xDB66.tmp
c:\windows\Internet Logs\xDB67.tmp
c:\windows\Internet Logs\xDB68.tmp
c:\windows\Internet Logs\xDB69.tmp
c:\windows\Internet Logs\xDB6A.tmp
c:\windows\Internet Logs\xDB6B.tmp
c:\windows\Internet Logs\xDB6C.tmp
c:\windows\Internet Logs\xDB6D.tmp
c:\windows\Internet Logs\xDB6E.tmp
c:\windows\Internet Logs\xDB6F.tmp
c:\windows\Internet Logs\xDB70.tmp
c:\windows\Internet Logs\xDB71.tmp
c:\windows\Internet Logs\xDB72.tmp
c:\windows\Internet Logs\xDB73.tmp
c:\windows\Internet Logs\xDB74.tmp
c:\windows\Internet Logs\xDB75.tmp
c:\windows\Internet Logs\xDB76.tmp
c:\windows\Internet Logs\xDB77.tmp
c:\windows\Internet Logs\xDB78.tmp
c:\windows\Internet Logs\xDB79.tmp
c:\windows\Internet Logs\xDB7A.tmp
c:\windows\Internet Logs\xDB7B.tmp
c:\windows\Internet Logs\xDB7C.tmp
c:\windows\Internet Logs\xDB7D.tmp
c:\windows\Internet Logs\xDB7E.tmp
c:\windows\Internet Logs\xDB7F.tmp
c:\windows\Internet Logs\xDB80.tmp
c:\windows\Internet Logs\xDB81.tmp
c:\windows\Internet Logs\xDB82.tmp
c:\windows\Internet Logs\xDB83.tmp
c:\windows\Internet Logs\xDB84.tmp
c:\windows\Internet Logs\xDB85.tmp
c:\windows\Internet Logs\xDB86.tmp
c:\windows\Internet Logs\xDB87.tmp
c:\windows\Internet Logs\xDB88.tmp
c:\windows\Internet Logs\xDB89.tmp
c:\windows\Internet Logs\xDB8A.tmp
c:\windows\Internet Logs\xDB8B.tmp
c:\windows\Internet Logs\xDB8C.tmp
c:\windows\Internet Logs\xDB8D.tmp
c:\windows\Internet Logs\xDB8E.tmp
c:\windows\Internet Logs\xDB8F.tmp
c:\windows\Internet Logs\xDB90.tmp
c:\windows\Internet Logs\xDB91.tmp
c:\windows\Internet Logs\xDB92.tmp
c:\windows\Internet Logs\xDB93.tmp
c:\windows\Internet Logs\xDB94.tmp
c:\windows\Internet Logs\xDB95.tmp
c:\windows\Internet Logs\xDB96.tmp
c:\windows\Internet Logs\xDB97.tmp
c:\windows\Internet Logs\xDB98.tmp
c:\windows\Internet Logs\xDB99.tmp
c:\windows\Internet Logs\xDB9A.tmp
c:\windows\Internet Logs\xDB9B.tmp
c:\windows\Internet Logs\xDB9C.tmp
c:\windows\Internet Logs\xDB9D.tmp
c:\windows\Internet Logs\xDB9E.tmp
c:\windows\Internet Logs\xDB9F.tmp
c:\windows\Internet Logs\xDBA0.tmp
c:\windows\Internet Logs\xDBA1.tmp
c:\windows\Internet Logs\xDBA2.tmp
c:\windows\Internet Logs\xDBA3.tmp
c:\windows\system32\0E0928266D.sys
c:\windows\system32\config\systemprofile\Definições locais\Histórico\History.IE5\MSHist012008070520080706\index.dat
c:\windows\system32\KGyGaAvL.sys
c:\windows\System32\SVKP.sys
c:\windows\winstart.bat
G:\On.bat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrador\Definições locais\Temporary Internet Files\
c:\documents and settings\Daniela\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Daniela\Definições locais\Temporary Internet Files\
c:\documents and settings\Jorge\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Jorge\Definições locais\Temporary Internet Files\
c:\documents and settings\LocalService\Definições locais\Temporary Internet Files\
c:\documents and settings\NetworkService\Definições locais\Temporary Internet Files\
c:\documents and settings\Paula\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Paula\Definições locais\Temporary Internet Files\
c:\documents and settings\Sofia\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Sofia\Definições locais\Temporary Internet Files\
c:\windows\cnerolf.dat
c:\windows\Internet Logs\tvDebug.zip
c:\windows\Internet Logs\xDB62.tmp
c:\windows\Internet Logs\xDB63.tmp
c:\windows\Internet Logs\xDB64.tmp
c:\windows\Internet Logs\xDB65.tmp
c:\windows\Internet Logs\xDB66.tmp
c:\windows\Internet Logs\xDB67.tmp
c:\windows\Internet Logs\xDB68.tmp
c:\windows\Internet Logs\xDB69.tmp
c:\windows\Internet Logs\xDB6A.tmp
