[Arquivado] "csrcs" não inicia!

samea · Fevereiro 17, 2009

Sempre que inicio o pc aparece uma mensagem avisando que o windows não pode encontrar o arquivo "csrcs.exe".

Já ouvi dizer que é um malware. O que devo fazer?

Aproveitando a oportunidade meu pc sempre desliga do nada e as vezes quando inicia aparece a mensagem

not boot failed e pede pra inserir o cd e dar o enter.

Desde já agradeço a ajuda. :cry:

colum4 · Fevereiro 17, 2009

esse arquivo que voce se refere nao faz parte do sistema , ja o csrss ja eh problemativo , entao ...

para resolver voce deve ir em executar > regedit enter

ao abrir o regedit voce vai entrar na opcao editar > procurar enter

vai digita o nome do arquivo e enter

ele vai fazer uma pesquisa no registro e vai encontrar ele . voce pode exluir ele sem medo de ser feliz , logo apos a exclusao , presione F3 para dar continuidade na busca ..

ele deve encontrar novamente outro arquivo voce exlua tambem .. geralmente sao 2 arquivos , mas pode haver mais .. se a busca nao der como finalizada , continue presionando F3 e exluindo

todo arquivo q aparecer , pode ser q haja 3 , eu ja encontrei maquinas assim .. isso ira resolver seu problema .

Mário Monteiro · Fevereiro 17, 2009

post um log conforme topico

http://forum.imasters.com.br/index.php?showtopic=165906

A exclusao diretamente do regedit pode nao ser o mais aconselhavel mas ai é sua escolha

Com o log pode ter uma ajuda mais direcionada se for caso de malware

samea · Fevereiro 18, 2009

post um log conforme topico

http://forum.imasters.com.br/index.php?showtopic=165906

A exclusao diretamente do regedit pode nao ser o mais aconselhavel mas ai é sua escolha

Com o log pode ter uma ajuda mais direcionada se for caso de malware

Aqui estar! :unsure:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:58:44, on 18/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\ARQUIV~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Photodex\ProShowGold\ScsiAccess.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe

C:\HiJack\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: P2P Torrent Toolbar - {bc4be15d-6a34-4356-9e97-79e43da32b1d} - C:\Arquivos de programas\P2P_Torrent\tbP2P_.dll

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Arquivos de programas\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: 734914 helper - {0BD071A6-C989-49E8-9B8E-80F92A868E26} - (no file)

O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll (file missing)

O2 - BHO: superiorads browser optimizer - {2910e755-0574-9ca1-c006-c1ddc75ac7ff} - C:\WINDOWS\system32\zhnybswtguncukti.dll (file missing)

O2 - BHO: ssh2 Class - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: P2P Torrent Toolbar - {bc4be15d-6a34-4356-9e97-79e43da32b1d} - C:\Arquivos de programas\P2P_Torrent\tbP2P_.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll

O2 - BHO: mysidesearch search enhancer - {D1AD53DC-8978-AAAE-31E0-11904F82C145} - C:\WINDOWS\system32\gkulgetcloezejx.dll (file missing)

O3 - Toolbar: P2P Torrent Toolbar - {bc4be15d-6a34-4356-9e97-79e43da32b1d} - C:\Arquivos de programas\P2P_Torrent\tbP2P_.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [mpeg heck log link] C:\Documents and Settings\All Users\Dados de aplicativos\Joy coal mpeg heck\win team.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

O4 - HKCU\..\Run: [RegPowerClean] "C:\Arquivos de programas\Winferno\RegistryPowerCleaner\RegPowerClean.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bowsmove] C:\DOCUME~1\JOO~1\DADOSD~1\CREATI~1\Bolt Slow Dash.exe

O4 - HKCU\..\Run: [Torrent Finder] "C:\Arquivos de programas\Torrent Finder\Torrent-Finder.exe" hmw

O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322)" -"http://clickjogos.uol.com.br/Jogos-online/Esportes/Formula-1/"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.atrativa.com.br/games/applets/p...opcaploader.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: aGbPlugin - C:\WINDOWS\system\GBPlugins.dll

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - c:\firebird\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - c:\firebird\bin\fbserver.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: NNServ - Unknown owner - C:\Arquivos de programas\NewDotNet\nnrun.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ScsiAccess - Unknown owner - C:\Arquivos de programas\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O24 - Desktop Component 0: (no name) - http://by111w.bay111.mail.live.com/att/Get...CA9B283FB06D20|

--

End of file - 11108 bytes

samea · Fevereiro 18, 2009

post um log conforme topico

http://forum.imasters.com.br/index.php?showtopic=165906

A exclusao diretamente do regedit pode nao ser o mais aconselhavel mas ai é sua escolha

Com o log pode ter uma ajuda mais direcionada se for caso de malware

Mais uma coisinha, quando rodei o HiJack, a opção de não mostrar pastas e arquivos ocultos estava selecionada.

Isso atrapalha em algo? :blink:

jgarcia · Fevereiro 21, 2009

Opa samea,

Baixe o ComboFix em:

ComboFix

1) Desabilite o seu anti-vírus temporariamente;

2) Dê um duplo-clique no combofix.exe e aguarde (o processo total demora cerca de 10 minutos);

3) A janela de “NEGAÇÃO DE GARANTIA DO SOFTWARE” abrir-se-á. Leia atentamente o texto contido nesta janela e clique sobre “SIM” para continuar.

PS.: Caso não concorde com os termos clique sobre “NÃO” para sair do software, cabendo lembrar que o processo de desinfecção não será possível sem a continuidade do ComboFix.

4) Outra janela irá abrir, caso a sua máquina não possua o CONSOLE DE RECUPERAÇÃO DO WINDOWS. É recomendável executar a instalação do console ante de dar continuidade ao processo, pois tal ação proporcionará a garantia de que o sistema poderá ser recuperado em caso de problemas durante a varredura.

Clique sobre “SIM” e aguarde, pois o processo de instalação do console dar-se-á automaticamente através do próprio ComboFix. Ele poderá demorar alguns minutos (dependerá da velocidade de sua conexão), portanto seja paciente.

Quando a janela “INSTALANDO O CONSOLE DE RECUPERAÇÃO” aparecer clique em “OK”, depois clique sobre “SIM” para aceitar a licença EULA.

