
lgma-UFC

[Solved!] CiD Virus


Hello, I'm new to the forum. I searched for topics about this virus and found a few, but I believe my case is different because it is a public PC, and I also think there are several other pieces of malware on this PC. Windows with Mercado Livre ads keep popping up non-stop.

Here is the log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:51:07, on 2/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\AhnRpta.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Long Internet Team Stupid] C:\Documents and Settings\All Users\Dados de aplicativos\comp two long internet\Help Math.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [more tick] C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe

O4 - HKCU\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe

O4 - HKCU\..\Run: [ertyuop] C:\WINDOWS\system32\rttrwq.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{50AADCB4-E716-4134-9597-89395EBD86A7}: NameServer = 200.19.190.1,200.17.41.36

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/1...acara-liops.jpg

 

--

End of file - 5615 bytes

 

 

Thanks.

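As an added example (not code from this thread, from HijackThis or from Norman), the following Python script applies a defender's first-pass heuristics to the O4 autostart lines of a HijackThis log like the one above; the rules, the length threshold and the ctfmon.exe exception are this example's own assumptions, and a flag is a reason to look closer, not a verdict.

```python
r"""Triage the O4 (autostart) entries of a HijackThis log.

Added example; the rules are assumptions of this example, not HijackThis logic:
  - the program launches from C:\RECYCLER, a Temp directory, Application Data
    or the drive root;
  - a core system process name (winlogon.exe, svchost.exe, ...) is used for a
    file outside the directory Windows normally runs it from;
  - the executable's base name has no vowels at all (rttrwq.exe, mkfght1.dll);
  - a per-user (HKCU) Run value points into system32; ctfmon.exe is excluded
    because it is the one legitimate such entry in the log above.
"""
import re
from typing import Dict, List

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Long Internet Team Stupid] C:\Documents and Settings\All Users\Dados de aplicativos\comp two long internet\Help Math.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [more tick] C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe
O4 - HKCU\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe
O4 - HKCU\..\Run: [ertyuop] C:\WINDOWS\system32\rttrwq.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# "O4 - <hive or HKUS\SID>\..\Run: [<value name>] <command> (User '...')?"
O4_RE = re.compile(
    r"^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '[^']*'\))?$"
)

# Directory each core process is expected to run from (lower-case suffix).
SYSTEM_NAMES = {
    "smss.exe": r"\windows\system32",
    "csrss.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}


def executable_path(cmd: str) -> str:
    """Return the file a Run value actually launches, switches stripped."""
    cmd = cmd.strip()
    if cmd.upper().startswith("RUNDLL32.EXE "):
        # rundll32 loads the DLL that follows; the entry point comes after a comma.
        return cmd.split(" ", 1)[1].split(",", 1)[0].strip('"')
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted command: the path runs up to the first " /" switch, if any.
    return cmd.split(" /", 1)[0]


def flags_for(key: str, path: str) -> List[str]:
    """Apply the heuristics above to one autostart entry."""
    p = path.lower()
    folder, _, base = p.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    reasons: List[str] = []
    if "\\recycler\\" in p:
        reasons.append("launches from the Recycle Bin")
    if "\\temp\\" in p:
        reasons.append("launches from a Temp directory")
    if re.search(r"dados de aplicativos|dadosd~1|application data|appdata", p):
        reasons.append("launches from Application Data")
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        reasons.append("launches from the drive root")
    expected = SYSTEM_NAMES.get(base)
    if expected and not folder.endswith(expected):
        reasons.append(f"{base} outside {expected}")
    # Length >= 6 is an assumption: short vendor abbreviations (NvCpl) are normal.
    if len(stem) >= 6 and not re.search(r"[aeiouy]", stem):
        reasons.append("executable name has no vowels")
    if key.upper() == "HKCU" and folder.endswith("\\system32") and base != "ctfmon.exe":
        reasons.append("per-user Run value pointing into system32")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged executable path to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        reasons = flags_for(m.group("key"), path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   -", reason)
```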

Download Norman Malware Cleaner here: http://superdownloads.uol.com.br/redir.cfm?softid=63672

After installing it, run it and add all the physical and removable drives of your PC (e.g. C:, F: and others), and only then click Scan.

After that, post the HijackThis log together with the Norman log.


I'm using another PC, because the PC I mentioned in the topic became unusable after I ran Norman. It got extremely slow, to the point where it is practically impossible to post the logs here. I ran Norman and rebooted right afterwards, and it was after the reboot that it started freezing. What should I do?


Done, I got in through Safe Mode.

 

HijackThis log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:48:33, on 3/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\AhnRpta.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Long Internet Team Stupid] C:\Documents and Settings\All Users\Dados de aplicativos\comp two long internet\Help Math.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [more tick] C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe

O4 - HKCU\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{50AADCB4-E716-4134-9597-89395EBD86A7}: NameServer = 200.19.190.1,200.17.41.36

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/1...acara-liops.jpg

 

--

End of file - 5601 bytes

 

 

Norman log

 

Norman Malware Cleaner

Copyright © 1990 - 2009, Norman ASA. Built 2009/03/02 09:11:48

 

Norman Scanner Engine Version: 6.00.06

Nvcbin.def Version: 6.00.00, Date: 2009/03/02 09:11:48, Variants: 2926698

 

Scan started: 03/03/2009 09:51:44

 

Running pre-scan cleanup routine:

Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2

Logged on user: UFC-12911B37ACF\Usuario

 

Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000

 

 

Scanning running processes and process memory...

 

C:\WINDOWS\Explorer.EXE!0x01BB269E (Infected with W32/NSAnti.gen11)

Terminated thread

 

C:\WINDOWS\Explorer.EXE(248) (C:\WINDOWS\system32\mkfght1.dll!0x01BA0000) (Infected with W32/Smalltroj.LFXC)

File marked for defered cleaning (reboot required)

 

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe(1816) (C:\WINDOWS\system32\mkfght1.dll!0x030D0000) (Infected with W32/Smalltroj.LFXC)

File marked for defered cleaning (reboot required)

 

C:\WINDOWS\system32\ctfmon.exe(236) (C:\WINDOWS\system32\mkfght1.dll!0x00C00000) (Infected with W32/Smalltroj.LFXC)

File marked for defered cleaning (reboot required)

 

C:\Arquivos de programas\Internet Explorer\iexplore.exe(2052) (C:\WINDOWS\system32\mkfght1.dll!0x04940000) (Infected with W32/Smalltroj.LFXC)

File marked for defered cleaning (reboot required)

 

C:\WINDOWS\system32\wuauclt.exe(2372) (C:\WINDOWS\system32\mkfght1.dll!0x10000000) (Infected with W32/Smalltroj.LFXC)

File marked for defered cleaning (reboot required)

 

Number of processes/threads found: 1646

Number of processes/threads scanned: 1646

Number of processes/threads not scanned: 0

Number of infected processes/threads terminated: 1

Total scanning time: 28s

 

 

Scanning file system...

 

Scanning: C:\*.*

 

C:\6fnlpetp.exe (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\a1agmur.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\autorun.inf (Infected with BAT/AutoRun.BI)

Deleted file

 

C:\cv22.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\gi2ky.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\hyetn1i.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\il0byu3h.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\p1y2.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\ph.com (Infected with W32/Viking.gen5)

Deleted file

 

C:\qphdin.com (Infected with OnLineGames.IAPV)

Deleted file

 

C:\u9dyi.exe (Infected with W32/Viking.gen5)

Deleted file

 

C:\wx8o0bt1.com (Infected with W32/DLoader.dam)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n1.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n14.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n2.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n3.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n4.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n5.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n6.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n7.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n8.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temp\32n9.tmp (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\Documents and Settings\Usuario\Configurações locais\Temporary Internet Files\Content.IE5\CLQFWD6J\zz[1].exe (Infected with W32/Smalltroj.KOIH)

Deleted file

 

C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe (Infected with W32/Autorun.LIN)

Removed registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> Windows Video Drivers = "C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe"

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030662.dll (Infected with W32/OnLineGames.CMSY)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030663.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030666.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030667.exe (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030668.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030669.exe (Infected with W32/Smalltroj.JSKN)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0030687.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0030688.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0030689.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0030715.dll (Infected with W32/OnLineGames.CMSY)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031716.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031719.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031720.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031721.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031734.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031735.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031738.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031739.inf (Infected with BAT/AutoRun.AE)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031740.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032735.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032736.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032738.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032739.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032740.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032758.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032759.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032762.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032763.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032766.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032780.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032781.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032783.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032784.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032785.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032786.exe (Infected with W32/Smalltroj.JWUL)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0033779.dll (Infected with W32/Smalltroj.JWKK)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0033780.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0033783.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0033784.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0033785.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0033797.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0033798.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0033799.inf (Infected with BAT/AutoRun.AE)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0034782.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0034783.dll (Infected with W32/Smalltroj.JWKK)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0034785.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0034786.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0034787.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034832.dll (Infected with W32/Smalltroj.JWKK)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034835.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034837.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034838.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034839.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034840.exe (Infected with W32/Smalltroj.JULW)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034841.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034852.dll (Infected with W32/Smalltroj.JWKK)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034855.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034858.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034859.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034860.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034873.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034876.dll (Infected with W32/Smalltroj.JWNX)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034878.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034879.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034880.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034896.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034897.dll (Infected with W32/Smalltroj.JWNX)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034900.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034901.inf (Infected with BAT/AutoRun.AE)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034902.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034903.exe (Infected with W32/Smalltroj.JVTI)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034904.dll (Infected with W32/Smalltroj.JWNX)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034917.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034918.dll (Infected with W32/Smalltroj.JWNX)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034928.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034929.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034930.bat (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034944.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034946.dll (Infected with W32/Smalltroj.JWEE)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034950.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034951.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034952.bat (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034957.exe (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP108\A0034966.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP108\A0035030.exe (Infected with W32/Smalltroj.JYNN)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP122\A0038952.exe (Infected with W32/Banger.DYOR)

File marked for defered cleaning (reboot required)

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0040622.inf (Infected with BAT/Autorun.BJ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0041586.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0041587.dll (Infected with W32/NSAnti.WFQ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0041591.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0041592.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0042588.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0043590.dll (Infected with W32/NSAnti.WFQ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0043592.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0043594.com (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0043595.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0043596.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0043597.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0043598.dll (Infected with W32/NSAnti.WFQ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0043611.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0045612.dll (Infected with W32/NSAnti.WFQ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0045614.com (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0045615.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0045617.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0045618.dll (Infected with W32/NSAnti.WFQ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0045619.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0045620.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP135\A0045624.dll (Infected with W32/NSAnti.WEZ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045625.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045627.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045643.dll (Infected with W32/OnlineGames.IRAT)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045644.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045646.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045648.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045650.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045651.dll (Infected with W32/OnlineGames.IRAT)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045652.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045653.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045656.dll (Infected with W32/NSAnti.WEZ)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045686.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045687.dll (Infected with W32/OnlineGames.IRAT)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045689.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045690.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0045691.inf (Infected with BAT/AutoRun.BI)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0046685.sys (Infected with W32/Rootkit.AIYH)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0046688.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0046690.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0046692.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0046693.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0046694.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP136\A0046695.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP137\A0046703.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP137\A0046704.inf (Infected with BAT/AutoRun.BI)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP137\A0046705.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP137\A0046718.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP137\A0046721.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP137\A0046722.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP137\A0046723.inf (Infected with BAT/AutoRun.BI)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP137\A0046724.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP138\A0046736.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP138\A0046738.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP138\A0046751.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP138\A0046755.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP138\A0046757.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP138\A0046758.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP138\A0046760.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP138\A0046761.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP139\A0046771.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP139\A0046773.com (Infected with W32/DLoader.dam)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP139\A0046774.exe (Infected with W32/DLoader.dam)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP140\A0046794.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP140\A0046800.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP140\A0046801.inf (Infected with BAT/AutoRun.BI)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP141\A0046819.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP141\A0046821.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0046822.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0046824.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0047795.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0047797.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0047798.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0047801.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0048794.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0048796.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0048798.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0048799.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0048801.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP142\A0048802.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048808.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048810.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048826.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048830.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048832.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048837.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048838.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048841.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048861.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048863.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048865.com (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048866.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048868.exe (Infected with OnLineGames.IRRD)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048869.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048873.cmd (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048874.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048875.exe (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048876.com (Infected with W32/Viking.gen5)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048877.com (Infected with OnLineGames.IAPV)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048878.exe (Infected with W32/Viking.gen5)

Deleted file

 

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048879.com (Infected with W32/DLoader.dam)

Deleted file

 

C:\WINDOWS\system32\mkfght0.dll (Infected with W32/Smalltroj.LFXC)

Deleted file

 

C:\WINDOWS\system32\mkfght1.dll (Infected with W32/Smalltroj.LFXC)

File marked for defered cleaning (reboot required)

 

C:\WINDOWS\system32\olhrwef.exe (Infected with OnLineGames.IAPV)

Removed registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> cdoosoft = "C:\WINDOWS\system32\olhrwef.exe"

Deleted file

 

C:\WINDOWS\system32\rttrwq.exe (Infected with OnLineGames.IRRD)

Removed registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> ertyuop = "C:\WINDOWS\system32\rttrwq.exe"

Deleted file

 

C:\WINDOWS\system32\vbsdfe0.dll (Infected with W32/Smalltroj.JWEE)

Deleted file

 

C:\WINDOWS\system32\vbsdfe1.dll (Infected with W32/Smalltroj.JWEE)

Deleted file

 

C:\WINDOWS\system32\WinDkill.exe (Infected with W32/Smalltroj.IRZF)

File marked for defered cleaning (reboot required)

 

C:\WINDOWS\system32\dk\systemac.dll (Infected with W32/Smalltroj.LKEX)

Deleted file

 

Scanning: D:\*.*

 

Scanning: c:\System Volume Information\*.*

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030663.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030666.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030667.exe (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP104\A0030669.exe (Infected with W32/Smalltroj.JSKN)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0030687.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0030689.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031716.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031719.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031720.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031734.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031735.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031738.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0031740.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032735.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032736.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032738.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032740.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032758.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032759.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032762.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032763.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032780.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032781.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032783.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032785.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0032786.exe (Infected with W32/Smalltroj.JWUL)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0033780.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0033783.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP105\A0033784.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0033797.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0033798.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0034782.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0034785.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP106\A0034787.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034835.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034837.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034839.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034840.exe (Infected with W32/Smalltroj.JULW)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034841.dll (Infected with W32/Smalltroj.JTJE)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034855.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034858.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034860.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034873.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034876.dll (Infected with W32/Smalltroj.JWNX)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034878.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034880.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034896.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034897.dll (Infected with W32/Smalltroj.JWNX)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034900.cmd (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034902.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034903.exe (Infected with W32/Smalltroj.JVTI)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034904.dll (Infected with W32/Smalltroj.JWNX)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034917.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034918.dll (Infected with W32/Smalltroj.JWNX)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034928.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034930.bat (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034944.dll (Infected with W32/Smalltroj.JHHY)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034950.com (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034952.bat (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034957.exe (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP108\A0035030.exe (Infected with W32/Smalltroj.JYNN)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP122\A0038952.exe (Infected with W32/Banger.DYOR)

File marked for defered cleaning (reboot required)

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048880.dll (Infected with W32/Smalltroj.JWEE)

Deleted file

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048881.dll (Infected with W32/Smalltroj.JWEE)

Deleted file

 

c:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP143\A0048882.dll (Infected with W32/Smalltroj.LKEX)

Deleted file

 

 

Running post-scan cleanup routine:

 

Number of files found: 63984

Number of archives unpacked: 596

Number of files scanned: 63966

Number of files not scanned: 18

Number of files skipped due to exclude list: 0

Number of infected files found: 285

Number of infected files repaired/deleted: 156

Number of infections removed: 156

Total scanning time: 17m 55s

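Reading a scan log of this size by eye is error-prone, so here is an added example (Python, written for this edit; it is not part of the thread and not Norman's tooling) that parses the Norman report format shown in the post above. It pairs each "Infected with" line with the action that follows it, separates hits inside System Restore snapshots (`C:\System Volume Information\_restore...`) from live files under system32, records the Run values the scanner removed, and lists live files that are still on disk because their cleanup was deferred to the next reboot. The embedded sample is a constructed excerpt of entries from the post; the function and field names are my own.

```python
"""Summarise a Norman scan log: what was deleted, what still waits for a reboot,
and whether the hits live in System Restore snapshots or on the live system."""
import re
from collections import Counter

# Constructed excerpt in the format of the Norman log posted above (not the full log).
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034929.inf (Infected with BAT/Autorun.BJ)

Deleted file

C:\System Volume Information\_restore{DDE049B2-532A-4DDB-9CDE-0741512F4A17}\RP107\A0034930.bat (Infected with OnLineGames.IAPV)

File marked for defered cleaning (reboot required)

C:\WINDOWS\system32\olhrwef.exe (Infected with OnLineGames.IAPV)

Removed registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> cdoosoft = "C:\WINDOWS\system32\olhrwef.exe"

Deleted file

C:\WINDOWS\system32\WinDkill.exe (Infected with W32/Smalltroj.IRZF)

File marked for defered cleaning (reboot required)
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) \(Infected with (?P<sig>[^)]+)\)\s*$")
REGISTRY_RE = re.compile(r'^Removed registry value: (?P<key>.+?) -> (?P<name>[^=]+?) = "(?P<target>[^"]*)"')
DEFERRED = "File marked for defered cleaning (reboot required)"  # Norman's own spelling
DELETED = "Deleted file"


def classify_location(path):
    """Restore-point copy, live system32 file, or anything else."""
    p = path.lower()
    if p.startswith(r"c:\system volume information\_restore"):
        return "restore_point"
    if "\\windows\\system32\\" in p:
        return "system32"
    return "other"


def family(sig):
    """'W32/Smalltroj.LFXC' -> 'Smalltroj'; 'OnLineGames.IAPV' -> 'OnLineGames'."""
    return sig.rsplit("/", 1)[-1].split(".", 1)[0]


def parse_norman_log(text):
    """Return one dict per detection, with the action and registry lines that follow it."""
    hits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            current = {"path": m["path"], "sig": m["sig"], "action": None, "registry": []}
            hits.append(current)
            continue
        if current is None:
            continue  # header or summary text before the first detection
        if line == DELETED:
            current["action"] = "deleted"
        elif line == DEFERRED:
            current["action"] = "deferred"
        else:
            r = REGISTRY_RE.match(line)
            if r:
                current["registry"].append((r["key"], r["name"], r["target"]))
    return hits


def summarize(hits):
    """Counts by action, location and family, plus the live files still pending reboot."""
    return {
        "total": len(hits),
        "deleted": sum(h["action"] == "deleted" for h in hits),
        "deferred": sum(h["action"] == "deferred" for h in hits),
        "by_location": Counter(classify_location(h["path"]) for h in hits),
        "by_family": Counter(family(h["sig"]) for h in hits),
        "run_values_removed": [(name, target) for h in hits for _, name, target in h["registry"]],
        # Files outside the restore snapshots that are still on disk until the reboot happens
        "live_pending_reboot": [h["path"] for h in hits
                                if h["action"] == "deferred"
                                and classify_location(h["path"]) != "restore_point"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_norman_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log, the deleted and deferred counts should reconcile with the summary lines at the end of the post (285 found, 156 repaired/deleted, the rest pending reboot). Copies inside the restore snapshots only come back if a System Restore is performed, but the paths listed as live and pending reboot remain on disk until the machine restarts, so the usual order is reboot, rescan, then purge System Restore so the infected snapshots are not kept.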

Uninstall Norman; run Disk Cleanup:

Start > All Programs > Accessories > System Tools > Disk Cleanup (delete all the useless files).

 

 

Follow the instructions below:

 

Download bankerfix.exe.

Temporarily disable your antivirus, to avoid conflicts and for better detection.

Double-click bankerfix.exe, press Enter and wait for it to finish. When it finishes, read the message on screen and press Enter again.

 

Re-enable your antivirus, generate a new HijackThis log and post it together with BankerFix's relatório.txt.

 

Awaiting your reply


BankerFix report:

BankerFix 3.0 VALKYRIE - Banker Remover

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Date: 2009-03-05 - 08:43

-------------------------------------------------------

Definition list: 2009-01-21-2 | CORE: 2009-01-21-1

=======================================================

 

Infected file detected: C:\WINDOWS\system32\configex.dll

Infected file removed successfully!

 

Infected file detected: C:\WINDOWS\system32\dkwork.ini

Infected file removed successfully!

 

Infected file detected: C:\WINDOWS\system32\WinDkill.exe

Infected file removed successfully!

 

 

 

----- End -------------------------

 

 

HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:44:31, on 5/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\AhnRpta.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Long Internet Team Stupid] C:\Documents and Settings\All Users\Dados de aplicativos\comp two long internet\Help Math.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [more tick] C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe

O4 - HKCU\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{50AADCB4-E716-4134-9597-89395EBD86A7}: NameServer = 200.19.190.1,200.17.41.36

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/1...acara-liops.jpg

 

--

End of file - 5268 bytes


Follow the instructions below:

 

Download Killbox

Run KillBox and click Delete on Reboot.

Copy the list below:

C:\WINDOWS\AhnRpta.exe

C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe

C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe

C:\WINDOWS\system32\olhrwef.exe

 

Go to Killbox and click File > Paste from clipboard. Click All Files.

 

Press "X". Answer "NO" to the prompt.

 

Restart the computer in Safe Mode (after restarting, press the F8 key repeatedly until a black DOS-style screen appears, then choose Safe Mode).

 

Run HijackThis, click Do a system scan only and tick the lines:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKCU\..\Run: [more tick] C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe

O4 - HKCU\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

Click Fix Checked

Once that is done, restart in normal mode and generate a new HijackThis log.

 

Awaiting your reply.


HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:32:11, on 9/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\AhnRpta.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Hijack\HiJackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Long Internet Team Stupid] C:\Documents and Settings\All Users\Dados de aplicativos\comp two long internet\Help Math.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{50AADCB4-E716-4134-9597-89395EBD86A7}: NameServer = 200.19.190.1,200.17.41.36

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/1...acara-liops.jpg

 

--

End of file - 5235 bytes


Repeat some of the procedures, as some infections are still present.

Don't forget that HijackThis has to be run in Safe Mode, otherwise it will have no effect.

 

Follow the instructions below:

 

Download Killbox

Run KillBox and click Delete on Reboot.

Copy the list below:

C:\WINDOWS\AhnRpta.exe

C:\WINDOWS\system32\olhrwef.exe

 

Go to Killbox and click File > Paste from clipboard. Click All Files.

 

Press "X". Answer "NO" to the prompt.

 

Restart the computer in Safe Mode (after restarting, press the F8 key repeatedly until a black DOS-style screen appears, then choose Safe Mode).

 

Run HijackThis, click Do a system scan only and tick the lines:

O4 - HKLM\..\Run: [Long Internet Team Stupid] C:\Documents and Settings\All Users\Dados de aplicativos\comp two long internet\Help Math.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

Click Fix Checked

Once that is done, restart in normal mode and generate a new HijackThis log.

 

Awaiting your reply.
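The helper above compares each fresh log against the fix list by eye; the Python script below is an added example (not from this thread, and not HijackThis code) that parses the O2 and O4 lines of a HijackThis v2 log, flags the indicators acted on in this thread (an orphaned BHO, a binary under RECYCLER, a winlogon.exe outside system32, autostarts from Application Data, and the file names on the fix list), and diffs a before/after pair to show which flagged entries survived Fix Checked. The sample logs are excerpts of the first two logs posted in this thread; the heuristics and the THREAD_IOCS list are assumptions drawn from those posts, not a general signature set.

```python
"""HijackThis v2 log triage (added example, not from the thread or HijackThis).
Parses O2 (BHO) and O4 (Run key) lines, flags the indicators the helper acted
on, and diffs two logs to show which flagged entries survived Fix Checked."""
import re
from dataclasses import dataclass
from typing import List

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# First executable token; unquoted paths with spaces ("math heart way.exe") stay whole.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|bat|cmd|pif))"?(?:\s|$)',
                    re.IGNORECASE)

# Core Windows binaries that malware impersonates outside system32.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "services.exe", "smss.exe"}
# File names the helper in this thread identified as malicious (thread-specific).
THREAD_IOCS = {"olhrwef.exe", "math heart way.exe", "help math.exe"}
# Application Data folder markers (Portuguese XP long and 8.3 forms, and English).
APPDATA_MARKERS = ("dados de aplicativos", "dadosd~1", "application data")


@dataclass
class Entry:
    kind: str           # "O2" or "O4"
    name: str           # Run value name or BHO display name
    target: str         # command line (O4) or DLL path (O2)
    reasons: List[str]  # empty when nothing looked suspicious

    def key(self) -> str:
        return f"{self.kind}|{self.name}|{self.target}".lower()


def exe_path(cmd: str) -> str:
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd


def assess(kind: str, target: str) -> List[str]:
    """Apply the heuristics behind the helper's fix list to one entry."""
    path = exe_path(target) if kind == "O4" else target
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if kind == "O2" and low == "(no file)":
        reasons.append("BHO registered but its DLL is missing (orphan)")
    if "\\recycler\\" in low:
        reasons.append("autostart binary stored under RECYCLER")
    if base in SYSTEM_NAMES and "\\system32\\" not in low:
        reasons.append(f"system binary name {base} outside system32")
    if any(marker in low for marker in APPDATA_MARKERS):
        reasons.append("autostart from an Application Data folder")
    if base in THREAD_IOCS:
        reasons.append("file name matches an indicator from this thread")
    return reasons


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Entry("O4", m["name"], m["cmd"], assess("O4", m["cmd"])))
            continue
        m = O2_RE.match(line.strip())
        if m:
            entries.append(Entry("O2", m["name"], m["path"], assess("O2", m["path"])))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.reasons]


def survivors(before: str, after: str) -> List[Entry]:
    """Flagged entries still present in the log taken after Fix Checked."""
    after_keys = {e.key() for e in parse_log(after)}
    return [e for e in flagged(parse_log(before)) if e.key() in after_keys]


# Excerpts of the thread's first two logs (lines copied from the posts above).
BEFORE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Long Internet Team Stupid] C:\Documents and Settings\All Users\Dados de aplicativos\comp two long internet\Help Math.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [more tick] C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe
O4 - HKCU\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-4585258326-2761105510-496851341-7808\winlogon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [Long Internet Team Stupid] C:\Documents and Settings\All Users\Dados de aplicativos\comp two long internet\Help Math.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
"""

if __name__ == "__main__":
    for e in flagged(parse_log(BEFORE_LOG)):
        print(f"[{e.kind}] {e.name}: {'; '.join(e.reasons)}")
    print("survived Fix Checked:", [e.name for e in survivors(BEFORE_LOG, AFTER_LOG)])
```

An entry that survives a Fix Checked pass, as the two here do, points to something re-creating it (a dropper still running, or an autorun on removable media), which is why the thread moves on to reboot-time deletion and ComboFix.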


I had to do the HijackThis process 3 more times, because I would press Fix Checked and in the next log the infections showed up again

 

log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:46:36, on 10/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\AhnRpta.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{50AADCB4-E716-4134-9597-89395EBD86A7}: NameServer = 200.19.190.1,200.17.41.36

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/1...acara-liops.jpg

 

--

End of file - 4952 bytes


1. Download the tool The Avenger (by Swandog46)

 

2. Save it and unpack it on your Desktop;

 

3. Select and copy (CTRL+C) the text shown below (including the line that says “Files to delete”):

Files to delete:
C:\WINDOWS\AhnRpta.exe

 

NOTE: The script above was created specifically for this user. If you are not that user, do NOT follow these instructions, as they may damage the operation of your system

 

4. Now run the The Avenger tool by double-clicking its icon on your Desktop;

* Under "Script file to execute" choose "Input Script Manually";

* Now click the magnifying glass icon, which opens a new window called "View/edit script";

* Paste the copied text into this window by pressing (CTRL+V);

* Click "Done";

* Now click the green light icon to start running the script;

* Answer "Yes" twice when prompted.

5. The Avenger will automatically do the following:

 

* It will restart your computer (in cases where the script contains "Drivers to Unload", the Avenger will restart your system twice);

* On reboot, a Command Prompt window will briefly open on your Desktop; this is normal;

* After the restart, it will create a log file, which should open with the results of the Avenger's actions. This log file will be located at C:\avenger.txt;

* The Avenger will also back up all the files etc. that you asked it to delete, zip them and move the .zip files to C:\avenger\backup.zip.

 

6. Copy and paste the contents of c:\avenger.txt in your next reply.

Generate a new HijackThis log and post it in your next reply.

 

Awaiting your reply


Avenger log:

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

File "C:\WINDOWS\AhnRpta.exe" deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:56:11, on 11/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AhnRpta.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKCU\..\Run: [more tick] C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{50AADCB4-E716-4134-9597-89395EBD86A7}: NameServer = 200.19.190.1,200.17.41.36

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/1...acara-liops.jpg

 

--

End of file - 5306 bytes

 

I think the infections came back again :\


Download ComboFix at:

ComboFix

 

1) Temporarily disable your anti-virus;

 

2) Double-click combofix.exe and wait (the whole process takes about 10 minutes);

 

3) The “SOFTWARE WARRANTY DISCLAIMER” window will open. Read the text in this window carefully and click “YES” to continue.

 

PS: If you do not agree with the terms, click “NO” to exit the software, bearing in mind that disinfection will not be possible without continuing with ComboFix.

 

4) Another window will open if your machine does not have the WINDOWS RECOVERY CONSOLE. It is recommended to install the console before continuing the process, since that guarantees the system can be recovered if problems occur during the scan.

 

Click “YES” and wait, as the console installation happens automatically through ComboFix itself. It may take a few minutes (depending on your connection speed), so be patient.

 

When the “INSTALLING THE RECOVERY CONSOLE” window appears, click “OK”, then click “YES” to accept the EULA.

 

When the recovery console installation finishes, a window will open saying “THE RECOVERY CONSOLE WAS INSTALLED SUCCESSFULLY”.

 

Click “YES” to continue the scan.

 

5) ComboFix will start the AUTOSCAN (wait).

 

WARNING: Do not click on the ComboFix window or end the process abruptly while the tool is running, as this will break your desktop configuration (it will go completely white).

 

When the process finishes, the machine will restart to produce the report.

 

6) On restart, ComboFix will run FIND3M to create the final scan report. The log will be placed at C:\ComboFix.txt.

 

7) Re-enable your anti-virus;

 

8) I need you to paste the contents of ComboFix.txt and a new HijackThis log in your next reply.

 

NOTE 1: If a message appears saying THIS IS NOT A VALID WIN32 APPLICATION, download ComboFix again, but save it to your Desktop as KomboFix. As a last resort, try running ComboFix in SAFE MODE.

 

NOTE 2: If the running ComboFix window is clicked, it will MAXIMIZE, covering the others. To minimize it again, just use ALT + TAB.


ComboFix 09-03-10.03 - Usuario 2009-03-12 12:10:41.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1023.635 [GMT -3:00]

Executando de: c:\documents and settings\Usuario\Desktop\ComboFix.exe

AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\2.bat

C:\a1agmur.cmd

C:\Autorun.inf

C:\dbrxubcw.com

c:\documents and settings\Usuario\ravmonlog

C:\i6g6x.cmd

C:\o.exe

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

C:\u.com

c:\windows\IE4 Error Log.txt

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\olhrwef.exe

E:\autorun.inf

E:\u.com

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-02-12 to 2009-03-12 ))))))))))))))))))))))))))))

.

 

2009-03-11 15:53 . 2004-08-04 00:45 70,144 --a------ c:\windows\AhnRpta.exe

2009-03-10 13:02 . 2009-03-11 15:54 107,190 -r-hs---- C:\cb.exe

2009-03-09 10:12 . 2009-03-09 09:20 108,664 -r-hs---- C:\i.com

2009-03-09 09:24 . 2009-03-10 12:39 <DIR> d-------- C:\!KillBox

2009-03-05 08:42 . 2009-03-05 08:43 <DIR> d-------- C:\LinhaDefensiva

2009-03-02 10:49 . 2009-03-11 15:56 <DIR> d-------- C:\Hijack

2009-02-19 10:03 . 2009-02-19 10:03 28,160 --a------ C:\planilha de controle. Projeto GRANMAR.xls

2009-02-16 13:34 . 2009-03-03 09:39 129,536 --------- c:\windows\system32\mkfght1.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-10 12:05 --------- d-----w c:\documents and settings\Usuario\Dados de aplicativos\AVG7

2009-03-10 11:17 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\avg7

2009-02-05 14:46 --------- d-----w c:\arquivos de programas\Marcos Velasco Security

2009-02-02 11:44 --------- d-----w c:\documents and settings\Usuario\Dados de aplicativos\drvplanbalm

2009-02-02 11:43 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\comp two long internet

2009-02-02 11:43 --------- d-----w c:\arquivos de programas\drvplanbalm

2009-01-23 21:07 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Zylom

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"more tick"="c:\docume~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe" [2009-02-02 615936]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]

"RemoteControl"="c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]

"LanguageShortcut"="c:\arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]

"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"AVG7_CC"="c:\arquiv~1\Grisoft\AVG7\avgcc.exe" [2008-10-18 590848]

"!AVG Anti-Spyware"="c:\arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"AVG7_Run"="c:\arquiv~1\Grisoft\AVG7\avgw.exe" [2008-02-19 219136]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "c:\windows\system32\afmain1.dll" [2007-06-13 78848]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"=

"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"=

"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"=

"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgemc.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"18715:TCP"= 18715:TCP:NortonAV

"18753:TCP"= 18753:TCP:NortonAV

"14240:TCP"= 14240:TCP:NortonAV

 

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-02-19 29696]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

\Shell\AutoRun\command - C:\u.com

\Shell\open\Command - C:\u.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{192b2ef8-f450-11dc-aec3-001e8c0c8b36}]

\Shell\AutoRun\command - avc35.exe

\Shell\explore\command - avc35.exe explore

\Shell\find\command - avc35.exe

\Shell\open\command - avc35.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bf2952e-f11c-11dc-aebf-001e8c0c8b36}]

\Shell\auto\command - cmd /c @start k.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cmd /c @start k.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cb9a7dc-bfa4-11dd-afc1-001e8c0c8b36}]

\Shell\auto\command - cmd /c @start k.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cmd /c @start k.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cb9a7dd-bfa4-11dd-afc1-001e8c0c8b36}]

\Shell\AutoRun\command - avc35.exe

\Shell\explore\command - avc35.exe explore

\Shell\find\command - avc35.exe

\Shell\open\command - avc35.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9db4e0f8-865f-11dd-af5f-001e8c0c8b36}]

\Shell\AutoRun\command - il0byu3h.com

\Shell\open\Command - il0byu3h.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3350cec-b0b1-11dd-afa6-001e8c0c8b36}]

\Shell\auto\command - cmd /c @start k.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cmd /c @start k.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4a4edb0-eada-11dc-aeb4-001e8c0c8b36}]

\Shell\Auto\command - bittorrent.exe e

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2009-03-12 c:\windows\Tasks\AF0B458E9184FE5E.job

- c:\docume~1\usuario\dadosd~1\drvpla~1\ViewCloseOnline.exe [2009-02-02 08:44]

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe

 

 

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {50AADCB4-E716-4134-9597-89395EBD86A7} = 200.19.190.1,200.17.41.36

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-12 12:13:20

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

c:\windows\AhnRpta.exe

c:\arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\arquiv~1\Grisoft\AVG7\avgamsvr.exe

c:\arquiv~1\Grisoft\AVG7\avgupsvc.exe

c:\arquiv~1\Grisoft\AVG7\avgemc.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

c:\windows\system32\nvsvc32.exe

c:\arquivos de programas\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\rundll32.exe

c:\arquivos de programas\Internet Explorer\IEXPLORE.EXE

c:\arquivos de programas\Internet Explorer\IEXPLORE.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-03-12 12:14:19 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-03-12 15:14:17

 

Pré-execução: 18 pasta(s) 226,274,365,440 bytes disponíveis

Pós execução: 18 pasta(s) 226,475,692,032 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=alwaysoff /fastdetect

 

169 --- E O F --- 2009-03-11 20:28:37

 

 

HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:17:53, on 12/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AhnRpta.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [more tick] C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{50AADCB4-E716-4134-9597-89395EBD86A7}: NameServer = 200.19.190.1,200.17.41.36

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/1...acara-liops.jpg

 

--

End of file - 5199 bytes


Copy all of the content quoted below and paste it into Notepad.

Save the file on the desktop with the name: CFScript.txt

File::

C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1\math heart way.exe

c:\windows\AhnRpta.exe

c:\windows\system32\olhrwef.exe

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\mkfght1.dll

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{192b2ef8-f450-11dc-aec3-001e8c0c8b36}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4a4edb0-eada-11dc-aeb4-001e8c0c8b36}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9db4e0f8-865f-11dd-af5f-001e8c0c8b36}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cb9a7dc-bfa4-11dd-afc1-001e8c0c8b36}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bf2952e-f11c-11dc-aebf-001e8c0c8b36}]

Folder::

C:\DOCUME~1\Usuario\DADOSD~1\DRVPLA~1

Drag CFScript.txt onto the ComboFix icon, as shown in the illustration below:

cfscript.gif

 

Accept the prompt that should appear in order to run ComboFix.

Note: drag CFScript onto the icon until the small ComboFix window appears.

When it finishes, post ComboFix.txt together with a new HijackThis log.

 

Note: perform this step with your pen drive connected to the PC.

 

Awaiting your reply.

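The mountpoints2 blocks in the ComboFix log above are exactly what the CFScript's Registry:: section deletes. As an added example, not code from the original posts or from ComboFix, this Python script parses that section of a ComboFix log, flags shell handlers that launch a bare filename, a file in the drive root, or a cmd/rundll32 launcher, and emits the matching [-key] removal lines; the sample log is constructed from the entries above, and its last key is a made-up benign entry.

```python
import re

# Constructed sample in the "mountpoints2" format of the ComboFix log above; the last key is a made-up benign entry.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\u.com
\Shell\open\Command - C:\u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bf2952e-f11c-11dc-aebf-001e8c0c8b36}]
\Shell\auto\command - cmd /c @start k.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cmd /c @start k.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4a4edb0-eada-11dc-aeb4-001e8c0c8b36}]
\Shell\Auto\command - bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\open\command - c:\windows\explorer.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\[^\]]+)\]$", re.I)
HANDLER_RE = re.compile(r"^(\\Shell\\\S+\\command) - (.+)$", re.I)

def parse_mountpoints(log_text):
    """Return {registry key: [(handler, command), ...]} for each mountpoints2 block."""
    keys, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = []
        elif current and (h := HANDLER_RE.match(line)):
            keys[current].append((h.group(1), h.group(2)))
    return keys

def is_suspicious(command):
    """Flag launcher tricks, bare filenames (resolved from the drive root) and files sitting in a drive root."""
    lower = command.lower()
    if "shellexec_rundll" in lower or "cmd /c" in lower:
        return True
    target = command.split()[0]
    if "\\" not in target:
        return True
    return re.match(r"^[a-z]:\\[^\\]+$", target, re.I) is not None

def flagged_keys(log_text):  # keys with at least one suspicious Shell\...\command handler
    return [k for k, hs in parse_mountpoints(log_text).items() if any(is_suspicious(c) for _, c in hs)]

def cfscript_registry_section(log_text):
    """CFScript 'Registry::' section deleting the flagged keys, in the [-key] syntax used above."""
    return "\n".join(["Registry::"] + [f"[-{k}]" for k in flagged_keys(log_text)]) + "\n"
```

Running `cfscript_registry_section(SAMPLE_LOG)` yields the three removal lines for the C, {2bf2952e-...} and {b4a4edb0-...} keys and leaves the constructed benign key alone.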