c:\windows\Internet Logs\xDB6B.tmp
c:\windows\Internet Logs\xDB6C.tmp
c:\windows\Internet Logs\xDB6D.tmp
c:\windows\Internet Logs\xDB6E.tmp
c:\windows\Internet Logs\xDB6F.tmp
c:\windows\Internet Logs\xDB70.tmp
c:\windows\Internet Logs\xDB71.tmp
c:\windows\Internet Logs\xDB72.tmp
c:\windows\Internet Logs\xDB73.tmp
c:\windows\Internet Logs\xDB74.tmp
c:\windows\Internet Logs\xDB75.tmp
c:\windows\Internet Logs\xDB76.tmp
c:\windows\Internet Logs\xDB77.tmp
c:\windows\Internet Logs\xDB78.tmp
c:\windows\Internet Logs\xDB79.tmp
c:\windows\Internet Logs\xDB7A.tmp
c:\windows\Internet Logs\xDB7B.tmp
c:\windows\Internet Logs\xDB7C.tmp
c:\windows\Internet Logs\xDB7D.tmp
c:\windows\Internet Logs\xDB7E.tmp
c:\windows\Internet Logs\xDB7F.tmp
c:\windows\Internet Logs\xDB80.tmp
c:\windows\Internet Logs\xDB81.tmp
c:\windows\Internet Logs\xDB82.tmp
c:\windows\Internet Logs\xDB83.tmp
c:\windows\Internet Logs\xDB84.tmp
c:\windows\Internet Logs\xDB85.tmp
c:\windows\Internet Logs\xDB86.tmp
c:\windows\Internet Logs\xDB87.tmp
c:\windows\Internet Logs\xDB88.tmp
c:\windows\Internet Logs\xDB89.tmp
c:\windows\Internet Logs\xDB8A.tmp
c:\windows\Internet Logs\xDB8B.tmp
c:\windows\Internet Logs\xDB8C.tmp
c:\windows\Internet Logs\xDB8D.tmp
c:\windows\Internet Logs\xDB8E.tmp
c:\windows\Internet Logs\xDB8F.tmp
c:\windows\Internet Logs\xDB90.tmp
c:\windows\Internet Logs\xDB91.tmp
c:\windows\Internet Logs\xDB92.tmp
c:\windows\Internet Logs\xDB93.tmp
c:\windows\Internet Logs\xDB94.tmp
c:\windows\Internet Logs\xDB95.tmp
c:\windows\Internet Logs\xDB96.tmp
c:\windows\Internet Logs\xDB97.tmp
c:\windows\Internet Logs\xDB98.tmp
c:\windows\Internet Logs\xDB99.tmp
c:\windows\Internet Logs\xDB9A.tmp
c:\windows\Internet Logs\xDB9B.tmp
c:\windows\Internet Logs\xDB9C.tmp
c:\windows\Internet Logs\xDB9D.tmp
c:\windows\Internet Logs\xDB9E.tmp
c:\windows\Internet Logs\xDB9F.tmp
c:\windows\Internet Logs\xDBA0.tmp
c:\windows\Internet Logs\xDBA1.tmp
c:\windows\Internet Logs\xDBA2.tmp
c:\windows\Internet Logs\xDBA3.tmp
c:\windows\system32\0E0928266D.sys
c:\windows\system32\config\systemprofile\Definições locais\Histórico\History.IE5\MSHist012008070520080706\index.dat
c:\windows\system32\KGyGaAvL.sys
c:\windows\System32\SVKP.sys
c:\windows\winstart.bat
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.
2008-12-26 11:28 . 2008-12-27 15:03 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-25 22:03 . 2008-12-25 22:08 <DIR> d-------- C:\Hijack
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 18:26 --------- d-----w c:\programas\Ficheiros comuns\PestPatrol
2008-12-28 19:39 2,242,560 ----a-w c:\windows\Internet Logs\xDBA6.tmp
2008-12-28 19:37 31,637,792 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-28 13:50 --------- d-----w c:\documents and settings\Jorge\Application Data\Canon
2008-12-28 10:40 2,242,560 ----a-w c:\windows\Internet Logs\xDBA5.tmp
2008-12-27 22:06 413,120 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-27 17:35 894,464 ----a-w c:\windows\Internet Logs\xDBA4.tmp
2008-11-04 19:48 --------- d-----w c:\documents and settings\Paula\Application Data\Canon
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:18 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:03 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-27_17.10.24.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-01 10:27:26 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
+ 2008-12-27 20:17:30 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
