[Arquivado] wlcomm.exe virus

[gugabrasil 0]

Ola galera

sou novo aqui no forum , enfelizmente estou com um grande poblema

peguei um virus wlcomm.exe basicamente quando abre o msn

ocupa 99%do processador , tentei deletar

reinstalei msn ,

passei Malwarebytes' Anti-Malware e nada de resolver o poblema

basta utilizar por 3min msn que ele começa a trabalhar . utilizando todo processador

se alguem poder me ajudar

desde ja agradeço

[PedroN 1]

Léia a regra numero 2 da nossa área.

 

Regra Nº 02 - Utilizando O Hijackthis.

[gugabrasil 0]

utilizei o HiJackThis.exe

XD

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 04:44:41, on 6/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Documents and Settings\MAX\Desktop\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 66.98.148.65 auto.search.msn.com

O1 - Hosts: 66.98.148.65 auto.search.msn.es

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1009857706703

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 5833 bytes

[PedroN 1]

• Baixe: < ComboFix.exe >

• Salve-o no Desktop!

• Desabilite as proteções residente de: antivírus,antispywares e firewall. ( Menos o do Windows! )

• Feche todas as janelas e execute a ferramenta!

• Na solicitação: "Negação de garantia de software" --> Clique em Sim!

• Não possuindo o "Console de Recuperação",aceite optar pela instalação do mesmo!

 

<!> Caso aconteça a notificação de: Aplicativo Win32 inválido,delete a ferramenta e faça,novamente,o download.

-- Salve-a no desktop,renomeada como: Kombo.exe

-- Ps: Nomeie durante o salvamento,e não após salvá-la!

-- Ps: Surgindo alguma mensagem de erro,rode o ComboFix.exe em Modo de Segurança.

-- Ps: Para completar as remoções,talvez haja necessidade da ferramenta reiniciar o computador. <-- Aguarde!

-- Ps: Evite executar,voluntariamente,esta ferramenta!Siga,àcima,todas as recomendações propostas.

• Abrir-se-á a janela Auto Scan. --> Aguarde!

• Àfim de completar as remoções,o ComboFix poderá reiniciar o computador.

• Se houver necessidade,digite a opção para continuar! --> ( 1 ) --> Aperte Enter.

• Aguarde a conclusão!

• Durante o scan,evite manusear o mouse ou teclado! <-- Importante!

• Para parar ou sair do ComboFix,tecle "N" --> Enter.

----------------------

• Terminando,poste os relatórios: C:\ComboFix.txt + HijackThis,atualizado.

[gugabrasil 0]

relatorio combofix

 

 

ComboFix 09-04-04.01 - MAX 2009-04-06 15:37:30.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1023.661 [GMT -3:00]

Executando de: c:\documents and settings\MAX\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system\oeminfo.ini

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_IPRIP

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-03-06 to 2009-04-06 ))))))))))))))))))))))))))))

.

 

2009-04-06 14:34 . 2009-04-06 14:55 <DIR> d-------- c:\documents and settings\MAX\Dados de aplicativos\Spyware Terminator

2009-04-06 14:34 . 2009-04-06 15:12 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator

2009-04-06 14:34 . 2009-04-06 15:12 <DIR> d-------- c:\arquivos de programas\Spyware Terminator

2009-04-06 14:34 . 2009-04-06 14:34 <DIR> d-------- c:\arquivos de programas\Crawler

2009-04-06 14:34 . 2009-04-06 14:34 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys

2009-04-06 02:44 . 2009-04-06 02:44 <DIR> d-------- c:\documents and settings\MAX\Dados de aplicativos\Malwarebytes

2009-04-06 02:44 . 2009-04-06 02:44 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-04-06 02:44 . 2009-04-06 02:44 <DIR> d-------- c:\arquivos de programas\Malwarebytes' Anti-Malware

2009-04-06 02:44 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 02:44 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-06 02:09 . 2009-04-06 02:09 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2009-04-05 21:25 . 2009-04-05 21:25 <DIR> d-------- c:\arquivos de programas\Messenger Plus! Live

2009-04-04 18:23 . 2009-04-04 18:23 <DIR> d-------- c:\arquivos de programas\CAPCOM

2009-04-01 16:59 . 2009-04-01 16:59 <DIR> d-------- C:\Autodesk

2009-03-31 20:06 . 2009-03-31 20:06 <DIR> d--h----- c:\windows\PIF

2009-03-12 19:53 . 2009-03-31 03:38 69 --a------ c:\windows\NeroDigital.ini

2009-03-08 13:37 . 2009-03-08 13:37 <DIR> d-------- c:\arquivos de programas\Ares

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-06 05:50 --------- d-----w c:\arquivos de programas\Circle Deelopement