Ao término da instalação do console de recuperação abrir-se-á uma janela avisando que “O CONSOLE DE RECUPERAÇÃO FOI INSTALADA COM SUCESSO”.

Clique sobre “SIM” para continuar a varredura.

5) O ComboFix iniciará o AUTOSCAN (aguarde).

ATENÇÃO: Não clique na janela do ComboFix, nem termine o processo abruptamente enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco).

Ao término do processo a máquina será reiniciada para a emissão do relatório.

6) Ao reiniciar a máquina o ComboFix irá executar o FIND3M para a criação do relatório final da varredura. O log ficará alocado em C:\ComboFix.txt.

7) Reabilite o seu anti-vírus;

8) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta.

OBS.1: Caso apareça uma mensagem avisando que ESTE NÃO É UM APLICATIVO WIN 32 VÁLIDO baixe o ComboFix novamente, mas salve-o em seu Desktop como KomboFix. Em último caso, tente utilizar o ComboFix em MODO SEGURO.

OBS.2: Caso haja um clique sobre a janela do ComboFix em execução, ela irá MAXIMIZAR, sobrepondo-se sobre as demais. Para minimizá-la novamente basta utilizar a combinação ALT + TAB.

Abraços.

samea · Fevereiro 27, 2009

Fiz tudo como você falou, mas ao começar a varredura(que não durou nem 30 seg.) meu pc reiniciou e apareceu uma mensagem da microsoft relatando que o windows teve um problema. E não encontrei o log do combofix.

E agora?

jgarcia · Março 3, 2009

Opa samea,

O Malwarebytes AntiMalware é um produto relativamente novo, porém com grande eficácia na remoção de infecções comuns. O programa é pequeno, gratuito e em português.

A sua instalação é o primeiro passo para a limpeza de um sistema operacional infectado.

Neste tutorial você aprenderá a instalá-lo e executá-lo.

1) Primeiramente faça o download do programa:

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

2) Agora proceda a instalação do programa, conforme segue:

Execute o programa de instalação:

Logo após a execução do arquivo de instalação, será exibida a seguinte tela:

Agora, clique em Instalar para concluir:

Ao término da instalação deixe marcadas as opções de Atualização e Execução:

Será exibida então a tela de atualização do programa:

3) Essa é a tela inicial do programa. Marque a opção Verificação Completa e clique no botão Verificar.

Aguarde até o final da verificação:

Ao concluir a verificação, será exibida essa mensagem:

O resultado da verificação será exibido, com o nome dos arquivos e malwares encontrados.

Para efetivar a limpeza, clique em Remover selecionados:

Para concluir a limpeza haverá a necessidade da reinicialização do computador:

O programa guarda os logs das verificações feitas na pasta C:\Documents and Settings\Seu nome de Usuario\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\Logs, que também pode ser acessados na aba Logs, dentro do programa.

Retorne com o resultado da varredura.

Créditos: Fabio Assolini.

Link para a postagem original: aqui.

samea · Março 9, 2009

Fiz o Procedimento.

Já não aparece mais o a janela sobre o "csrcs"

Aqui esta o log:

Malwarebytes' Anti-Malware 1.34

Versão do banco de dados: 1828

Windows 5.1.2600 Service Pack 3

2009-03-09 05:51:47

mbam-log-2009-03-09 (05-51-47).txt

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 220660

Tempo decorrido: 1 hour(s), 57 minute(s), 50 second(s)

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 56

Valores do Registro infectados: 16

Ítens do Registro infectados: 13

Pastas infectadas: 10

Arquivos infectados: 22

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\iebrowsercmp.browsercmp (Adware.RightOnAds) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\iebrowsercmp.browsercmp.1 (Adware.RightOnAds) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1601d447-7424-4866-8dcc-acf98a2a41e1} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{ceb9c60d-f0ad-4b73-a3ab-4fc822e38d66} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ceb9c60d-f0ad-4b73-a3ab-4fc822e38d66} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1d8282e6-bc4f-469b-aaed-7e4ff077ad93} (Adware.RightOnAds) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c3c0ec2c-2c1c-495c-9ad0-1f0ef833d7b5} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3160f356-e8c3-4de2-a698-92eeeb3d3400} (Adware.RightOnAds) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{43fc67b6-4c25-4afd-ae7a-9ef3e4587026} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6156a32a-c512-4e23-aa9a-2315f4265681} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0bd071a6-c989-49e8-9b8e-80f92a868e26} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa32fc7-133b-4ae7-998e-ced0d9829b12} (Trojan.Dialer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d8282e6-bc4f-469b-aaed-7e4ff077ad93} (Adware.RightOnAds) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fc3c36d-7635-4d43-ba62-0d9d2f2cd06e} (Adware.Fotomoto) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{79f562e5-768c-4494-8e6c-824ada4a9c2c} (Adware.SuperiorAds) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c17e102b-bd29-4e92-b699-1a21d2cb8e6c} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0bd071a6-c989-49e8-9b8e-80f92a868e26} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d8282e6-bc4f-469b-aaed-7e4ff077ad93} (Adware.RightOnAds) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6fc3c36d-7635-4d43-ba62-0d9d2f2cd06e} (Adware.Fotomoto) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dcadssocial (Adware.RightOnAds) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dcads (Adware.Dcads) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2910e755-0574-9ca1-c006-c1ddc75ac7ff} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2910e755-0574-9ca1-c006-c1ddc75ac7ff} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d1ad53dc-8978-aaae-31e0-11904f82c145} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d1ad53dc-8978-aaae-31e0-11904f82c145} (Adware.BHO) -> Quarantined and deleted successfully.

Valores do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.

Ítens do Registro infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s'>http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s'>http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Pastas infectadas:

C:\Arquivos de programas\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\myBar (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\myBar\History (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\myBar\Settings (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt\1.bin (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt\Cache (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt\Settings (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\NewDotNet (Adware.NewDotNet) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\734914 (Trojan.BHO) -> Quarantined and deleted successfully.

