[Resolvido!] Análise de LOG

_And_ · Fevereiro 9, 2009

Hoje quando liguei meu pc apareceu na tela a seguinte mensagem :

"O aplicativo ou a DLL C:\WINDOWS\system32\digeste.dll não é uma imagem válida para o Windows. Compare com o disco de instalação."

Fiz um scaner no HijackThis (versão do proprio forum) e ai esta o LOG... agradeço antecipadamente :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:06:55, on 9/2/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Arquivos de programas\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AhnRpta.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\msauc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\TEMP\A7D8.tmp

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\Office\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll

O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DF5Serv - Faronics Corporation - C:\Arquivos de programas\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - D:\Ahead\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

DigRam · Fevereiro 10, 2009

Boa Tarde! _And_

<@> Baixe: < > ( ...by sUBs )

<@> Salve-o no desktop!

<@> Desabilite as proteções residente de: antivírus,antispywares e firewall. ( Menos o do Windows! )

<@> Feche todas as janelas e execute a ferramenta!

<@> Na solicitação: "Negação de garantia de software" --> Clique em Sim!

<@> Não possuindo o "Console de Recuperação",aceite optar pela instalação do mesmo!

<!> Caso aconteça a notificação de: Aplicativo Win32 inválido,delete a ferramenta e faça,novamente,o download.
<!> Salve-a no desktop,renomeada como: Kombo.exe

<!> Ps: Nomeie durante o salvamento,e não após salvá-la!

<!> Ps: Surgindo alguma mensagem de erro,rode o ComboFix.exe em Modo de Segurança. <-- Link!

<!> Ps: Para completar as remoções,talvez haja necessidade da ferramenta reiniciar o computador. <-- Aguarde!

<!> Ps: Evite executar,voluntariamente,esta ferramenta!Siga,àcima,todas as recomendações propostas.

<@> Abrir-se-á a janela Auto Scan. --> Aguarde!

<@> Àfim de completar as remoções,o ComboFix poderá reiniciar o computador.

<@> Se houver necessidade,digite a opção para continuar! --> ( 1 ) --> Aperte Enter! --> Aguarde a conclusão!

<@> Durante o scan,evite manusear o mouse ou teclado! <-- Importante!

<@> Para parar ou sair do ComboFix,tecle "N" ou "2" --> Aperte Enter!

----------------------------------------

<@> Terminando,poste os relatórios: C:\ComboFix.txt + HijackThis,atualizado.

Abraços!

_And_ · Fevereiro 10, 2009

Mto Boa tarde DigRam , obrigado por me ajudar !

LOG do COMBOFIX

ComboFix 09-02-08.02 - Computador 2009-02-10 13:38:16.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.479.195 [GMT -3:00]

Executando de: c:\documents and settings\Computador\Desktop\ComboFix.exe

AV: avast! antivirus 4.7.1098 [VPS 080919-0] *On-access scanning disabled* (Outdated)