2009-04-05 23:09 --------- d-----w c:\arquivos de programas\Windows Live

2009-04-04 21:23 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2009-03-29 02:23 --------- d-----w c:\documents and settings\MAX\Dados de aplicativos\Ahead

2009-03-12 06:03 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-03-04 16:35 --------- d-----w c:\arquivos de programas\Circle Dvelopement

2009-03-02 13:53 2,481,067 ----a-w c:\windows\Resident Evil 4.scr

2009-03-02 06:04 --------- d-----w c:\arquivos de programas\Microsoft CAPICOM 2.1.0.2

2009-03-01 18:26 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\NVIDIA

2009-03-01 05:57 --------- d-----w c:\arquivos de programas\Windows Live SkyDrive

2009-03-01 05:57 --------- d-----w c:\arquivos de programas\Microsoft

2009-03-01 05:31 --------- d-----w c:\arquivos de programas\Arquivos comuns\Ahead

2009-03-01 05:25 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Nero

2009-03-01 05:25 --------- d-----w c:\arquivos de programas\Nero

2009-02-28 21:11 60,416 ----a-w c:\windows\ALCFDRTM.EXE

2009-02-28 21:07 --------- d-----w c:\arquivos de programas\Arquivos comuns\InstallShield

2009-02-28 21:06 --------- d-----w c:\arquivos de programas\AMD

2009-02-28 20:52 --------- d-----w c:\arquivos de programas\Windows Media Connect 2

2009-02-28 20:49 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Office Genuine Advantage

2009-02-28 20:43 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe

2009-02-28 20:38 --------- d-----w c:\arquivos de programas\microsoft frontpage

2009-02-28 20:37 --------- d-----w c:\arquivos de programas\Serviços on-line

2009-02-28 20:36 --------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"ares"="c:\arquivos de programas\Ares\Ares.exe" [2009-02-03 1004544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]

"avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"nwiz"="nwiz.exe" [2006-08-12 c:\windows\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-07-26 c:\windows\SOUNDMAN.EXE]

"NvMediaCenter"="NvMCTray.dll" [2006-08-12 c:\windows\system32\nvmctray.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3587:TCP"= 3587:TCP:Agrupamento de Mesmo Nível do Windows

"3540:UDP"= 3540:UDP:Protocolo PNRP (Peer Name Resolution Protocol)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a642344a-05d8-11de-baa2-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c46fe46d-1951-11de-9d1c-0013d48e77a5}]

\Shell\AutoRun\command - wmwzwj.exe

\Shell\explore\Command - wmwzwj.exe

\Shell\open\Command - wmwzwj.exe

.

- - - - ORFÃOS REMOVIDOS - - - -

 

Notify-WgaLogon - (no file)

 

 

.

------- Scan Suplementar -------

.

IE: Crawler Search - tbr:iemenu

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\arquiv~1\Crawler\Toolbar\ctbr.dll

FF - ProfilePath - c:\documents and settings\MAX\Dados de aplicativos\Mozilla\Firefox\Profiles\kieky9ex.default\

FF - prefs.js: browser.search.selectedEngine -

FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&tbid=60341&qkw=

FF - component: c:\arquivos de programas\Crawler\Toolbar\firefox\components\xcomm.dll

FF - component: c:\arquivos de programas\Crawler\Toolbar\firefox\components\xshared.dll

FF - component: c:\arquivos de programas\Crawler\Toolbar\firefox\components\xsupport.dll

FF - component: c:\arquivos de programas\Crawler\Toolbar\firefox\components\xwsg.dll

FF - component: c:\documents and settings\MAX\Dados de aplicativos\Mozilla\Firefox\Profiles\kieky9ex.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 15:41:45

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\windows\system32\rundll32.exe

c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\tcpsvcs.exe

c:\arquivos de programas\Spyware Terminator\sp_rsser.exe

c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-04-06 15:43:45 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-04-06 18:43:43

 

Pré-execução: 12 pasta(s) 18.366.746.624 bytes disponíveis

Pós execução: 11 pasta(s) 18,552,639,488 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

163 --- E O F --- 2009-04-05 22:38:29

 

 

 

 

HijackThis relatorio

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:44:58, on 6/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RunDLL32.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\MAX\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Barra de Ferramentas &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1009857706703

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

 

--

End of file - 7068 bytes

[PedroN 1]

Sugiro que imprima ou salve os procedimentos abaixo, e não use a internet até terminado o procedimento.

 

Selecione e copie o texto dentro do QUOTE (caixa cinza) abaixo. Abra o Bloco de notas e cole o que copiou. Salve então, na área de trabalho, com o nome de CFScript.txt.