- 2008-03-01 10:27:26 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2008-12-27 20:17:34 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-03-01 10:27:26 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2008-12-27 20:17:33 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2008-03-01 10:27:26 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Distiller.exe
+ 2008-12-27 20:17:34 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Distiller.exe
- 2008-03-01 10:27:26 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-12-27 20:17:34 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2008-03-01 10:27:25 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2008-12-27 20:17:30 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2008-12-14 10:40:30 4,212 ---h--w c:\windows\system32\zllictbl.dat
+ 2008-12-27 17:27:01 4,212 ---h--w c:\windows\system32\zllictbl.dat
- 2008-12-27 15:49:15 694,132 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-29 18:45:37 717,288 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-12-25 20:48:39 294,912 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-28 11:54:12 288,768 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\programas\Windows Media Player\WMPNSCFG.exe" [2007-01-05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\programas\Utils\Imagem\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\programas\QuickTime\qttask.exe" [2004-03-21 98304]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2004-03-04 393216]
"Acrobat Assistant 8.0"="c:\programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"AVG8_TRAY"="c:\progra~1\Utils\Virus\AVG8\avgtray.exe" [2008-11-27 1261336]
"ZoneAlarm Client"="c:\programas\Net\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 c:\windows\soundman.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\Logi_MwX.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programas\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ivimp3en"= ivimp3en.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\programas\QuickTime\qttask.exe" -atboottime
"Windows Media Connect 2"="c:\programas\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
"SunJavaUpdateSched"=c:\programas\Java\jre1.5.0_07\bin\jusched.exe
"FinePrint Dispatcher v5"=c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
"FineReader7NewsReaderPro"=c:\programas\Utils\OCR\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programas\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Programas\\Net\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programas\\Utils\\Virus\\AVG8\\avgupd.exe"=
"c:\\Programas\\Utils\\Virus\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programas\\MSN Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-02-27 9344]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-13 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\Utils\Virus\AVG8\avgemc.exe [2008-07-05 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\Utils\Virus\AVG8\avgwdsvc.exe [2008-07-05 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-13 76040]
R2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys []
S2 SLEE_503_DRIVER;Steganos Live Encryption Engine (Version 503) [Driver];\??\c:\windows\System32\drivers\SLEE503.sys []
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\Jorge\DEFINI~1\Temp\kwwalpgr.sys []
S3 scsiscan;Controlador de scanner SCSI;c:\windows\system32\DRIVERS\scsiscan.sys [2005-07-16 11520]
S3 USRUSBCM;U.S. Robotics Cable Modem NDIS Driver;c:\windows\system32\DRIVERS\USR6000.sys [2004-03-28 12398]
S4 Abmc8a;Abmc8a; []
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\programas\Sys\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-21 21:35]