Arquivos infectados:

C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

C:\Arquivos de programas\P2P_Torrent\tbP2P1.dll (Adware.Shopper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\myss_sb_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\myBar\History\search (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt\1.bin\PARTNER.DAT (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt\Cache\004002F6 (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt\Cache\00400FF6 (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt\Cache\files.ini (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\MyWay\SrchAstt\Settings\prevcfg.htm (Adware.MyWay) -> Quarantined and deleted successfully.

C:\Arquivos de programas\NewDotNet\readme.html (Adware.NewDotNet) -> Quarantined and deleted successfully.

C:\WINDOWS\Downloaded Program Files\scpsssh2.inf (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\{273b9b6e-4f66-1694-2da2-48276ae4247b}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\{968ca23d-6ef5-c9a0-6a8d-9004e9867165}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\superiorads-uninst.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\DcadsSocial-uninstall.exe (Adware.RightOnAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\João\Dados de aplicativos\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.

C:\WINDOWS\Fonts\blazed.zip (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\Fonts\candy.zip (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\Fonts\download.zip (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\Fonts\fiolex_girls.zip (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\Fonts\mamae_que_nos_faz.zip (Worm.Archive) -> Quarantined and deleted successfully.

:thumbsup: Obrigado!!!

jgarcia · Março 15, 2009

Opa samea,

1. Baixe o BankerFix 3.0.

2. Desative o seu anti-vírus temporariamente.

3. Dê um duplo-clique sobre o bankerfix.exe. A janela do Banker Fix 3.0 abrir-se-á com a seguinte pergunta Instalar o BankerFix 3.0 / Install BankerFix 3.0 ? >> clique em SIM.

4. Uma janela informando que o BankerFix 3.0 será baixado via internet abrir-se-á >> clique sobre OK e aguarde. Na próxima janela clique em OK mais uma vez, a fim de que o BankerFix 3.0 seja iniciado.

5. Pressione qualquer tecla para dar continuidade ao processo e aguarde até que a varredura se complete. Tenha paciência, pois ela pode demorar alguns minutos.

6. Terminado o scan, leia a mensagem na tela e aperte Enter.

7. Habilite o seu anti-vírus.

8. Retorne com o relatorio.txt do BankerFix (ele estará em C:\LinhaDefensiva\).

9. Depois de postar a sua resposta você poderá deletar a pasta LinhaDefensiva contida no C.

Abraços.

PS.: Caso apareça a seguinte mensagem: Site denunciado como foco de ataques!, não se preocupe e clique sobre Ignorar este alerta.

samea · Março 20, 2009

BankerFix 3.0 VALKYRIE

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Data: 2009-03-19 - 23:05

=======================================================

C:\WINDOWS\system\GBPlugins.dll: Arquivo infectado removido com sucesso!

----- Fim -------------------------

jgarcia · Março 20, 2009

Opa samea,

1. Baixe o Kaspersky Virus Removal Tool.

2. O arquivo possui aproximadamente 35 Mb, mas o resultado compensará o trabalho.

3. Reinicie a máquina em Modo Seguro.

4. Execute a ferramenta dando duplo-clique sobre o arquivo baixado.

5. Abrir-se-á a seguinte janela:

6. Marque os diretórios que deseja varrer (é melhor marcar todos).

7. Clique em Scan e aguarde o término do processo.

8. Terminada a varredura, retorne com o resultado.

Abraços.

samea · Março 23, 2009

Opa samea,

1. Baixe o Kaspersky Virus Removal Tool.

2. O arquivo possui aproximadamente 35 Mb, mas o resultado compensará o trabalho.

3. Reinicie a máquina em Modo Seguro.

4. Execute a ferramenta dando duplo-clique sobre o arquivo baixado.

5. Abrir-se-á a seguinte janela:

6. Marque os diretórios que deseja varrer (é melhor marcar todos).

7. Clique em Scan e aguarde o término do processo.

8. Terminada a varredura, retorne com o resultado.

Abraços.

Rodei o programa, mas só achei esse resultado num arquivo XML seria esse?

<?xml version="1.0" encoding="windows-1251" ?>

- <!-- AVZ XML Report

-->

- <AVZ>

- <PROCESS>

</PROCESS>

- <DLL>

</DLL>

- <KERNELOBJ>

</KERNELOBJ>

- <Service>

</Service>

- <Drivers>

</Drivers>

- <AUTORUN>

</AUTORUN>

- <BHO>

</BHO>

- <ExplorerExt>

</ExplorerExt>

- <PrintEXT>

</PrintEXT>

- <TaskScheduler>

</TaskScheduler>

- <DPF>

</DPF>

- <CPL>

</CPL>

- <HOSTS>

</HOSTS>

- <SuspFiles>

</SuspFiles>

- <RK_UM>

</RK_UM>

- <KEYLOGGER>

</KEYLOGGER>

- <WIZARD-TSW>

</WIZARD-TSW>

</AVZ>

samea · Março 23, 2009

E esse outro:

Results of system analysis

Kaspersky Virus Removal Tool 7.0.0.290 (database released 22/03/2009; 14:42)

List of processes

File name PID Description Copyright MD5 Information

c:\windows\explorer.exe

created: 2004-08-04 00:45:34,

modified: 2008-04-13 23:20:58

Command line:

C:\WINDOWS\Explorer.EXE

c:\arquivos de programas\mozilla firefox\firefox.exe

Script: Quarantine, Delete, BC delete, Terminate 2044 Firefox ©Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable. ?? 300.49 kb, rsAh,

created: 2009-02-09 14:22:52,

modified: 2009-03-06 22:30:07

Command line:

c:\documents and settings\joгo\desktop\virus removal tool\is-rmfni\is-rmfni.exe

created: 2009-03-22 15:00:26,

modified: 2008-11-12 13:32:32,

name contains national symbols

Command line:

"C:\Documents and Settings\Joгo\Desktop\Virus Removal Tool\is-RMFNI\is-RMFNI.exe"

c:\windows\system32\lsass.exe

created: 2004-08-04 00:45:36,

modified: 2008-04-13 23:21:05

Command line:

C:\WINDOWS\system32\lsass.exe

c:\windows\system32\svchost.exe

created: 2004-08-04 00:45:44,

modified: 2008-04-13 23:21:20

Command line:

C:\WINDOWS\system32\svchost -k DcomLaunch

c:\windows\system32\svchost.exe

created: 2004-08-04 00:45:44,

modified: 2008-04-13 23:21:20

Command line:

C:\WINDOWS\system32\svchost -k rpcss

c:\windows\system32\svchost.exe

created: 2004-08-04 00:45:44,

modified: 2008-04-13 23:21:20

Command line:

C:\WINDOWS\system32\svchost.exe -k netsvcs

c:\windows\system32\winlogon.exe

created: 2004-08-04 00:45:46,

modified: 2008-04-13 23:21:23

Command line:

winlogon.exe

Detected:15, recognized as trusted 14

Module name Handle Description Copyright MD5 Used by processes

C:\Arquivos de programas\GbPlugin\gbiehcef.dll

C:\Arquivos de programas\Scpad\scpLIB.dll

C:\Arquivos de programas\Scpad\scpMIB.dll

C:\Arquivos de programas\Scpad\sshib.dll

C:\WINDOWS\system32\alf2cd.acm

C:\WINDOWS\system32\avgrsstx.dll

C:\WINDOWS\system32\msacm32.drv

C:\WINDOWS\system32\msg711.acm

C:\WINDOWS\system32\msg723.acm

C:\WINDOWS\system32\msgsm32.acm

C:\WINDOWS\system32\scg726.acm

C:\WINDOWS\system32\serwvdrv.dll

C:\WINDOWS\system32\sirenacm.dll

C:\WINDOWS\system32\tsd32.dll

Script: Quarantine, Delete, BC delete 1941045248 -- 932, 1556, 320

C:\WINDOWS\system32\tssoft32.acm

Script: Quarantine, Delete, BC delete 1483538432 Codec de бudio DSP Group TrueSpeech para MSACM V3.50 Copyright DSP Group, Inc. 1993-1996 -- 932, 1556, 320

C:\WINDOWS\system32\umdmxfrm.dll

C:\WINDOWS\system32\WgaLogon.dll

Modules detected:255, recognized as trusted 238

Kernel Space Modules Viewer

Module Base address Size in memory Description Manufacturer

C:\WINDOWS\System32\Drivers\aex3mvvn.SYS

Script: Quarantine, Delete, BC delete F9159000 066000 (417792)

dmload.sys

Script: Quarantine, Delete, BC delete F9A93000 002000 (8192)

C:\WINDOWS\System32\Drivers\dump_atapi.sys

Script: Quarantine, Delete, BC delete F8FEA000 018000 (98304)

C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Script: Quarantine, Delete, BC delete F9AC1000 002000 (8192)

C:\WINDOWS\System32\Drivers\ElbyDelay.sys

ftdisk.sys

Script: Quarantine, Delete, BC delete F940C000 01F000 (126976)

C:\WINDOWS\system32\Drivers\GbpKm.sys

Script: Quarantine, Delete, BC delete F9825000 007000 (28672) GbPlugin Device Driver ® GAS Tecnologia

PCIIde.sys

Script: Quarantine, Delete, BC delete F9B55000 001000 (4096)

C:\WINDOWS\system32\Drivers\sptd.sys

Script: Quarantine, Delete, BC delete F9482000 0EA000 (958464)

Modules detected - 73, recognized as trusted - 64

Services

Service Description Status File Group Dependencies

AresChatServer

Service: Stop, Delete, Disable Ares Chatroom server Not started C:\Arquivos de programas\Ares\chatServer.exe

Script: Quarantine, Delete, BC delete

avg8wd

Service: Stop, Delete, Disable AVG Free8 WatchDog Not started C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

Script: Quarantine, Delete, BC delete

GbpSv

Service: Stop, Delete, Disable Gbp Service Not started C:\ARQUIV~1\GbPlugin\GbpSv.exe

Script: Quarantine, Delete, BC delete GbPlugin Group

NMIndexingService

Service: Stop, Delete, Disable NMIndexingService Not started C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

Script: Quarantine, Delete, BC delete RPCSS

NNServ

Service: Stop, Delete, Disable NNServ Not started C:\Arquivos de programas\NewDotNet\nnrun.exe

Script: Quarantine, Delete, BC delete

Pml Driver HPZ12

Service: Stop, Delete, Disable Pml Driver HPZ12 Not started C:\WINDOWS\system32\HPZipm12.exe

Script: Quarantine, Delete, BC delete

RSVP

Service: Stop, Delete, Disable QoS RSVP Not started C:\WINDOWS\system32\rsvp.exe

Script: Quarantine, Delete, BC delete TcpIp

Detected - 104, recognized as trusted - 97

Drivers

Service Description Status File Group Dependencies

Beep

Driver: Unload, Delete, Disable Beep Running Beep.sys

Script: Quarantine, Delete, BC delete Base

ElbyDelay

Driver: Unload, Delete, Disable ElbyDelay Running C:\WINDOWS\system32\Drivers\ElbyDelay.sys

Script: Quarantine, Delete, BC delete

Ftdisk

Driver: Unload, Delete, Disable Volume Manager Driver Running C:\WINDOWS\system32\DRIVERS\ftdisk.sys

Script: Quarantine, Delete, BC delete System Bus Extender

GbpKm

Driver: Unload, Delete, Disable Gbp KernelMode Running C:\WINDOWS\system32\drivers\GbpKm.sys

Script: Quarantine, Delete, BC delete GbPlugin Group

Null

Driver: Unload, Delete, Disable Null Running Null.sys

Script: Quarantine, Delete, BC delete Base

PCIIde

Driver: Unload, Delete, Disable PCIIde Running PCIIde.sys

Script: Quarantine, Delete, BC delete System Bus Extender

sptd

Driver: Unload, Delete, Disable sptd Running C:\WINDOWS\System32\Drivers\sptd.sys