 

File::

E:\setup.exe

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a642344a-05d8-11de-baa2-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c46fe46d-1951-11de-9d1c-0013d48e77a5}]

 

Esse script foi elaborado somente para este computador, de acordo com os arquivos e chaves presentes não use-o em outro computador, pos pode trazer danos.

 

Arraste agora o CFScript.txt para o ComboFix conforme a demonstração abaixo.

 

 

O ComboFix irá rodar e reiniciará o PC automaticamente para completar o processo de remoção.

 

IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando.

 

Quando acabar, será gerado um log, que estará em C:\ComboFix.txt.

 

Poste-o junto com o novo log do hijackthis

[gugabrasil 0]

segui todos os passos sugeridos .

desculpa demora para responder

esse eo novo log HiJackThis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:54:29, on 9/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Windows Media Player\wmplayer.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\MAX\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Barra de Ferramentas &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1009857706703

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

 

--

End of file - 6978 bytes

 

 

Log ComboFix

 

 

ComboFix 09-04-04.01 - MAX 2009-04-09 13:48:38.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1023.676 [GMT -3:00]

Executando de: c:\documents and settings\MAX\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\MAX\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Criado um novo ponto de restauro

 

FILE ::

E:\setup.exe

.

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-03-09 to 2009-04-09 ))))))))))))))))))))))))))))

.

 

2009-04-06 14:34 . 2009-04-06 15:57 <DIR> d-------- c:\documents and settings\MAX\Dados de aplicativos\Spyware Terminator

2009-04-06 14:34 . 2009-04-06 15:53 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator

2009-04-06 14:34 . 2009-04-06 15:50 <DIR> d-------- c:\arquivos de programas\Spyware Terminator

2009-04-06 14:34 . 2009-04-06 14:34 <DIR> d-------- c:\arquivos de programas\Crawler

2009-04-06 14:34 . 2009-04-06 14:34 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys

2009-04-06 02:44 . 2009-04-06 02:44 <DIR> d-------- c:\documents and settings\MAX\Dados de aplicativos\Malwarebytes

2009-04-06 02:44 . 2009-04-06 02:44 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-04-06 02:44 . 2009-04-06 02:44 <DIR> d-------- c:\arquivos de programas\Malwarebytes' Anti-Malware

2009-04-06 02:44 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 02:44 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-06 02:09 . 2009-04-06 02:09 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2009-04-05 21:25 . 2009-04-05 21:25 <DIR> d-------- c:\arquivos de programas\Messenger Plus! Live

2009-04-04 18:23 . 2009-04-04 18:23 <DIR> d-------- c:\arquivos de programas\CAPCOM

2009-04-01 16:59 . 2009-04-01 16:59 <DIR> d-------- C:\Autodesk

2009-03-31 20:06 . 2009-03-31 20:06 <DIR> d--h----- c:\windows\PIF

2009-03-12 19:53 . 2009-03-31 03:38 69 --a------ c:\windows\NeroDigital.ini

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-06 05:50 --------- d-----w c:\arquivos de programas\Circle Deelopement

2009-04-05 23:09 --------- d-----w c:\arquivos de programas\Windows Live

2009-04-04 21:23 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2009-03-29 02:23 --------- d-----w c:\documents and settings\MAX\Dados de aplicativos\Ahead

2009-03-12 06:03 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-03-08 16:37 --------- d-----w c:\arquivos de programas\Ares

2009-03-04 16:35 --------- d-----w c:\arquivos de programas\Circle Dvelopement

2009-03-02 13:53 2,481,067 ----a-w c:\windows\Resident Evil 4.scr

2009-03-02 06:04 --------- d-----w c:\arquivos de programas\Microsoft CAPICOM 2.1.0.2

2009-03-01 18:26 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\NVIDIA

2009-03-01 05:57 --------- d-----w c:\arquivos de programas\Windows Live SkyDrive

2009-03-01 05:57 --------- d-----w c:\arquivos de programas\Microsoft

2009-03-01 05:31 --------- d-----w c:\arquivos de programas\Arquivos comuns\Ahead

2009-03-01 05:25 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Nero

2009-03-01 05:25 --------- d-----w c:\arquivos de programas\Nero

2009-02-28 21:11 60,416 ----a-w c:\windows\ALCFDRTM.EXE

2009-02-28 21:07 --------- d-----w c:\arquivos de programas\Arquivos comuns\InstallShield

2009-02-28 21:06 --------- d-----w c:\arquivos de programas\AMD

2009-02-28 20:52 --------- d-----w c:\arquivos de programas\Windows Media Connect 2

2009-02-28 20:49 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Office Genuine Advantage