2008-12-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\programas\Symantec\LiveUpdate\NDetect.exe []

2006-03-04 c:\windows\Tasks\XoftSpy.job
- c:\programas\Sys\XoftSpy\XoftSpy.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pt/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: {D062BCF5-F19B-4C14-9C57-6B0F4FED1F1D} = 192.168.2.2

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
c:\windows\Downloaded Program Files\GoPetsWeb.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 19:00:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-29 19:04:56
ComboFix-quarantined-files.txt 2008-12-29 19:04:50
ComboFix2.txt 2008-12-27 17:11:43
Pre-Run: 5.792.169.984 bytes livres
Post-Run: 5,781,356,544 bytes livres
340 --- E O F --- 2008-12-26 10:50:20

LOG-2 from ComboFix

ComboFix 08-12-29.02 - Jorge 2008-12-30 19:12:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.511.243 [GMT 0:00]
Executando de: c:\documents and settings\Jorge\Ambiente de trabalho\ComboFix.exe
* Criado um novo ponto de restauro
.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-11-28 to 2008-12-30 ))))))))))))))))))))))))))))
.
2008-12-29 19:05 . 2008-12-29 19:05 <DIR> d-------- c:\windows\system32\config\systemprofile\Definições locais
2008-12-29 19:05 . 2008-12-29 19:05 <DIR> d-------- c:\documents and settings\Sofia\Definições locais
2008-12-29 19:05 . 2008-12-29 19:05 <DIR> d-------- c:\documents and settings\Paula\Definições locais
2008-12-29 19:05 . 2008-12-29 19:05 <DIR> d-------- c:\documents and settings\NetworkService\Definições locais
2008-12-29 19:05 . 2008-12-29 19:05 <DIR> d-------- c:\documents and settings\LocalService\Definições locais
2008-12-29 19:05 . 2008-12-29 19:05 <DIR> d-------- c:\documents and settings\Jorge\Definições locais
2008-12-29 19:05 . 2008-12-29 19:05 <DIR> d-------- c:\documents and settings\Daniela\Definições locais
2008-12-29 19:05 . 2008-12-29 19:05 <DIR> d-------- c:\documents and settings\Administrador\Definições locais
2008-12-26 11:28 . 2008-12-27 15:03 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-25 22:03 . 2008-12-25 22:08 <DIR> d-------- C:\Hijack
2008-11-22 18:37 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-22 18:34 . 2008-09-04 17:16 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 19:51 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-04 19:50 . 2008-08-14 13:23 2,193,024 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-04 19:50 . 2008-08-14 13:23 2,149,376 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-04 19:50 . 2008-08-14 13:23 2,069,888 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-04 19:50 . 2008-08-14 13:23 2,028,032 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-04 19:50 . 2008-09-15 15:25 1,846,528 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-04 19:50 . 2008-10-15 16:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 10:20 420,992 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-30 10:20 31,637,792 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-29 18:26 --------- d-----w c:\programas\Ficheiros comuns\PestPatrol
2008-12-28 19:39 2,242,560 ----a-w c:\windows\Internet Logs\xDBA6.tmp
2008-12-28 13:50 --------- d-----w c:\documents and settings\Jorge\Application Data\Canon
2008-12-28 10:40 2,242,560 ----a-w c:\windows\Internet Logs\xDBA5.tmp
2008-12-27 17:35 894,464 ----a-w c:\windows\Internet Logs\xDBA4.tmp
2008-11-04 19:48 --------- d-----w c:\documents and settings\Paula\Application Data\Canon
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:18 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:03 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-24 20:47 155,136 ----a-w c:\windows\Internet Logs\xDB61.tmp
2008-09-23 19:39 2,016,256 ----a-w c:\windows\Internet Logs\xDB60.tmp
2008-09-23 18:44 2,016,256 ----a-w c:\windows\Internet Logs\xDB5F.tmp
2008-09-22 20:46 324,608 ----a-w c:\windows\Internet Logs\xDB5E.tmp
2008-09-22 18:03 2,014,208 ----a-w c:\windows\Internet Logs\xDB5D.tmp
2008-09-17 20:19 96,768 ----a-w c:\windows\Internet Logs\xDB5B.tmp
2008-09-17 20:19 2,007,552 ----a-w c:\windows\Internet Logs\xDB5C.tmp
2008-09-16 19:03 60,928 ----a-w c:\windows\Internet Logs\xDB5A.tmp
2008-09-15 21:20 2,079,232 ----a-w c:\windows\Internet Logs\xDB59.tmp
2008-09-15 18:23 2,004,992 ----a-w c:\windows\Internet Logs\xDB58.tmp
2008-09-15 15:25 1,846,528 ----a-w c:\windows\system32\win32k.sys
2008-09-13 11:49 2,002,432 ----a-w c:\windows\Internet Logs\xDB57.tmp
2008-09-12 20:55 102,400 ----a-w c:\windows\Internet Logs\xDB56.tmp
2008-09-11 20:42 99,328 ----a-w c:\windows\Internet Logs\xDB55.tmp
2008-09-10 21:19 175,616 ----a-w c:\windows\Internet Logs\xDB54.tmp
2008-09-10 01:15 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 22:04 1,995,776 ----a-w c:\windows\Internet Logs\xDB53.tmp
2008-09-08 14:47 67,072 ----a-w c:\windows\Internet Logs\xDB52.tmp
2008-09-08 11:11 64,000 ----a-w c:\windows\Internet Logs\xDB51.tmp