Script: Quarantine, Delete, BC delete Boot Bus Extender

Abiosdsk

Driver: Unload, Delete, Disable Abiosdsk Not started Abiosdsk.sys

Script: Quarantine, Delete, BC delete Primary disk

abp480n5

Driver: Unload, Delete, Disable abp480n5 Not started abp480n5.sys

Script: Quarantine, Delete, BC delete SCSI miniport

ACPIEC

Driver: Unload, Delete, Disable ACPIEC Not started ACPIEC.sys

Script: Quarantine, Delete, BC delete Boot Bus Extender

adpu160m

Driver: Unload, Delete, Disable adpu160m Not started adpu160m.sys

Script: Quarantine, Delete, BC delete SCSI miniport

Aha154x

Driver: Unload, Delete, Disable Aha154x Not started Aha154x.sys

Script: Quarantine, Delete, BC delete SCSI miniport

aic78u2

Driver: Unload, Delete, Disable aic78u2 Not started aic78u2.sys

Script: Quarantine, Delete, BC delete SCSI miniport

aic78xx

Driver: Unload, Delete, Disable aic78xx Not started aic78xx.sys

Script: Quarantine, Delete, BC delete SCSI miniport

AliIde

Driver: Unload, Delete, Disable AliIde Not started AliIde.sys

Script: Quarantine, Delete, BC delete System Bus Extender

amsint

Driver: Unload, Delete, Disable amsint Not started amsint.sys

Script: Quarantine, Delete, BC delete SCSI miniport

asc

Driver: Unload, Delete, Disable asc Not started asc.sys

Script: Quarantine, Delete, BC delete SCSI miniport

asc3350p

Driver: Unload, Delete, Disable asc3350p Not started asc3350p.sys

Script: Quarantine, Delete, BC delete SCSI miniport

asc3550

Driver: Unload, Delete, Disable asc3550 Not started asc3550.sys

Script: Quarantine, Delete, BC delete SCSI miniport

Atdisk

Driver: Unload, Delete, Disable Atdisk Not started Atdisk.sys

Script: Quarantine, Delete, BC delete Primary disk

AvgLdx86

Driver: Unload, Delete, Disable AVG Free AVI Loader Driver x86 Not started C:\WINDOWS\System32\Drivers\avgldx86.sys

Script: Quarantine, Delete, BC delete AVG

AvgMfx86

Driver: Unload, Delete, Disable AVG Free On-access Scanner Minifilter Driver x86 Not started C:\WINDOWS\System32\Drivers\avgmfx86.sys

Script: Quarantine, Delete, BC delete AVG

AvgTdiX

Driver: Unload, Delete, Disable AVG Free8 Network Redirector Not started C:\WINDOWS\System32\Drivers\avgtdix.sys

Script: Quarantine, Delete, BC delete PNP_TDI

cbidf2k

Driver: Unload, Delete, Disable cbidf2k Not started cbidf2k.sys

Script: Quarantine, Delete, BC delete SCSI miniport

cd20xrnt

Driver: Unload, Delete, Disable cd20xrnt Not started cd20xrnt.sys

Script: Quarantine, Delete, BC delete SCSI miniport

Cdaudio

Driver: Unload, Delete, Disable Cdaudio Not started Cdaudio.sys

Script: Quarantine, Delete, BC delete Filter

Changer

Driver: Unload, Delete, Disable Changer Not started Changer.sys

Script: Quarantine, Delete, BC delete Filter

CmdIde

Driver: Unload, Delete, Disable CmdIde Not started CmdIde.sys

Script: Quarantine, Delete, BC delete System Bus Extender

Cpqarray

Driver: Unload, Delete, Disable Cpqarray Not started Cpqarray.sys

Script: Quarantine, Delete, BC delete SCSI miniport

dac960nt

Driver: Unload, Delete, Disable dac960nt Not started dac960nt.sys

Script: Quarantine, Delete, BC delete SCSI miniport

dpti2o

Driver: Unload, Delete, Disable dpti2o Not started dpti2o.sys

Script: Quarantine, Delete, BC delete SCSI miniport

dump_wmimmc

Driver: Unload, Delete, Disable dump_wmimmc Not started C:\Documents and Settings\Joгo\Desktop\Grand Chase\GameGuard\dump_wmimmc.sys

Script: Quarantine, Delete, BC delete

ElbyCDIO

Driver: Unload, Delete, Disable ElbyCDIO Driver Not started C:\WINDOWS\system32\Drivers\ElbyCDIO.sys

Script: Quarantine, Delete, BC delete

hpn

Driver: Unload, Delete, Disable hpn Not started hpn.sys

Script: Quarantine, Delete, BC delete SCSI miniport

i2omgmt

Driver: Unload, Delete, Disable i2omgmt Not started i2omgmt.sys

Script: Quarantine, Delete, BC delete SCSI Class

i2omp

Driver: Unload, Delete, Disable i2omp Not started i2omp.sys

Script: Quarantine, Delete, BC delete SCSI miniport

ini910u

Driver: Unload, Delete, Disable ini910u Not started ini910u.sys

Script: Quarantine, Delete, BC delete SCSI miniport

lbrtfdc

Driver: Unload, Delete, Disable lbrtfdc Not started lbrtfdc.sys

Script: Quarantine, Delete, BC delete System Bus Extender

mnmdd

Driver: Unload, Delete, Disable mnmdd Not started mnmdd.sys

Script: Quarantine, Delete, BC delete Video Save

mraid35x

Driver: Unload, Delete, Disable mraid35x Not started mraid35x.sys

Script: Quarantine, Delete, BC delete SCSI miniport

ParVdm

Driver: Unload, Delete, Disable ParVdm Not started ParVdm.sys

Script: Quarantine, Delete, BC delete Extended base Parport

PCIDump

Driver: Unload, Delete, Disable PCIDump Not started PCIDump.sys

Script: Quarantine, Delete, BC delete PCI Configuration

PDCOMP

Driver: Unload, Delete, Disable PDCOMP Not started PDCOMP.sys

Script: Quarantine, Delete, BC delete

PDFRAME

Driver: Unload, Delete, Disable PDFRAME Not started PDFRAME.sys

Script: Quarantine, Delete, BC delete

PDRELI

Driver: Unload, Delete, Disable PDRELI Not started PDRELI.sys

Script: Quarantine, Delete, BC delete

PDRFRAME

Driver: Unload, Delete, Disable PDRFRAME Not started PDRFRAME.sys

Script: Quarantine, Delete, BC delete

perc2

Driver: Unload, Delete, Disable perc2 Not started perc2.sys

Script: Quarantine, Delete, BC delete SCSI miniport

perc2hib

Driver: Unload, Delete, Disable perc2hib Not started perc2hib.sys

Script: Quarantine, Delete, BC delete Filter

ProCam Usb

Driver: Unload, Delete, Disable ProCam Digital Camera on USB Not started C:\WINDOWS\system32\DRIVERS\CoachUsb.sys