2009-02-28 20:43 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe

2009-02-28 20:38 --------- d-----w c:\arquivos de programas\microsoft frontpage

2009-02-28 20:37 --------- d-----w c:\arquivos de programas\Serviços on-line

2009-02-28 20:36 --------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços

2009-02-09 14:06 1,846,912 ----a-w c:\windows\system32\win32k.sys

2009-02-06 21:52 49,504 ----a-w c:\windows\system32\sirenacm.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"ares"="c:\arquivos de programas\Ares\Ares.exe" [2009-02-03 1004544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]

"avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"nwiz"="nwiz.exe" [2006-08-12 c:\windows\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-07-26 c:\windows\SOUNDMAN.EXE]

"NvMediaCenter"="NvMCTray.dll" [2006-08-12 c:\windows\system32\nvmctray.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"d:\\Steam\\SteamApps\\opguga\\counter-strike source\\hl2.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3587:TCP"= 3587:TCP:Agrupamento de Mesmo Nível do Windows

"3540:UDP"= 3540:UDP:Protocolo PNRP (Peer Name Resolution Protocol)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

 

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-04-06 142592]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.

.

------- Scan Suplementar -------

.

IE: Crawler Search - tbr:iemenu

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\arquiv~1\Crawler\Toolbar\ctbr.dll

FF - ProfilePath - c:\documents and settings\MAX\Dados de aplicativos\Mozilla\Firefox\Profiles\kieky9ex.default\

FF - prefs.js: browser.search.selectedEngine -

FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&tbid=60341&qkw=

FF - component: c:\arquivos de programas\Crawler\Toolbar\firefox\components\xcomm.dll

FF - component: c:\arquivos de programas\Crawler\Toolbar\firefox\components\xshared.dll

FF - component: c:\arquivos de programas\Crawler\Toolbar\firefox\components\xsupport.dll

FF - component: c:\arquivos de programas\Crawler\Toolbar\firefox\components\xwsg.dll

FF - component: c:\documents and settings\MAX\Dados de aplicativos\Mozilla\Firefox\Profiles\kieky9ex.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-09 13:49:47

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2009-04-09 13:50:37

ComboFix-quarantined-files.txt 2009-04-09 16:50:35

ComboFix2.txt 2009-04-06 18:43:46

 

Pré-execução: 12 pasta(s) 18.499.350.528 bytes disponíveis

Pós execução: 11 pasta(s) 18,500,632,576 bytes disponíveis

 

135 --- E O F --- 2009-04-05 22:38:29

[PedroN 1]

Como estar o PC?

 

o arquivo wlcomm.exe se encontra no micro? :huh:

[gugabrasil 0]

Pior que ainda continua . eu criei outro msn novo e nao da esse poblema . deve ta escondido em algum registro da minha acc antiga. :(

[PedroN 1]

Siga meus procedimentos na sequencia para não haver nenhum problema.

 

1)

 

 

- Faça o download do SDFIX

 

Reinicie seu computador, e aperte a tecla F8 (F5 em alguns casos) intermitentemente durante a inicialização, até aparecer um menu onde você deverá escolher a opção Modo Seguro

 

1. Entre na pasta SDFix que foi instalada no seu computador e dê um duplo clique no arquivo RunThis.bat

2. Tecle Y para que a ferramenta inicie o processo de remoção

3. Quando tudo terminar, você verá um aviso dizendo para apertar qualquer tecla para continuar. Ao pressionar qualquer tecla, o computador será reiniciado automaticamente

4. Após reiniciar, a ferramenta ainda será executada novamente e irá terminar o seu trabalho e a palavra Finished irá aparecer. Pressione qualquer tecla.

5. Uma janela com o relatório do SDFix irá aparecer.

6. Copie e cole este relatório na sua resposta . Caso você tenha fechado a janela, uma cópia do relatório estará na pasta SDFix com o nome Report.txt.

 

2)

 

Faça o download do Random's System Information Tool (RSIT)

http://images.malwareremoval.com/random/RSIT.exe

Salve na sua área de trabalho.

 

◘ Execute o RSIT.exe.

◘ Haverá uma janela informativa:

◘ List files/folders created or modified in the last: 1 month

◘ Clique em Continue.

 

Quando terminar, dois blocos de notas serão abertos:

log.txt -> abrirá maximizado

info.txt -> abrirá minimizado.

 

poste o arquivo log.txt na sua proxima resposta.

 

Uma cópia desses arquivos ficará salva na pasta C:\RSIT

 

Obs: Se o seu firewall alertar sobre o arquivo rsit.exe tentando se conectar, certifique-se de permitir (allow).

[Mário Monteiro 179]

Tópico Arquivado

 

Como o autor não respondeu por mais de 30 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.