2008-09-07 21:16 108,544 ----a-w c:\windows\Internet Logs\xDB50.tmp
2008-09-07 16:20 30,208 ----a-w c:\windows\Internet Logs\xDB4F.tmp
2008-09-07 16:02 93,696 ----a-w c:\windows\Internet Logs\xDB4D.tmp
2008-09-07 16:02 1,989,120 ----a-w c:\windows\Internet Logs\xDB4E.tmp
2008-09-06 10:39 98,304 ----a-w c:\windows\Internet Logs\xDB4C.tmp
2008-09-05 19:14 111,616 ----a-w c:\windows\Internet Logs\xDB4B.tmp
2008-09-04 20:59 65,536 ----a-w c:\windows\Internet Logs\xDB4A.tmp
2008-09-04 17:16 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-03 21:55 68,608 ----a-w c:\windows\Internet Logs\xDB49.tmp
2008-09-03 18:41 148,480 ----a-w c:\windows\Internet Logs\xDB48.tmp
2008-09-02 17:25 103,936 ----a-w c:\windows\Internet Logs\xDB47.tmp
2008-09-02 09:46 1,981,440 ----a-w c:\windows\Internet Logs\xDB46.tmp
2008-09-01 22:08 136,192 ----a-w c:\windows\Internet Logs\xDB45.tmp
.
((((((((((((((((((((((((((((( snapshot@2008-12-27_17.10.24.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-01 10:27:26 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
+ 2008-12-27 20:17:30 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
- 2008-03-01 10:27:26 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2008-12-27 20:17:34 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-03-01 10:27:26 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2008-12-27 20:17:33 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2008-03-01 10:27:26 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Distiller.exe
+ 2008-12-27 20:17:34 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Distiller.exe
- 2008-03-01 10:27:26 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-12-27 20:17:34 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2008-03-01 10:27:25 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2008-12-27 20:17:30 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2008-12-14 10:40:30 4,212 ---h--w c:\windows\system32\zllictbl.dat
+ 2008-12-27 17:27:01 4,212 ---h--w c:\windows\system32\zllictbl.dat
- 2008-12-27 15:49:15 694,132 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-30 18:03:21 721,796 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-12-25 20:05:36 10,558,372 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2008-12-30 09:21:37 10,586,951 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
- 2008-12-25 20:48:39 294,912 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-28 11:54:12 288,768 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\programas\Windows Media Player\WMPNSCFG.exe" [2007-01-05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\programas\Utils\Imagem\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\programas\QuickTime\qttask.exe" [2004-03-21 98304]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2004-03-04 393216]
"Acrobat Assistant 8.0"="c:\programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"AVG8_TRAY"="c:\progra~1\Utils\Virus\AVG8\avgtray.exe" [2008-11-27 1261336]
"ZoneAlarm Client"="c:\programas\Net\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 c:\windows\soundman.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\Logi_MwX.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programas\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ivimp3en"= ivimp3en.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\programas\QuickTime\qttask.exe" -atboottime
"Windows Media Connect 2"="c:\programas\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
"SunJavaUpdateSched"=c:\programas\Java\jre1.5.0_07\bin\jusched.exe
"FinePrint Dispatcher v5"=c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
"FineReader7NewsReaderPro"=c:\programas\Utils\OCR\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programas\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Programas\\Net\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programas\\Utils\\Virus\\AVG8\\avgupd.exe"=
"c:\\Programas\\Utils\\Virus\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programas\\MSN Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-02-27 9344]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-13 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\Utils\Virus\AVG8\avgemc.exe [2008-07-05 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\Utils\Virus\AVG8\avgwdsvc.exe [2008-07-05 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-13 76040]
S2 SLEE_503_DRIVER;Steganos Live Encryption Engine (Version 503) [Driver];\??\c:\windows\System32\drivers\SLEE503.sys []
S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys []
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\Jorge\DEFINI~1\Temp\kwwalpgr.sys []
S3 scsiscan;Controlador de scanner SCSI;c:\windows\system32\DRIVERS\scsiscan.sys [2005-07-16 11520]
S3 USRUSBCM;U.S. Robotics Cable Modem NDIS Driver;c:\windows\system32\DRIVERS\USR6000.sys [2004-03-28 12398]
S4 Abmc8a;Abmc8a; []
.
Conteúdo da pasta 'Tarefas Agendadas'