Script: Quarantine, Delete, BC delete

ql1080

Driver: Unload, Delete, Disable ql1080 Not started ql1080.sys

Script: Quarantine, Delete, BC delete SCSI miniport

Ql10wnt

Driver: Unload, Delete, Disable Ql10wnt Not started Ql10wnt.sys

Script: Quarantine, Delete, BC delete SCSI miniport

ql12160

Driver: Unload, Delete, Disable ql12160 Not started ql12160.sys

Script: Quarantine, Delete, BC delete SCSI miniport

ql1240

Driver: Unload, Delete, Disable ql1240 Not started ql1240.sys

Script: Quarantine, Delete, BC delete SCSI miniport

ql1280

Driver: Unload, Delete, Disable ql1280 Not started ql1280.sys

Script: Quarantine, Delete, BC delete SCSI miniport

Simbad

Driver: Unload, Delete, Disable Simbad Not started Simbad.sys

Script: Quarantine, Delete, BC delete Filter

Sparrow

Driver: Unload, Delete, Disable Sparrow Not started Sparrow.sys

Script: Quarantine, Delete, BC delete SCSI miniport

sym_hi

Driver: Unload, Delete, Disable sym_hi Not started sym_hi.sys

Script: Quarantine, Delete, BC delete SCSI miniport

sym_u3

Driver: Unload, Delete, Disable sym_u3 Not started sym_u3.sys

Script: Quarantine, Delete, BC delete SCSI miniport

symc810

Driver: Unload, Delete, Disable symc810 Not started symc810.sys

Script: Quarantine, Delete, BC delete SCSI miniport

symc8xx

Driver: Unload, Delete, Disable symc8xx Not started symc8xx.sys

Script: Quarantine, Delete, BC delete SCSI miniport

TosIde

Driver: Unload, Delete, Disable TosIde Not started TosIde.sys

Script: Quarantine, Delete, BC delete System Bus Extender

ultra

Driver: Unload, Delete, Disable ultra Not started ultra.sys

Script: Quarantine, Delete, BC delete SCSI miniport

ViaIde

Driver: Unload, Delete, Disable ViaIde Not started ViaIde.sys

Script: Quarantine, Delete, BC delete System Bus Extender

WDICA

Driver: Unload, Delete, Disable WDICA Not started WDICA.sys

Script: Quarantine, Delete, BC delete

Detected - 191, recognized as trusted - 127

Autoruns

File name Status Startup method Description

Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Narrator, Application path

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, AVG8_TRAY

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-21-1960408961-682003330-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\, C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk,

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, HP Software Update

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SunJavaUpdateSched

C:\Arquivos de programas\Scpad\scpLIB.dll

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, {A3717295-941D-416F-9384-ED1736729F1C}

C:\Arquivos de programas\Scpad\scpLIB.dll

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, CompIBBrd

C:\Arquivos de programas\Torrent Finder\Torrent-Finder.exe

Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-21-1960408961-682003330-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run, Torrent Finder

C:\Arquivos de programas\Winferno\RegistryPowerCleaner\RegPowerClean.exe

Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-21-1960408961-682003330-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run, RegPowerClean

C:\DOCUME~1\JOO~1\DADOSD~1\CREATI~1\Bolt Slow Dash.exe

Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-21-1960408961-682003330-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run, bowsmove

C:\Documents and Settings\All Users\Dados de aplicativos\Joy coal mpeg heck\win team.exe

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, mpeg heck log link

C:\WINDOWS\system32\dfrg.msc %c:

Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath,

C:\WINDOWS\system\GBPlugins.dll

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ aGbPlugin, DLLName

WgaLogon.dll

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon, DLLName

avgrsstx.dll

Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter, DLLName

Autoruns items detected - 74, recognized as trusted - 58

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name Type Description Manufacturer CLSID

C:\Arquivos de programas\HP\Smart Web Printing\hpswp_printenhancer.dll

Delete

C:\Arquivos de programas\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL

Script: Quarantine, Delete, BC delete BHO {04079851-5845-4dea-848C-3ECD647AA554}

Delete

C:\Arquivos de programas\HP\Smart Web Printing\hpswp_framework.dll

Delete

C:\Arquivos de programas\Scpad\scpsssh2.dll

Delete

C:\Arquivos de programas\AVG\AVG8\avgssie.dll

Delete

C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

Delete

BHO {7E853D72-626A-48EC-A868-BA8D5E23E045}

Delete

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

Delete

C:\Arquivos de programas\GbPlugin\gbiehcef.dll

Delete

Extension module {58ECB495-38F0-49cb-A538-10282ABF65E7}

Delete

Extension module {700259D7-1666-479a-93B1-3250410481E8}

Delete

Elements detected - 14, recognized as trusted - 3

Windows Explorer extension modules

File name Destination Description Manufacturer CLSID

icmui.dll

Script: Quarantine, Delete, BC delete Gerenciamento de scanner ICM DLL da interface com o usuбrio do sistema de correspondкncia de cores Microsoft © Microsoft Corporation. Todos os direitos reservados. {176d6597-26d3-11d1-b350-080036a75b03}

docprop.dll

Script: Quarantine, Delete, BC delete Pбgina de propriedades do arquivo de documento OLE Pбgina de propriedades do arquivo de documento OLE © Microsoft Corporation. Todos os direitos reservados. {3EA48300-8CF6-101B-84FB-666CCB9BCD32}

deskadp.dll

Script: Quarantine, Delete, BC delete Extensгo do 'Painel de controle' para adaptador de vнdeo Propriedades avanзadas de adaptador de vнdeo © Microsoft Corporation. Todos os direitos reservados. {42071712-76d4-11d1-8b24-00a0c9068ff3}

deskmon.dll

Script: Quarantine, Delete, BC delete Extensгo do 'Painel de controle' para monitor de vнdeo Propriedades avanзadas de monitor © Microsoft Corporation. Todos os direitos reservados. {42071713-76d4-11d1-8b24-00a0c9068ff3}