* Criado um novo ponto de restauro

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\08dgu.com

C:\0u.cmd

C:\0w.com

C:\1gk8ha.bat

C:\1u0o8bnq.cmd

C:\1utbfd.bat

C:\2u.com

C:\3rl3lqbq.bat

C:\68.exe

C:\8.bat

C:\9.cmd

C:\9yqusig.bat

C:\abk.bat

C:\Autorun.inf

C:\b.exe

C:\b0j6j16.bat

C:\bo1dhu.bat

C:\e.cmd

C:\ev60a2.cmd

C:\fe.bat

C:\gfqgq.cmd

C:\h3.bat

C:\ij.bat

C:\iky.bat

C:\iqe68o.bat

C:\j60osk9.cmd

C:\lky.exe

C:\m0vnonh.bat

C:\m2nl.bat

C:\n6t1h.cmd

C:\ncyrf.bat

C:\nfdmg.com

C:\nq0cq.cmd

C:\otyh.cmd

C:\p1y2.cmd

C:\pnt.com

C:\pook.com

C:\rcukd.cmd

C:\sq.com

C:\uvsqfgwd.cmd

C:\vva0hc0p.cmd

C:\vxl.exe

c:\windows\msauc.exe

c:\windows\system32\ckvo.exe

c:\windows\system32\ckvo0.dll

c:\windows\system32\ckvo1.dll

c:\windows\system32\crypts.dll

c:\windows\system32\digeste.dll

c:\windows\system32\drivers\str.sys

c:\windows\system32\gasretyw0.dll

c:\windows\system32\gasretyw1.dll

c:\windows\system32\kamsoft.exe

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\olhrwef.exe

c:\windows\system32\shell31.dll

c:\windows\system32\vamsoft.exe

c:\windows\system32\wpv211234115319.cpx

c:\windows\system32\wpv571234115403.cpx

c:\windows\wiaserviv.log

C:\wjlfhtfm.cmd

C:\xih9.cmd

C:\xk2n.bat

C:\yannh.cmd

C:\yew.bat

D:\08dgu.com

D:\0u.cmd

D:\0w.com

D:\1gk8ha.bat

D:\1t6yxlxx.cmd

D:\1u0o8bnq.cmd

D:\1utbfd.bat

D:\2u.com

D:\3rl3lqbq.bat

D:\68.exe

D:\8.bat

D:\9.cmd

D:\9yqusig.bat

D:\a1.bat

D:\abk.bat

D:\Autorun.inf

D:\b.exe

D:\b0j6j16.bat

D:\bo1dhu.bat

D:\e.cmd

D:\ev60a2.cmd

D:\fe.bat

D:\gfqgq.cmd

D:\h3.bat

D:\ij.bat

D:\iky.bat

D:\io.bat

D:\iqe68o.bat

D:\j60osk9.cmd

D:\kk3.bat

D:\lky.exe

D:\m0vnonh.bat

D:\m2nl.bat

D:\n6t1h.cmd

D:\ncyrf.bat

D:\nfdmg.com

D:\nq0cq.cmd

D:\otyh.cmd

D:\p1y2.cmd

D:\pnt.com

D:\pook.com

D:\rcukd.cmd

D:\sq.com

D:\uvsqfgwd.cmd

D:\vva0hc0p.cmd

D:\vxl.exe

D:\wjlfhtfm.cmd

D:\xih9.cmd

D:\xk2n.bat

D:\yannh.cmd

D:\yew.bat

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-10 to 2009-02-10 ))))))))))))))))))))))))))))

.

2009-01-30 13:17 . 2009-01-30 18:29 109,127 -r-hs---- C:\hl80c6b1.com

2009-01-21 14:56 . 2009-01-22 20:10 107,882 -r-hs---- C:\w98.com

2009-01-20 09:06 . 2009-01-20 21:04 108,869 -r-hs---- C:\gy.exe

2009-01-19 19:26 . 2001-09-05 23:20 12,288 --a------ c:\windows\system32\drivers\mouhid.sys

2009-01-19 19:26 . 2001-09-05 23:20 12,288 --a--c--- c:\windows\system32\dllcache\mouhid.sys

2009-01-19 19:26 . 2001-08-17 22:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys

2009-01-19 19:26 . 2001-08-17 22:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys

2009-01-16 18:52 . 2009-01-16 22:39 110,003 -r-hs---- C:\x2csvg.exe

2009-01-15 18:27 . 2004-08-04 00:45 70,144 --a------ c:\windows\AhnRpta.exe

2009-01-15 18:19 . 2009-01-15 19:43 108,940 -r-hs---- C:\ve.exe

2009-01-14 14:37 . 2009-01-14 14:37 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Nero

2009-01-14 14:37 . 2009-01-14 14:40 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\Ahead

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-09 22:25 85,504 --sh--r c:\windows\system32\vbsdfe0.dll

2008-12-26 11:53 85,504 --sh--r c:\windows\system32\vbsdfe1.dll

2008-12-25 20:15 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2008-12-16 18:01 --------- d-----w c:\documents and settings\Computador\Dados de aplicativos\Ahead

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-09 00:24 107,045 --sh--r C:\m9ma.exe

2008-12-09 00:24 107,045 --sh--r C:\6fnlpetp.exe

2008-11-29 13:16 111,636 --sh--r C:\o1.com

2008-11-10 15:10 108,271 --sh--r C:\whi.com

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 1694208]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-23 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]

"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SoundMan"="SOUNDMAN.EXE" [2004-09-16 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "c:\windows\system32\afmain1.dll" [2007-06-13 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]

2004-08-08 08:50 49152 c:\windows\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [2004-08-08 93568]

R3 PSXGamepadEnabler;Psx Hid to Gamepad Port Enabler;c:\windows\system32\drivers\psxpad.sys [2008-01-21 12160]

R3 PsxPortEnumerator;Psx Port Enumerator;c:\windows\system32\drivers\psxenum.sys [2008-01-21 16896]

S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]

S3 XDva068;XDva068;\??\c:\windows\system32\XDva068.sys --> c:\windows\system32\XDva068.sys [?]