2008-12-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\programas\Sys\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-21 21:35]

2008-12-30 c:\windows\Tasks\Symantec NetDetect.job
- c:\programas\Symantec\LiveUpdate\NDetect.exe []

2006-03-04 c:\windows\Tasks\XoftSpy.job
- c:\programas\Sys\XoftSpy\XoftSpy.exe []
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.pt/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programas\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: {D062BCF5-F19B-4C14-9C57-6B0F4FED1F1D} = 192.168.2.2

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
c:\windows\Downloaded Program Files\GoPetsWeb.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 19:21:12
Windows 5.1.2600 Service Pack 3 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\avgrsstx.dll
.
Tempo para conclusão: 2008-12-30 19:23:53
ComboFix-quarantined-files.txt 2008-12-30 19:23:46
ComboFix2.txt 2008-12-27 17:11:43
Pré-execução: 5.738.434.560 bytes livres
Pós execução: 5,729,468,416 bytes livres
WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
229 --- E O F --- 2008-12-26 10:50:20

HijackThis LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:01, on 30-12-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Utils\Virus\AVG8\avgwdsvc.exe C:\WINDOWS\System32\drivers\CDAC11BA.EXE C:\WINDOWS\System32\svchost.exe C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programas\DVD\CDBurnerXP\NMSAccessU.exe C:\Programas\Ficheiros comuns\pestpatrol\ppRemoteService.exe C:\WINDOWS\System32\svchost.exe C:\Programas\Ficheiros comuns\pestpatrol\PPMCActiveDetection.exe C:\PROGRA~1\Utils\Virus\AVG8\avgrsx.exe C:\PROGRA~1\Utils\Virus\AVG8\avgemc.exe C:\WINDOWS\Logi_MwX.Exe C:\Programas\Utils\Imagem\OmniPageSE4.0\OpwareSE4.exe C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\WINDOWS\system32\ctfmon.exe C:\Programas\Windows Media Player\WMPNSCFG.exe C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Hijack\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\Utils\Virus\AVG8\avgssie.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Utils\Virus\SPYBOT~1\SDHelper.dll O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - 
C:\Programas\Canon\Easy-WebPrint\EWPBrowseLoader.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_07\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programas\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [OpwareSE4] "C:\Programas\Utils\Imagem\OmniPageSE4.0\OpwareSE4.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /runonce O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Utils\Virus\AVG8\avgtray.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programas\Net\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Programas\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background (User 'Default user') O8 - Extra context menu item: Append to existing PDF - res://C:\Programas\Adobe\Acrobat 
8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programas\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programas\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programas\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programas\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: 
@xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://web.cm-tavira.pt/mapa/cabs/mgaxctrl.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152944695616 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{D062BCF5-F19B-4C14-9C57-6B0F4FED1F1D}: NameServer = 192.168.2.2 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\Utils\Virus\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Utils\Virus\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. 
- C:\PROGRA~1\Utils\Virus\AVG8\avgwdsvc.exe O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NMSAccessU - Unknown owner - C:\Programas\DVD\CDBurnerXP\NMSAccessU.exe O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Programas\Ficheiros comuns\pestpatrol\ppRemoteService.exe O23 - Service: Steganos Live Encryption Engine (Version 503) [service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE503.exe (file missing) O23 - Service: Check Point SecuRemote Service (SR_Service) - Unknown owner - C:\Programas\CheckPoint\SecuRemote\bin\SR_Service.exe (file missing) O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programas\Sys\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 9636 bytes Despeço-me desejando-lhe a si e à sua família um óptimo 2009! Um abraço, JPN2 Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia, posted December 31, 2008

Hi jpn2,

Malwarebytes Anti-Malware is a relatively new product, but it is very effective at removing common infections. The program is small, free and available in Portuguese. Installing it is the first step in cleaning an infected operating system. In this tutorial you will learn how to install and run it.