Extensгo do 'Painel de controle' para panorвmica de vнdeo {42071714-76d4-11d1-8b24-00a0c9068ff3}

ntlanui2.dll

Script: Quarantine, Delete, BC delete Extensхes do shell para objetos Microsoft Windows Network Objeto de rede do shell da interface de usuбrio © Microsoft Corporation. Todos os direitos reservados. {59be4990-f85c-11ce-aff7-00aa003ca9f6}

C:\WINDOWS\System32\icmui.dll

Script: Quarantine, Delete, BC delete Gerenciamento de monitor ICM DLL da interface com o usuбrio do sistema de correspondкncia de cores Microsoft © Microsoft Corporation. Todos os direitos reservados. {5DB2625A-54DF-11D0-B6C4-0800091AA605}

C:\WINDOWS\system32\icmui.dll

Script: Quarantine, Delete, BC delete Gerenciamento de impressora ICM DLL da interface com o usuбrio do sistema de correspondкncia de cores Microsoft © Microsoft Corporation. Todos os direitos reservados. {675F097E-4C4D-11D0-B6C1-0800091AA605}

Extensхes do shell para compactaзгo de arquivos {764BF0E1-F219-11ce-972D-00AA00A14F56}

Menu de contexto de criptografia {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}

C:\WINDOWS\system32\hticons.dll

C:\WINDOWS\system32\icmui.dll

Script: Quarantine, Delete, BC delete Perfil ICC DLL da interface com o usuбrio do sistema de correspondкncia de cores Microsoft © Microsoft Corporation. Todos os direitos reservados. {DBCE2480-C732-101B-BE72-BA78E9AD5B27}

deskperf.dll

Script: Quarantine, Delete, BC delete Display TroubleShoot CPL Extension Propriedades avanзadas de desempenho de vнdeo © Microsoft Corporation. Todos os direitos reservados. {f92e8c40-3d33-11d2-b1aa-080036a75b03}

Barra de tarefas e menu Iniciar {0DF44EAA-FF21-4412-828E-260A8728E7F1}

rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}

Script: Quarantine, Delete, BC delete Autoplay for SlideShow {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}

Contas de usuбrio {7A9D77BD-5403-11d2-8785-2E0420524153}

C:\Arquivos de programas\Microsoft Office\Office10\OLKFSTUB.DLL

Script: Quarantine, Delete, BC delete Microsoft Outlook Custom Icon Handler Outlook Shell Hook for Start/Find Copyright© Microsoft Corporation 1995-2001. Todos os direitos reservados. {0006F045-0000-0000-C000-000000000046}

CorelDRAW Shell Extension Component

C:\WINDOWS\system32\mscoree.dll

Shell Extension for Malware scanning {45AC2688-0253-4ED8-97DE-B5370FA7D48A}

C:\Arquivos de programas\GbPlugin\gbiehcef.dll

C:\Arquivos de programas\AVG\AVG8\avgse.dll

AVG8 Find Extension {9F97547E-460A-42C5-AE0C-81C61FFAEBC3}

Elements detected - 206, recognized as trusted - 183

Printing system extensions (print monitors, providers)

File name Type Name Description Manufacturer

C:\WINDOWS\system32\hpz3l054.dll

Elements detected - 10, recognized as trusted - 9

Task Scheduler jobs

File name Job name Job status Description Manufacturer

c:\docume~1\joo~1\dadosd~1\creati~1\pokeviewfunk.exe

Script: Quarantine, Delete, BC delete BC5747FE9388E1CE.job The task is ready to run at its next scheduled time.

C:\Arquivos de programas\Winferno\RegistryPowerCleaner\RegPowerClean.exe

Script: Quarantine, Delete, BC delete rpc.job The task has not yet run.

Elements detected - 2, recognized as trusted - 0

SPI/LSP settings

Namespace providers (NSP)

Manufacturer Status EXE file Description GUID

Detected - 3, recognized as trusted - 3

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description

Detected - 15, recognized as trusted - 15

Results of automatic SPI settings check

LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes

TCP ports

UDP ports

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL

Microsoft XML Parser for Java

Delete file://C:\WINDOWS\Java\classes\xmldso.cab

C:\WINDOWS\Downloaded Program Files\msgrchkr.dll

Delete http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

Delete http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}

Delete http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab

C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dll

Delete http://game14.zylom.com/activex/zylomgamesplayer.cab

C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll

Delete http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

Delete http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

Delete http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

Delete http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

Delete http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

C:\Arquivos de programas\Java\jre1.6.0_07\bin\npjpi160_07.dll

Delete http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

C:\Arquivos de programas\GbPlugin\GbpDist.dll

Delete https://imagem.caixa.gov.br/cab/gbpdist.cab

Elements detected - 12, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer

C:\WINDOWS\system32\ImageDrive.cpl

Script: Quarantine, Delete, BC delete

C:\WINDOWS\system32\ISUSPM.cpl

C:\WINDOWS\system32\javacpl.cpl

C:\WINDOWS\system32\main.cpl

C:\WINDOWS\system32\ncpa.cpl

C:\WINDOWS\system32\nwc.cpl

C:\WINDOWS\system32\telephon.cpl

Elements detected - 28, recognized as trusted - 21

Active Setup

File name Description Manufacturer CLSID

Elements detected - 15, recognized as trusted - 15

HOSTS file

Hosts file record

127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID

C:\WINDOWS\system32\mscoree.dll

C:\Arquivos de programas\AVG\AVG8\avgpp.dll

Script: Quarantine, Delete, BC delete Handler Safe Search pluggable protocol (linkscanner: ExPLabs.com Pluggable Protocol) Copyright © 2008 AVG Technologies CZ, s.r.o. {F274614C-63F8-47D5-A4D1-FBDDE494F8D1}

Elements detected - 33, recognized as trusted - 29

Suspicious objects

File Description Type

C:\WINDOWS\system32\serwvdrv.dll

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\umdmxfrm.dll

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\msacm32.drv

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\msg711.acm

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\msgsm32.acm

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\tssoft32.acm

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\tsd32.dll

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\msg723.acm

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\sirenacm.dll

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\scg726.acm

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\alf2cd.acm

Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"