S3 XDva081;XDva081;\??\c:\windows\system32\XDva081.sys --> c:\windows\system32\XDva081.sys [?]

S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys --> c:\windows\system32\XDva132.sys [?]

S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]

S3 XDva204;XDva204;\??\c:\windows\system32\XDva204.sys --> c:\windows\system32\XDva204.sys [?]

S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]

S3 XDva220;XDva220;\??\c:\windows\system32\XDva220.sys --> c:\windows\system32\XDva220.sys [?]

S3 XDva221;XDva221;\??\c:\windows\system32\XDva221.sys --> c:\windows\system32\XDva221.sys [?]

S3 XDva223;XDva223;\??\c:\windows\system32\XDva223.sys --> c:\windows\system32\XDva223.sys [?]

S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]

S3 XDva225;XDva225;\??\c:\windows\system32\XDva225.sys --> c:\windows\system32\XDva225.sys [?]

S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f68ad6-cb91-11dd-9ac6-00142a3527d4}]

\Shell\AutoRun\command - G:\m9ma.exe

\Shell\explore\Command - G:\m9ma.exe

\Shell\open\Command - G:\m9ma.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b1c6e4e-9a59-11dd-9a2c-00142a3527d4}]

\Shell\AutoRun\command - G:\hl80c6b1.com

\Shell\open\Command - G:\hl80c6b1.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a92f08-d5ca-11dd-9aec-00142a3527d4}]

\Shell\AutoRun\command - G:\iqe68o.bat

\Shell\explore\Command - G:\iqe68o.bat

\Shell\open\Command - G:\iqe68o.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bad4ad6-c12e-11dd-9aa6-00142a3527d4}]

\Shell\AutoRun\command - G:\iqe68o.bat

\Shell\explore\Command - G:\iqe68o.bat

\Shell\open\Command - G:\iqe68o.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bad4ad7-c12e-11dd-9aa6-00142a3527d4}]

\Shell\AutoRun\command - H:\iqe68o.bat

\Shell\explore\Command - H:\iqe68o.bat

\Shell\open\Command - H:\iqe68o.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2ef8486-d388-11dd-9ae3-00142a3527d4}]

\Shell\AutoRun\command - G:\m9ma.exe

\Shell\explore\Command - G:\m9ma.exe

\Shell\open\Command - G:\m9ma.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2ef8487-d388-11dd-9ae3-00142a3527d4}]

\Shell\AutoRun\command - H:\m9ma.exe

\Shell\explore\Command - H:\m9ma.exe

\Shell\open\Command - H:\m9ma.exe

.

Conteúdo da pasta 'Tarefas Agendadas'

2009-02-10 c:\windows\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

- c:\arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 17:39]

.

- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-vamsoft - c:\windows\system32\vamsoft.exe

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uSearchURL,(Default) = hxxp://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

IE: &Windows Live Search - c:\arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xportar para o Microsoft Excel - d:\office\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-10 13:42:50

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

c:\windows\system32\drivers\str.sys 213024 bytes executable

c:\windows\system32\drivers\mcqavfo.sys 30976 bytes executable

Varredura completada com sucesso

arquivos/ficheiros ocultos: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kfpixqfkwoqkf]

"ImagePath"="\??\c:\windows\system32\drivers\mcqavfo.sys"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\windows\system32\LogonDll.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe

c:\windows\AhnRpta.exe

c:\arquivos de programas\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe

c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-02-10 13:45:35 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-02-10 16:45:31

Pré-execução: 2.124.902.400 bytes disponíveis

Pós execução: 2,141,605,888 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

288 --- E O F --- 2009-01-15 03:25:42

LOG do HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:53:18, on 10/2/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Arquivos de programas\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AhnRpta.exe

C:\Arquivos de programas\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\internet explorer\iexplore.exe