1) First, download the program: http://www.malwarebytes.org/mbam/program/mbam-setup.exe

2) Now install the program as follows: Run the installer. Right after the installation file runs, the following screen will be shown: Now click Install to finish: When the installation finishes, leave the Update and Launch options checked: The program's update screen will then be shown:

3) This is the program's main screen. Select the Perform full scan option and click the Scan button. Wait until the scan finishes: When the scan completes, this message will be shown: The scan result will be displayed, with the names of the files and malware found. To carry out the cleaning, click Remove Selected: To finish the cleaning, the computer will need to be restarted:

The program stores the scan logs in the folder C:\Documents and Settings\Seu nome de Usuario\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\Logs, which can also be accessed from the Logs tab inside the program.

Come back with the scan result.

Credits: Fabio Assolini. Link to the original post: here.
jpn2, posted December 31, 2008

Hi jgarcia, here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Versão do banco de dados: 1581
Windows 5.1.2600 Service Pack 3

31-12-2008 8:46:28
mbam-log-2008-12-31 (08-46-28).txt

Tipo de Verificação: Rápida
Objetos verificados: 68186
Tempo decorrido: 21 minute(s), 2 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registo infectadas: 0
Valores do Registo infectados: 0
Ítens do Registo infectados: 0
Pastas infectadas: 0
Ficheiros infectados: 2

Processos da Memória infectados:
(Nenhum item malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum item malicioso foi detectado)

Chaves do Registo infectadas:
(Nenhum item malicioso foi detectado)

Valores do Registo infectados:
(Nenhum item malicioso foi detectado)

Ítens do Registo infectados:
(Nenhum item malicioso foi detectado)

Pastas infectadas:
(Nenhum item malicioso foi detectado)

Ficheiros infectados:
C:\Documents and Settings\Jorge\Ambiente de trabalho\Nero 6.6.0.8 Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.ini (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Regards,
JPN2
jgarcia, posted January 8, 2009

Hi jpn2,

Download EliStarA = at the bottom of the page, click the Descargar EliStarA button. I suggest you print or save the steps below, and do not use the internet until the procedure is finished.

Restart in Safe Mode (press the F8 key repeatedly during startup until the menu appears, where you should select Safe Mode). Run EliStarA.exe and wait, as the scan takes a while. When the process finishes, restart and post the log (it will be at C:\infoSat.txt).

Regards.

PS: The pen drive must be connected to the PC. Sorry for the delay, I only got back from a trip yesterday.
jpn2, posted January 14, 2009

Hi JGarcia. Here is the EliStarA log:

Wed Jan 14 21:15:12 2009
EliStartPage v17.79 ©2009 S.G.H. / Satinfo S.L. (Actualizado el 14 de Enero del 2009)
--------------------------------------------------
Lista de Acciones (por Acción Directa):
Eliminados Ficheros Temporales del IE

Wed Jan 14 21:15:34 2009
EliStartPage v17.79 ©2009 S.G.H. / Satinfo S.L. (Actualizado el 14 de Enero del 2009)
--------------------------------------------------
Lista de Acciones (por Exploración):
Explorando "C:\"
C:\Documents and Settings\Jorge\Ambiente de trabalho\Utils\XP KEYFINDER.EXE --> Eliminado, FindKeyXp(dropper)
Nº Total de Directorios: 9770
Nº Total de Ficheros: 170647
Nº de Ficheros Analizados: 33144
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 1

Thanks once again for your support.

Regards,
JPn2
jgarcia, posted January 23, 2009

Hi jpn2,

In your case we used several tools, and it appears your machine is free of infections. Is there still any problem?
Mário Monteiro, posted February 23, 2009

PROBLEM SOLVED! If the author needs the topic to be reopened, just send a Private Message to a Moderator with a link to the topic.