System Restore: enabled

System booted in Safe Mode

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42

Hook kernel32.dll:CreateProcessA (99) blocked

Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040

Hook kernel32.dll:CreateProcessW (103) blocked

Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC

Hook kernel32.dll:FreeLibrary (241) blocked

Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB

Hook kernel32.dll:GetModuleFileNameA (373) blocked

Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0

Hook kernel32.dll:GetModuleFileNameW (374) blocked

Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648

Hook kernel32.dll:GetProcAddress (409) blocked

Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F

Hook kernel32.dll:LoadLibraryA (581) blocked

>>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)

Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF

Hook kernel32.dll:LoadLibraryExA (582) blocked

>>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)

Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A

Hook kernel32.dll:LoadLibraryExW (583) blocked

Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C

Hook kernel32.dll:LoadLibraryW (584) blocked

IAT modification detected: LoadLibraryW - 00B40010<>7C80AEDB

Analysis: ntdll.dll, export table found in section .text

Analysis: user32.dll, export table found in section .text

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Analysis: wininet.dll, export table found in section .text

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks

Driver loaded successfully

Driver communication failure [00000002] - [1]

1.4 Searching for masking processes and drivers

Checking not performed: extended monitoring driver (AVZPM) is not installed

Driver loaded successfully

Driver communication failure [00000002] - [1]

C:\WINDOWS\system32\serwvdrv.dll --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\serwvdrv.dll>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\umdmxfrm.dll --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\umdmxfrm.dll>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\msacm32.drv --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\msacm32.drv>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\msg711.acm --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\msg711.acm>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\msgsm32.acm --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\msgsm32.acm>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\tssoft32.acm --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\tssoft32.acm>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\tsd32.dll --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\tsd32.dll>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\msg723.acm --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\msg723.acm>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\sirenacm.dll --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\sirenacm.dll>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\scg726.acm --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\scg726.acm>>> Behavioral analysis

Behaviour typical for keyloggers not detected

C:\WINDOWS\system32\alf2cd.acm --> Suspicion for Keylogger or Trojan DLL

C:\WINDOWS\system32\alf2cd.acm>>> Behavioral analysis

Behaviour typical for keyloggers not detected

Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs

>> Services: potentially dangerous service allowed: RemoteRegistry (Registro remoto)

>> Services: potentially dangerous service allowed: TermService (Serviзos de terminal)

>> Services: potentially dangerous service allowed: SSDPSRV (Serviзo de descoberta SSDP)

>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)

>> Services: potentially dangerous service allowed: mnmsrvc (Compartilhamento remoto da бrea de trabalho do NetMeeting)

>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessгo de ajuda de бrea de trabalho remota)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

>> Security: sending Remote Assistant queries is enabled

>> Disable HDD autorun

>> Disable autorun from network drives

>> Disable CD/DVD autorun

>> Disable removable media autorun

System Analysis in progress

Script commands

Add commands to script:

* Blocking hooks using Anti-Rootkit

* Enable AVZGuard

* BootCleaner - import list of deleted files

* Registry cleanup after deleting files

* BootCleaner - activate

* Reboot

* Insert template for QuarantineFile() - quarantining file

* Insert template for BC_QrFile() - quarantining file via BootCleaner

* Insert template for DeleteFile() - deleting file

* Insert template for DelCLSID() - deleting CLSID item from registry

Additional operations:

* Performance tweaking: disable service RemoteRegistry (Registro remoto)

* Performance tweaking: disable service TermService (Serviзos de terminal)

* Performance tweaking: disable service SSDPSRV (Serviзo de descoberta SSDP)

* Performance tweaking: disable service Schedule (Agendador de tarefas)

* Performance tweaking: disable service mnmsrvc (Compartilhamento remoto da бrea de trabalho do NetMeeting)

* Performance tweaking: disable service RDSessMgr (Gerenciador de sessгo de ajuda de бrea de trabalho remota)

* Security tweaking: disable CD autorun

* Security tweaking: disable administrative shares

* Security tweaking: disable anonymous user access

* Security: disable sending Remote Assistant queries

File list

jgarcia · Março 26, 2009

Opa samea,

Desative o seu anti-vírus temporariamente.

Execute um Scan Online com o Kasperky Virusscanner.

* Clique em ;

* Quando questionado sobre a instalação do ActiveX, clique sobre ;

* Aguarde a instalação e a atualização. Depois clique em ;

* Clique agora sobre ;

* Nas opções do scan (settings), certifique-se de que as entradas abaixo estão selecionadas:

Scan using the following Anti-Virus database:
Extended (if available otherwise Standard).
Scan Options:
Scan Archives Scan Mail Bases

* Clique em ;

* Clique em My Computer para que seja feito um scan completo em seu sistema;

* Será iniciado o scan e a varredura poderá demorar um pouco. Seja paciente e aguarde;

* No final do scan, clique no botão Save as Text;

* Salve o log com os resultados e cole o conteúdo em sua próxima mensagem.

Abraços.

Mário Monteiro · Abril 27, 2009

Tópico Arquivado

Como o autor não respondeu por mais de 30 dias, o tópico foi arquivado.

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.

Arquivado

[Arquivado] "csrcs" não inicia!

Recommended Posts

samea 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

colum4 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

Mário Monteiro 179

Compartilhar este post

Link para o post

Compartilhar em outros sites

samea 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

samea 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

jgarcia 1

Compartilhar este post

Link para o post

Compartilhar em outros sites

samea 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

jgarcia 1

Compartilhar este post

Link para o post

Compartilhar em outros sites

samea 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

jgarcia 1

Compartilhar este post

Link para o post

Compartilhar em outros sites

samea 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

jgarcia 1

Compartilhar este post

Link para o post

Compartilhar em outros sites

samea 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

samea 0

Compartilhar este post

Link para o post

Compartilhar em outros sites

jgarcia 1

Compartilhar este post

Link para o post

Compartilhar em outros sites

Mário Monteiro 179

Compartilhar este post

Link para o post

Compartilhar em outros sites

Fixar div até atingir uma certa altura

Ajuda com Extends e envio para o banco

PHP+Codeginiter - Orientação para Impressão

Fóruns

Tempo Real

Informação importante