
Archived

This topic has been archived and is closed to new replies.

gooma

[Archived] explorer opening and closing by itself


Well, it happened after I downloaded a file. After I downloaded it, Explorer kept closing and opening, and only with Ctrl+Alt+Del can I get on the net. I already tried the manual virus removal thing, but nothing; I already deleted the file and nothing.

Then I saw this topic: http://forum.imasters.com.br/index.php?showtopic=299698

and tried the first one. At first it flagged it as infected, then it said it was clean, but I tried again and the problem is still the same =\

 

edit:

Logfile of HijackThis v1.99.1

Scan saved at 02:37:34 Astoufo, on 24/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Clarity Framework\Tracker\Bin\cfwupload.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Clarity Framework\Tracker\Bin\cfwtracker.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Arquivos de programas\BitComet\BitComet.exe

C:\Arquivos de programas\NitroPC\NitroPC.exe

C:\Documents and Settings\xp@\Desktop\UTIL\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google-s.alltalkspectrum.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google-s.alltalkspectrum.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google-s.alltalkspectrum.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: (no name) - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - (no file)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NitroPC] "C:\Arquivos de programas\NitroPC\NitroPC.exe" -minimized

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2710658C-930E-40A5-89F5-8B74D1730588}: NameServer = 201.10.120.2 201.10.128.3

O17 - HKLM\System\CCS\Services\Tcpip\..\{E56FE72F-9F6C-4D54-8B7C-97D47377A1EC}: NameServer = 201.10.120.2,201.10.128.3

O17 - HKLM\System\CS1\Services\Tcpip\..\{2710658C-930E-40A5-89F5-8B74D1730588}: NameServer = 201.10.120.2 201.10.128.3

O17 - HKLM\System\CS2\Services\Tcpip\..\{2710658C-930E-40A5-89F5-8B74D1730588}: NameServer = 201.10.120.2 201.10.128.3

O17 - HKLM\System\CS3\Services\Tcpip\..\{2710658C-930E-40A5-89F5-8B74D1730588}: NameServer = 201.10.120.2 201.10.128.3

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Clarity - Metrics Tracker (CFWTracker) - Competitive Systems Analysis, Inc. - C:\Arquivos de programas\Clarity Framework\Tracker\Bin\cfwtracker.exe

O23 - Service: Clarity - Tracker Upload (CFWUpload) - Competitive Systems Analysis, Inc. - C:\Arquivos de programas\Clarity Framework\Tracker\Bin\cfwupload.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe


Good morning! gooma

 

<@> Download: < FixPolicies >

<@> Save it to the Desktop!

<@> Run the FixPolicies.exe file by double-clicking it.

<@> Click Install.

<@> Open the FixPolicies folder --> Click Fix_policies.cmd

<@> Allow the repair if it is blocked by protection programs.

<@> Wait for the check to finish!

<><><><><><><><><><>

<@> Download: < ComboFix > ( ...by sUBs )

<@> Save it to the desktop!

<@> Disable the resident protection of your antivirus, antispyware and firewall. ( Except the Windows one! )

<@> Close all windows and run the tool!

<@> At the prompt: "Software warranty disclaimer" --> Click Yes!

<@> If you do not have the "Recovery Console", accept the option to install it!

 

<!> If you get the notification: Invalid Win32 application, delete the tool and download it again.

<!> Save it to the desktop, renamed as: Kombo.exe

<!> PS: Name it while saving, not after saving it!

<!> PS: If an error message appears, run ComboFix.exe in Safe Mode. <-- Link!

<!> PS: To complete the removals, the tool may need to restart the computer. <-- Wait!

<!> PS: Avoid running this tool on your own! Follow all the recommendations given above.

<!> PS: ComboFix is a tool that can damage the system. Use it only under professional supervision.

<@> The Auto Scan window will open. --> Wait!

<@> In order to complete the removals, ComboFix may restart the computer.

<@> If necessary, type the option to continue! --> ( 1 ) --> Press Enter! --> Wait for it to finish!

<@> During the scan, avoid touching the mouse or keyboard! <-- Important!

<@> To stop or exit ComboFix, press "N" or "2" --> Press Enter!

<><><><><><><><><><><><>

<@> When it finishes, post the reports: C:\ComboFix\ComboFix.txt + an updated HijackThis log.

 

Regards!


Here it isn't showing anything, at least

 

ComboFix 09-02-21.01 - xp@ 2009-02-24 3:34:58.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.255.34 [GMT -3:00]

Executando de: c:\documents and settings\xp@\Desktop\ComboFix.exe

AV: ESET NOD32 antivirus system 0.0 *On-access scanning disabled* (Outdated)

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\efcAPIXR.dll

c:\windows\system32\geBuRlih.dll

c:\windows\system32\RXIPAcfe.ini

c:\windows\system32\RXIPAcfe.ini2

c:\windows\system32\wvUljGYS.dll

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-24 to 2009-02-24 ))))))))))))))))))))))))))))

.

 

2009-02-15 13:59 . 2009-02-17 21:59 <DIR> d-------- c:\arquivos de programas\EA GAMES

2009-02-14 01:23 . 2009-02-14 01:23 191,948 --a------ c:\windows\ADDONS SITECS (NONSTEAM) + BOT Uninstaller.exe

2009-02-02 23:09 . 2009-02-02 23:09 <DIR> d-------- c:\arquivos de programas\KP Software

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-24 06:08 --------- d-----w c:\arquivos de programas\Malwarebytes' Anti-Malware

2009-02-21 18:48 --------- d-----w c:\arquivos de programas\TuneUp Utilities 2009

2009-02-19 18:45 --------- d-----w c:\arquivos de programas\ViStart

2009-02-19 18:43 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2009-02-19 18:43 --------- d-----w c:\arquivos de programas\Garena

2009-02-19 18:26 --------- d-----w c:\arquivos de programas\No-IP

2009-02-19 18:23 --------- d-----w c:\arquivos de programas\Warcraft III

2009-02-19 18:17 --------- d-----w c:\arquivos de programas\Guitar Pro 5

2009-02-07 05:21 --------- d-----w c:\arquivos de programas\Messenger Plus! Live

2009-02-05 04:01 --------- d-----w c:\arquivos de programas\BitComet

2009-01-16 02:11 --------- d-----w c:\arquivos de programas\DosPop

2009-01-14 22:19 --------- d-----w c:\documents and settings\xp@\Dados de aplicativos\LimeWire

2009-01-10 05:44 --------- d-----w c:\arquivos de programas\NitroPC

2009-01-10 05:35 --------- d---a-w c:\documents and settings\All Users\Dados de aplicativos\TEMP

2009-01-10 01:49 --------- d-----w c:\documents and settings\xp@\Dados de aplicativos\TuneUp Software

2009-01-10 01:48 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\TuneUp Software

2009-01-10 01:45 --------- d-sh--w c:\documents and settings\All Users\Dados de aplicativos\{55A29068-F2CE-456C-9148-C869879E2357}

2009-01-09 23:26 --------- d-----w c:\documents and settings\xp@\Dados de aplicativos\CSA

2009-01-09 23:26 --------- d-----w c:\arquivos de programas\Clarity Framework

2009-01-04 20:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-04 20:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-01 15:48 --------- d-----w c:\arquivos de programas\Valve

2008-12-25 21:03 --------- d-----w c:\arquivos de programas\Ares

2008-12-12 22:42 200,704 ------w c:\windows\Setup1.exe

2008-02-06 21:31 32 ----a-w c:\documents and settings\All Users\Dados de aplicativos\ezsid.dat

2007-06-28 00:16 47,360 ----a-w c:\documents and settings\xp@\Dados de aplicativos\pcouffin.sys

2007-04-15 16:55 40 ----a-w c:\documents and settings\xp@\language.dat

.

 

------- Sigcheck -------

 

2006-04-20 09:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 13:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 08:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2007-10-30 14:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtServicePackUninstall$\tcpip.sys

2008-04-13 16:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS

2008-07-20 01:35 361600 eec9730f9cc03819111d90e6caa2dcc9 c:\windows\system32\dllcache\TCPIP.SYS

2008-07-20 01:35 361600 eec9730f9cc03819111d90e6caa2dcc9 c:\windows\system32\drivers\TCPIP.SYS

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoChangeAnimation"= 0 (0x0)

"NoStrCmpLogical"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 0 (0x0)

"NoStrCmpLogical"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\documents and settings\All Users\Dados de aplicativos\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2007-11-15 17:46 87352 c:\windows\system32\LMIinit.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=wbsys.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

"msacm.ac3filter"= ac3filter.acm

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

--a------ 2008-12-24 21:46 886784 c:\arquivos de programas\Ares\Ares.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 23:20 15360 c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NitroPC]

--a------ 2008-08-19 16:11 3477504 c:\arquivos de programas\NitroPC\NitroPC.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2006-10-22 11:22 7700480 c:\windows\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2006-10-22 11:22 86016 c:\windows\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2008-11-02 05:38 167936 c:\arquivos de programas\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2006-10-22 11:22 1622016 c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Valve\\hlds.exe"=

"c:\\Arquivos de programas\\Valve\\hl.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10825:TCP"= 10825:TCP:BitComet 10825 TCP

"10825:UDP"= 10825:UDP:BitComet 10825 UDP

"27015:TCP"= 27015:TCP:27015

"27015:UDP"= 27015:UDP:27015

 

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-02-23 15424]

R2 CFWTracker;Clarity - Metrics Tracker;c:\arquivos de programas\Clarity Framework\Tracker\Bin\cfwtracker.exe [2007-06-07 102400]

R2 CFWUpload;Clarity - Tracker Upload;c:\arquivos de programas\Clarity Framework\Tracker\Bin\cfwupload.exe [2007-06-07 73728]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-02-10 46112]

R2 NwSapAgent;Agente SAP;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]

R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-04-21 9344]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\arquivos de programas\LogMeIn\x86\RaInfo.sys --> c:\arquivos de programas\LogMeIn\x86\RaInfo.sys [?]

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\xp@\CONFIG~1\Temp\OUG1B.tmp --> c:\docume~1\xp@\CONFIG~1\Temp\OUG1B.tmp [?]

S3 iadusb;GlobespanVirata USB IAD LAN Modem;c:\windows\system32\DRIVERS\glauiad.sys --> c:\windows\system32\DRIVERS\glauiad.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-09 38496]

S3 SHAK31;SHAK31;\??\c:\documents and settings\xp@\Desktop\AFF\SHAK3.sys --> c:\documents and settings\xp@\Desktop\AFF\SHAK3.sys [?]

S3 Sinistro1;Sinistro1;\??\c:\documents and settings\xp@\Desktop\AFF\Sinistro.sys --> c:\documents and settings\xp@\Desktop\AFF\Sinistro.sys [?]

S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\RunGame.exe

.

- - - - ORFÃOS REMOVIDOS - - - -

 

BHO-{2F5661B8-1AFE-4EB7-BE53-0001E406CF75} - c:\windows\system32\efcAPIXR.dll

BHO-{B48733BA-E9C0-4F04-863B-3E138C0BD436} - c:\windows\system32\wvUljGYS.dll

ShellExecuteHooks-{B48733BA-E9C0-4F04-863B-3E138C0BD436} - c:\windows\system32\wvUljGYS.dll

MSConfigStartUp-OneCareUI - c:\arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe

 

 

.

------- Scan Suplementar -------

.

uStart Page = hxxp://google-s.alltalkspectrum.net

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to AMV Convert Tool... - c:\arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

IE: Baixar link usando &BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddLink.htm

IE: Baixar todos os links usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm

IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddVideo.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: MediaManager tool grab multimedia file - c:\arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

IE: {{85e1f530-48f4-11d9-9629-08ff2ffc9f67}

LSP: c:\windows\system32\imon.dll

TCP: {E56FE72F-9F6C-4D54-8B7C-97D47377A1EC} = 201.10.120.2,201.10.128.3

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\xp@\Dados de aplicativos\Mozilla\Firefox\Profiles\xepget6u.default\

FF - prefs.js: browser.startup.homepage - WWW.ORKUT.COM

FF - component: c:\documents and settings\xp@\Dados de aplicativos\Mozilla\Firefox\Profiles\xepget6u.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll

FF - plugin: c:\arquiv~1\Mozilla Firefox\plugins\np32dsw.dll

FF - plugin: c:\arquiv~1\Mozilla Firefox\plugins\npBitCometAgent.dll

FF - plugin: c:\arquiv~1\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\arquiv~1\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npyaxmpb.dll

 

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-24 03:43:57

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]

"ImagePath"="\??\c:\docume~1\xp@\CONFIG~1\Temp\OUG1B.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1390067357-1645522239-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0D00DE4B-2A1B-6CEB-1E7C-BDB8679511F7}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(848)

c:\windows\system32\LMIinit.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-02-24 3:48:23 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-02-24 06:48:18

ComboFix2.txt 2008-12-09 22:23:40

 

Pré-execução: 24 pasta(s) 58.633.551.872 bytes disponíveis

Pós execução: 24 pasta(s) 58,591,686,656 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=YMKM5K /Kernel=TUKernel.exe

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=YMKM5K-BAK

 

215 --- E O F --- 2009-02-12 01:03:31

 

 

---------------------

 

 

Logfile of HijackThis v1.99.1

Scan saved at 18:53:16 Astoufo, on 25/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Clarity Framework\Tracker\Bin\cfwupload.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Clarity Framework\Tracker\Bin\cfwtracker.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Documents and Settings\xp@\Desktop\UTIL\hijackthis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google-s.alltalkspectrum.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.8.7.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: (no name) - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - (no file)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NitroPC] "C:\Arquivos de programas\NitroPC\NitroPC.exe" -minimized

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2710658C-930E-40A5-89F5-8B74D1730588}: NameServer = 201.10.120.2 201.10.128.3

O17 - HKLM\System\CCS\Services\Tcpip\..\{E56FE72F-9F6C-4D54-8B7C-97D47377A1EC}: NameServer = 201.10.120.2,201.10.128.3

O17 - HKLM\System\CS1\Services\Tcpip\..\{2710658C-930E-40A5-89F5-8B74D1730588}: NameServer = 201.10.120.2 201.10.128.3

O17 - HKLM\System\CS2\Services\Tcpip\..\{2710658C-930E-40A5-89F5-8B74D1730588}: NameServer = 201.10.120.2 201.10.128.3

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Clarity - Metrics Tracker (CFWTracker) - Competitive Systems Analysis, Inc. - C:\Arquivos de programas\Clarity Framework\Tracker\Bin\cfwtracker.exe

O23 - Service: Clarity - Tracker Upload (CFWUpload) - Competitive Systems Analysis, Inc. - C:\Arquivos de programas\Clarity Framework\Tracker\Bin\cfwupload.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

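The helper asks for a fresh HijackThis log after each tool run, and the useful check is to compare the two scans rather than read each one from scratch. The following Python script is an added example, not code from this thread or from HijackThis: it parses excerpts of the two logs posted above (the 24/2 scan before ComboFix and the 25/2 scan after it), lists which entries disappeared and which appeared, and applies a few review rules of its own: Internet Explorer start/default page entries pointing at a host other than the Microsoft defaults the log itself shows, entries whose file is missing, Winlogon Notify DLLs, and DNS servers set in the registry. The rule set and the expected-host list are this example's assumptions; the rules surface entries for review rather than declare them malicious.

```python
import re
from urllib.parse import urlparse

# Excerpts copied from the two HijackThis logs posted in this thread
# (24/2/2009, before ComboFix, and 25/2/2009, after). Constructed sample
# input for this example: only the entries needed to show the comparison.
HJT_BEFORE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google-s.alltalkspectrum.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google-s.alltalkspectrum.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google-s.alltalkspectrum.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56FE72F-9F6C-4D54-8B7C-97D47377A1EC}: NameServer = 201.10.120.2,201.10.128.3
"""

HJT_AFTER = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google-s.alltalkspectrum.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56FE72F-9F6C-4D54-8B7C-97D47377A1EC}: NameServer = 201.10.120.2,201.10.128.3
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
"""

# Every HijackThis entry starts with its section code (R0, R1, O2, O20, ...).
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Hosts that the log itself shows as the stock IE defaults. Assumption of this
# example: any other host in an R0/R1 entry deserves a look.
EXPECTED_IE_HOSTS = {"go.microsoft.com", "home.microsoft.com"}


def parse_hjt(text):
    """Return the (section, body) entries of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before_text, after_text):
    """Entries that disappeared and entries that appeared between two scans."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


def flag_entries(text):
    """Triage rules for the entry types that matter in this thread.

    Returns a list of {"reason": ..., "entry": ...} dicts. The rules are this
    example's own and are deliberately conservative: they surface entries for
    review rather than declare them malicious.
    """
    findings = []
    for section, body in parse_hjt(text):
        entry = f"{section} - {body}"
        if section in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = urlparse(url).hostname
            if host and host not in EXPECTED_IE_HOSTS:
                findings.append({"reason": "hijacked-url", "entry": entry})
        if "(no file)" in body or "(file missing)" in body:
            # Dangling registrations: leftover junk, normally safe to remove.
            findings.append({"reason": "missing-file", "entry": entry})
        if section == "O20":
            # Winlogon Notify DLLs load inside winlogon.exe; verify each one.
            findings.append({"reason": "winlogon-notify", "entry": entry})
        if section == "O17":
            # DNS servers set in the registry: confirm they belong to the ISP.
            findings.append({"reason": "dns-override", "entry": entry})
    return findings


def count_reason(findings, reason):
    """How many findings carry a given reason code."""
    return sum(1 for f in findings if f["reason"] == reason)


if __name__ == "__main__":
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("Removed since the first scan:")
    for section, body in removed:
        print("  -", section, "-", body)
    print("Added since the first scan:")
    for section, body in added:
        print("  +", section, "-", body)
    print("Still flagged in the second scan:")
    for f in flag_entries(HJT_AFTER):
        print(f"  [{f['reason']}] {f['entry']}")
```

On these excerpts the diff shows that the two Default_Page_URL entries pointing at google-s.alltalkspectrum.net were removed between the scans while the HKCU Start Page entry survived, which is exactly the kind of leftover the helper's next request (a Malwarebytes scan plus another HijackThis log) is meant to catch. The O20 entries that only appear in the second log are listed for review, not judged; LMIinit.dll belongs to the LogMeIn installation already visible in the ComboFix report.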

Good morning! gooma

 

<@> Go to this link and download: < Malwarebytes >

<@> Update the program!

<@> Choose the Full scan!

<@> Disable protection programs when running Malwarebytes.

<@> Send the detected items to quarantine by clicking Remove items.

<@> For more details: < Link >

<><><><><><><><><><><><><>

<@> Post the reports: mbam-log-2009-xx-xx (00-00-00).txt + an updated HijackThis log.

 

Regards!


Topic Archived

 

Since the author did not reply for more than 30 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of this section together with the link to this topic and explain the reason for reopening.
