Archived

This topic has been archived and is closed to new replies.

ebiancalana

[Resolved!] Uw08.exe


Good morning, everyone.

I'm having a problem similar to other members who were infected by a virus where the message about "Uw08.exe" appears. In my case, I don't notice the PC slowing down, but Mozilla Firefox "disappears".

Thanks in advance for the team's help; I await your reply.

Thank you!


<><><><><><><><><><>

Good morning, ebiancalana!

 

 

<!> Post the HijackThis log, following this Tutorial.

< Rule No. 02 - Using HijackThis - READ BEFORE POSTING! >

 

Cheers!


 

Good afternoon!! Here it is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:24:01, on 11/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Arquivos de programas\F-Secure\Anti-Virus\fsgk32st.exe

C:\Arquivos de programas\F-Secure\Anti-Virus\FSGK32.EXE

C:\Arquivos de programas\F-Secure\Common\FSMA32.EXE

C:\Arquivos de programas\F-Secure\Common\FSMB32.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\uglmd.exe

C:\Arquivos de programas\F-Secure\Common\FCH32.EXE

C:\Arquivos de programas\F-Secure\Anti-Virus\fssm32.exe

C:\Arquivos de programas\F-Secure\Common\FAMEH32.EXE

C:\Arquivos de programas\F-Secure\Anti-Virus\fsqh.exe

C:\Arquivos de programas\F-Secure\Common\FNRB32.EXE

C:\Arquivos de programas\F-Secure\FSAUA\program\fsaua.exe

C:\Arquivos de programas\F-Secure\Common\FIH32.EXE

C:\Arquivos de programas\F-Secure\FWES\Program\fsdfwd.exe

C:\Arquivos de programas\F-Secure\Anti-Virus\fsav32.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\F-Secure\Common\FSM32.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe

C:\Arquivos de programas\F-Secure\FSGUI\fsguidll.exe

C:\WINDOWS\system32\Windows UpdateSP8.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Syncplicity\Syncplicity.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\hijackthis\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Arquivos de programas\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Arquivos de programas\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Arquivos de programas\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [REGSHAVE] C:\Arquivos de programas\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC

O4 - HKLM\..\Run: [Windows Update SP8] C:\WINDOWS\system32\Windows UpdateSP8.exe

O4 - HKLM\..\Run: [Windows Defender] VSFPNC

O4 - HKLM\..\RunOnce: [Windows Update SP8] C:\WINDOWS\system32\UW08.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [syncplicity] C:\Arquivos de programas\Syncplicity\Syncplicity.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O4 - Global Startup: msnmsgr_.exe

O4 - Global Startup: Windows UpdateSP8.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\ARQUIV~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: Broker de solicitação de rede F-Secure (F-Secure Network Request Broker) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\Common\FNRB32.EXE

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: Agente de Gerenciamento do F-Secure (FSMA) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\Common\FSMA32.EXE

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Arquivos de programas\Arquivos comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

 

--

End of file - 9535 bytes


Good afternoon, ebiancalana!

<@> Open Spybot Search & Destroy!

<@> In the top menu, go to Mode and select the Advanced option. --> Confirm!

<@> Click the Tools button and then Resident.

<@> Uncheck the option: Resident "TeaTimer" (Protection of overall system settings) active.

<><><><><><><><><><><>

<@> Restart the computer in Safe Mode.

<@> Open HijackThis --> Click: Do a system scan only --> Check the entries below:

 

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

 

O4 - HKLM\..\Run: [Windows Update SP8] C:\WINDOWS\system32\Windows UpdateSP8.exe

 

O4 - HKLM\..\Run: [Windows Defender] VSFPNC

 

O4 - HKLM\..\RunOnce: [Windows Update SP8] C:\WINDOWS\system32\UW08.exe

 

O4 - Global Startup: msnmsgr_.exe

 

O4 - Global Startup: Windows UpdateSP8.exe

 

<@> Click Fix checked --> Yes! --> Restart!

<><><><><><><><><><><>

<@> Download: < OTMoveIt3 > ( ...by OldTimer Tools )

<@> Save it to the desktop and run it from there!

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

:Processes

explorer.exe

:Files

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Windows UpdateSP8.exe

c:\documents and settings\%UserProfile%\Menu Iniciar\Programas\Inicializar\Windows UpdateSP8.exe

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\msnmsgr_.exe

c:\documents and settings\%UserProfile%\Menu Iniciar\Programas\Inicializar\msnmsgr_.exe

c:\windows\system32\Windows UpdateSP8.exe

c:\windows\system32\wrm01.04.09UP.ini

c:\windows\system32\wrm31.03.09UP.ini

c:\windows\system32\wrm30.03.09UP.ini

c:\windows\system32\msnmsgr_.exe

c:\windows\system32\wgalog.dll

c:\windows\system32\UW08.exe

:Reg

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows UpdateSP8"=-

:Commands

[purity]

[emptytemp]

[start explorer]

[Reboot]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<@> Copy and paste this information, between the XXXXX..., into the tool's ( clipboard ) field.

<@> PS: The area below "Paste Instructions for Items to be Moved".

<@> Click MoveIt.

<@> When prompted to reboot, confirm!

<@> When it finishes, check the text contents of the folder: C:\_OTMoveIt\MovedFiles

<@> Copy and post your most recent report: C:\_OTMoveIt\MovedFiles\xxxx2009_xxxxxx.log <--

<@> PS: Since the tool does not overwrite its reports, look at the one generated right after it ran.

<@> Also post an updated HijackThis log.

Cheers!

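As an added example (not code from the thread, from HijackThis or from OTMoveIt), the Python script below screens the O4 autostart lines of a HijackThis log with heuristics derived from the five entries the helper marked for removal above: a Run value that is a bare token instead of a path, a raw executable dropped straight into a Startup folder, a system32 binary with a space in its name, one value name used under both Run and RunOnce with different targets, and a file name that is a punctuation lookalike of another autostart entry. The rule names and the sample lines are my own constructions; the script only flags entries for human review and removes nothing.

```python
"""Heuristic triage of HijackThis O4 (autostart) entries.
Added example, not from the thread: the rules encode what the helper flagged by eye;
rule wording, thresholds and the sample lines are my assumptions/constructions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

EXE_EXT = re.compile(r"\.(exe|dll|com|bat|cmd|scr|pif)\b", re.IGNORECASE)
O4_REG = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_DIR = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<cmd>.+)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")   # trailing "(User 'SYSTEM')" on HKUS lines

# Constructed sample: O4 lines copied from the first HijackThis log posted in the thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [F-Secure Manager] "C:\Arquivos de programas\F-Secure\Common\FSM32.EXE" /splash',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [REGSHAVE] C:\Arquivos de programas\REGSHAVE\REGSHAVE.EXE /AUTORUN",
    r"O4 - HKLM\..\Run: [Windows Update SP8] C:\WINDOWS\system32\Windows UpdateSP8.exe",
    r"O4 - HKLM\..\Run: [Windows Defender] VSFPNC",
    r"O4 - HKLM\..\RunOnce: [Windows Update SP8] C:\WINDOWS\system32\UW08.exe",
    r"O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r'''O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')''',
    r'''O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')''',
    r"O4 - Global Startup: msnmsgr_.exe",
    r"O4 - Global Startup: Windows UpdateSP8.exe",
]

@dataclass
class Autostart:
    raw: str
    hive: str     # HKLM, HKCU, HKUS\S-1-5-19, ... or "Startup folder"
    key: str      # Run, RunOnce, Global Startup, Startup
    name: str     # value name in [brackets]; empty for startup-folder items
    target: str   # executable path or file name, quotes and arguments stripped
    reasons: List[str] = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.target.rsplit("\\", 1)[-1]

    @property
    def stem(self) -> str:          # file name without extension, lower-cased
        return re.sub(r"\.[^.]+$", "", self.basename).lower()

def first_target(cmd: str) -> str:
    """Executable an O4 command runs: the quoted path, or the text up to the first extension."""
    cmd = USER_SUFFIX.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT.search(cmd)
    return cmd[:m.end()] if m else cmd.split(" ", 1)[0]

def parse_o4(log_lines) -> List[Autostart]:
    entries = []
    for line in log_lines:
        line = line.strip()
        if m := O4_REG.match(line):
            entries.append(Autostart(line, m["hive"], m["key"], m["name"], first_target(m["cmd"])))
        elif m := O4_DIR.match(line):
            entries.append(Autostart(line, "Startup folder", m["key"], "", first_target(m["cmd"])))
    return entries

def triage(entries: List[Autostart]) -> List[Autostart]:
    """Attach a reason to every entry that matches one of the heuristics; return the flagged ones."""
    for e in entries:
        if e.hive != "Startup folder" and "\\" not in e.target and not EXE_EXT.search(e.target):
            e.reasons.append("bare token instead of a program path")
        if e.key in ("Global Startup", "Startup") and EXE_EXT.search(e.basename):
            e.reasons.append("executable dropped directly into a Startup folder (not a shortcut)")
        if "\\system32\\" in e.target.lower() and " " in e.basename:
            e.reasons.append("system32 binary with a space in its file name")
    # One value name under both Run and RunOnce of the same hive, pointing at different files.
    by_name: Dict[tuple, List[Autostart]] = {}
    for e in entries:
        if e.name:
            by_name.setdefault((e.hive.lower(), e.name.lower()), []).append(e)
    for group in by_name.values():
        if {g.key for g in group} == {"Run", "RunOnce"} and len({g.target.lower() for g in group}) > 1:
            for g in group:
                g.reasons.append("same value name in Run and RunOnce with different targets")
    # Lookalike names: identical once punctuation is removed (msnmsgr_.exe vs MsnMsgr.Exe).
    by_norm: Dict[str, set] = {}
    for e in entries:
        by_norm.setdefault(re.sub(r"[^a-z0-9]", "", e.stem), set()).add(e.stem)
    for e in entries:
        siblings = by_norm[re.sub(r"[^a-z0-9]", "", e.stem)]
        if len(siblings) > 1 and re.search(r"[^a-z0-9]", e.stem):
            e.reasons.append("lookalike of another autostart name: " + ", ".join(sorted(siblings)))
    return [e for e in entries if e.reasons]

def triage_log(log_lines) -> Dict[str, List[str]]:
    """Map each suspicious O4 line to the reasons it was flagged."""
    return {e.raw: e.reasons for e in triage(parse_o4(log_lines))}

if __name__ == "__main__":
    for raw, why in triage_log(SAMPLE_LOG).items():
        print(raw, *("   -> " + r for r in why), sep="\n")
```

On the sample above the script flags exactly the five lines the helper listed and none of the legitimate F-Secure, NVIDIA, CTFMON or nlsf entries.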

Good evening! It took me a while because I was careful to follow the instructions exactly. First, I want to mention what happened outside the script:

1- I did not find: "O4 - HKLM\..\RunOnce: [Windows Update SP8] C:\WINDOWS\system32\UW08.exe"

2- I did not find the OTMoveIt folder, so I copied what was shown in the "results" window next to it. Here is what was copied from OTMoveIt:

 

Files moved on Reboot...

File move failed. c:\windows\system32\Windows UpdateSP8.exe scheduled to be moved on reboot.

File move failed. c:\windows\system32\msnmsgr_.exe scheduled to be moved on reboot.

LoadLibrary failed for c:\windows\system32\wgalog.dll

c:\windows\system32\wgalog.dll NOT unregistered.

File move failed. c:\windows\system32\wgalog.dll scheduled to be moved on reboot.

File move failed. C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\Syncplicity.log scheduled to be moved on reboot.

File move failed. C:\WINDOWS\temp\spnserv.dat scheduled to be moved on reboot.

File move failed. C:\WINDOWS\temp\spserv.dat scheduled to be moved on reboot.

 

HijackThis result:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:46:15, on 11/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Arquivos de programas\F-Secure\Anti-Virus\fsgk32st.exe

C:\Arquivos de programas\F-Secure\Common\FSMA32.EXE

C:\Arquivos de programas\F-Secure\Anti-Virus\FSGK32.EXE

C:\Arquivos de programas\F-Secure\Common\FSMB32.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\uglmd.exe

C:\Arquivos de programas\F-Secure\Common\FCH32.EXE

C:\Arquivos de programas\F-Secure\Anti-Virus\fssm32.exe

C:\Arquivos de programas\F-Secure\Anti-Virus\fsqh.exe

C:\Arquivos de programas\F-Secure\Common\FNRB32.EXE

C:\Arquivos de programas\F-Secure\Common\FAMEH32.EXE

C:\Arquivos de programas\F-Secure\FSAUA\program\fsaua.exe

C:\Arquivos de programas\F-Secure\Common\FIH32.EXE

C:\Arquivos de programas\F-Secure\FWES\Program\fsdfwd.exe

C:\Arquivos de programas\F-Secure\Anti-Virus\fsav32.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\F-Secure\Common\FSM32.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe

C:\Arquivos de programas\Syncplicity\Syncplicity.exe

C:\Arquivos de programas\F-Secure\FSGUI\fsguidll.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\hijackthis\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Arquivos de programas\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Arquivos de programas\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Arquivos de programas\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [REGSHAVE] C:\Arquivos de programas\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [syncplicity] C:\Arquivos de programas\Syncplicity\Syncplicity.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\ARQUIV~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: Broker de solicitação de rede F-Secure (F-Secure Network Request Broker) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\Common\FNRB32.EXE

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: Agente de Gerenciamento do F-Secure (FSMA) - F-Secure Corporation - C:\Arquivos de programas\F-Secure\Common\FSMA32.EXE

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Arquivos de programas\Arquivos comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

 

--

End of file - 8999 bytes

 

 

Awaiting your reply, and thanks for now!!!


Good evening, ebiancalana!

 

<@> Open OTMoveIt3 --> Click < 8gehxg0.gif > --> Wait! --> Yes!

<><><><><><><><><><><>

<@> Download: < DDS > ( ...by sUBs )

<@> Save it to the desktop!

<@> Disable your protection programs: antivirus, antimalware, antispyware or firewall.

<@> While disconnected, run the tool! --> Double-click dds.scr.

<@> Wait for the scan to finish, until we get the report. ( DDS.txt ) <--

<@> A new window will also appear: "D.D.S - Optional_Scan" --> Click Yes.

<@> Notepad will open with another report. ( Attach.txt ) <--

<@> PS: If the report is unreadable, rename the executable to DDS.exe and repeat the scan.

<@> Finally, another window will open! --> Click OK.

<@> Save the reports: DDS.txt + Attach.txt <-- Post them!

Cheers!


Good evening! I did it and everything went fine, see:

-DDS.TXT:

 

DDS (Ver_09-03-16.01) - NTFSx86

Run by Administrador at 23:17:18,39 on s b 11/04/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2046.1625 [GMT -3:00]

 

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe

C:\Arquivos de programas\Syncplicity\Syncplicity.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\uglmd.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Administrador\Desktop\dds.exe

 

============== Pseudo HJT Report ===============

 

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com.br/

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.compartilhando.org/

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Barra de Ferramentas do Yahoo! com bloqueador de pop-up: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\arquivos de programas\yahoo!\companion\installs\cpn\yt.dll

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\arquivos de programas\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\arquivos de programas\windows desktop search\dsWebAllow.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\arquiv~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540003} - c:\arquivos de programas\gbplugin\gbiehcef.dll

BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540007} - c:\arquiv~1\gbplugin\gbiehabn.dll

TB: Barra de Ferramentas do Yahoo! com bloqueador de pop-up: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\arquivos de programas\yahoo!\companion\installs\cpn\yt.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [syncplicity] c:\arquivos de programas\syncplicity\Syncplicity.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [REGSHAVE] c:\arquivos de programas\regshave\REGSHAVE.EXE /AUTORUN

mRun: [VMonitorVMUVC] "c:\arquivos de programas\vimicro corporation\vmuvc\VMonitor.exe" VMUVC

mRun: [QuickTime Task] "c:\arquivos de programas\k-lite codec pack\quicktime\qttask.exe" -atboottime

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [MsnMsgr] "c:\arquivos de programas\msn messenger\MsnMsgr.Exe" /background

dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

dRunOnce: [3DxAssociateFileExts] c:\arquivos de programas\3dconnexion\3dconnexion 3dxsoftware\3dxviewer\register.exe "FileExts"

mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~1\office11\EXCEL.EXE/3000

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\arquiv~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL

Notify: GbPluginAbn - c:\arquiv~1\gbplugin\gbiehabn.dll

Notify: GbPluginCef - c:\arquivos de programas\gbplugin\gbiehcef.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\arquivos de programas\windows desktop search\MSNLNamespaceMgr.dll

SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399007} - c:\arquiv~1\gbplugin\gbiehabn.dll

SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399003} - c:\arquivos de programas\gbplugin\gbiehcef.dll

 

============= SERVICES / DRIVERS ===============

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-1-24 31296]

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2008-5-10 17264]

R1 dk2drv;DK2 WindowsNT Driver;c:\windows\system32\drivers\dk2drv.sys [2008-1-27 49720]

R2 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);c:\arquivos de programas\ugs\license servers\ugnxflexlm\lmgrd.exe [2005-10-27 962560]

R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2009-2-3 250752]

R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2009-2-3 398720]

S0 mjaqg;mjaqg;c:\windows\system32\drivers\nbjekmx.sys --> c:\windows\system32\drivers\nbjekmx.sys [?]

S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\arquiv~1\ansysi~1\shared~1\licens~1\intel\lmgrd.exe [2007-7-5 909312]

S2 GbpSv;Gbp Service;c:\arquiv~1\gbplugin\gbpsv.exe --> c:\arquiv~1\gbplugin\GbpSv.exe [?]

 

=============== Created Last 30 ================

 

2009-04-11 17:30 368,128 a------- c:\windows\BOOTL6661.BAK

2009-04-11 16:21 <DIR> --d----- C:\hijackthis

2009-04-11 08:24 188,928 a------- c:\windows\system32\msnmsgr_.exe

2009-04-11 08:24 49 a------- c:\windows\system32\wrm11.04.09UP.ini

2009-04-10 07:18 49 a------- c:\windows\system32\wrm10.04.09UP.ini

2009-04-09 06:40 49 a------- c:\windows\system32\wrm09.04.09UP.ini

2009-04-08 05:37 49 a------- c:\windows\system32\wrm08.04.09UP.ini

2009-04-06 04:59 49 a------- c:\windows\system32\wrm06.04.09UP.ini

2009-04-05 11:15 49 a------- c:\windows\system32\wrm05.04.09UP.ini

2009-04-04 06:14 49 a------- c:\windows\system32\wrm04.04.09UP.ini

2009-04-03 05:09 49 a------- c:\windows\system32\wrm03.04.09UP.ini

2009-04-02 19:20 49 a------- c:\windows\system32\wrm02.04.09UP.ini

2009-04-02 06:15 2,791,424 a------- c:\windows\system32\wgalog.dll

2009-03-31 06:59 368,128 a------- c:\windows\system32\Windows UpdateSP8.exe

 

==================== Find3M ====================

 

2009-04-11 23:08 457,198 a------- c:\windows\system32\perfh016.dat

2009-04-11 23:08 74,042 a------- c:\windows\system32\perfc016.dat

2009-04-06 23:08 204,840 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1046.dat

2009-02-09 10:55 1,847,552 a------- c:\windows\system32\win32k.sys

2009-02-09 10:55 1,847,552 -------- c:\windows\system32\dllcache\win32k.sys

2007-12-11 19:55 32 a------- c:\docume~1\alluse~1\dadosd~1\ezsid.dat

 

============= FINISH: 23:17:42,76 ===============

 

ATTACH.TXT:

 

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_09-03-16.01)

 

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 26/6/2007 17:54:58

System Uptime: 4/11/2009 23:12:31 (-4968 hours ago)

 

Motherboard: Intel Corporation | | D945GTP

Processor: Intel® Pentium® D CPU 2.80GHz | J3E1 | 2799/200mhz

Processor: Intel® Pentium® D CPU 2.80GHz | J3E1 | 2799/200mhz

 

==== Disk Partitions =========================

 

C: is FIXED (NTFS) - 32 GiB total, 7,762 GiB free.

D: is FIXED (NTFS) - 117 GiB total, 4,074 GiB free.

E: is CDROM ()

F: is FIXED (NTFS) - 98 GiB total, 97,568 GiB free.

G: is FIXED (NTFS) - 135 GiB total, 108,406 GiB free.

 

==== Disabled Device Manager Items =============

 

==== System Restore Points ===================

 

RP392: 15/2/2009 08:38:23 - Ponto de verificação do sistema

RP393: 16/2/2009 12:37:33 - Ponto de verificação do sistema

RP394: 17/2/2009 14:18:34 - Ponto de verificação do sistema

RP395: 18/2/2009 15:00:46 - Ponto de verificação do sistema

RP396: 19/2/2009 15:21:49 - Ponto de verificação do sistema

RP397: 20/2/2009 20:00:16 - Ponto de verificação do sistema

RP398: 21/2/2009 22:22:55 - Ponto de verificação do sistema

RP399: 23/2/2009 12:11:13 - Ponto de verificação do sistema

RP400: 24/2/2009 12:19:05 - Ponto de verificação do sistema

RP401: 25/2/2009 03:00:18 - Software Distribution Service 3.0

RP402: 26/2/2009 12:18:49 - Ponto de verificação do sistema

RP403: 28/2/2009 11:49:34 - Ponto de verificação do sistema

RP404: 2/3/2009 13:37:49 - Ponto de verificação do sistema

RP405: 2/3/2009 19:21:12 - Installed MoldWorks 2008

RP406: 5/3/2009 04:01:57 - Ponto de verificação do sistema

RP407: 6/3/2009 09:25:02 - Ponto de verificação do sistema

RP408: 7/3/2009 17:20:16 - Installed Syncplicity

RP409: 8/3/2009 17:37:06 - Ponto de verificação do sistema

RP410: 9/3/2009 18:31:56 - Ponto de verificação do sistema

RP411: 10/3/2009 19:30:42 - Ponto de verificação do sistema

RP412: 11/3/2009 03:00:19 - Software Distribution Service 3.0

RP413: 12/3/2009 17:04:08 - Ponto de verificação do sistema

RP414: 14/3/2009 11:45:41 - Ponto de verificação do sistema

RP415: 15/3/2009 11:50:20 - Ponto de verificação do sistema

RP416: 16/3/2009 13:04:19 - Ponto de verificação do sistema

RP417: 17/3/2009 14:00:28 - Ponto de verificação do sistema

RP418: 18/3/2009 14:21:09 - Ponto de verificação do sistema

RP419: 19/3/2009 18:14:34 - Ponto de verificação do sistema

RP420: 22/3/2009 11:44:03 - Ponto de verificação do sistema

RP421: 23/3/2009 12:30:36 - Ponto de verificação do sistema

RP422: 24/3/2009 21:42:28 - Ponto de verificação do sistema

RP423: 26/3/2009 17:34:57 - Ponto de verificação do sistema

RP424: 28/3/2009 12:07:28 - Ponto de verificação do sistema

RP425: 29/3/2009 12:31:46 - Ponto de verificação do sistema

RP426: 31/3/2009 00:37:26 - Ponto de verificação do sistema

RP427: 1/4/2009 00:44:20 - Ponto de verificação do sistema

RP428: 4/4/2009 15:51:06 - Removido Google Earth.

RP429: 6/4/2009 18:46:41 - Ponto de verificação do sistema

RP430: 6/4/2009 23:06:13 - Removed MoldWorks 2008

RP431: 10/4/2009 19:42:30 - Ponto de verificação do sistema

RP432: 11/4/2009 20:41:36 - Ponto de verificação do sistema

RP433: 11/4/2009 23:07:57 - Removed F-Secure Client Security

 

==== Installed Programs ======================

 

3Dconnexion 3DxSoftware (Personal Edition)

3Dconnexion 3DxWare

3Dconnexion Add-In for AutoCAD 2007

3Dconnexion Add-In for Inventor

3Dconnexion Add-In for Solid Edge

3Dconnexion Add-In for SolidWorks

3Dconnexion Add-On for XSI

3Dconnexion Extension for SketchUp

3Dconnexion Picture Viewer

3Dconnexion Plug-In for 3ds max 6 - 8

3Dconnexion Plug-In for 3ds Max 9

3Dconnexion Plug-in for Acrobat 3D

3Dconnexion Plug-In for Maya 6

3Dconnexion Plug-In for Maya 6.5

3Dconnexion Plug-In for Maya 7

3Dconnexion Plug-In for Maya 8

3Dconnexion Plug-In for Maya 8.5

3Dconnexion Plug-In for NX

3Dconnexion Plug-In for Pro/ENGINEER

Adobe Flash Player 10 Plugin

Adobe Flash Player ActiveX

Adobe Reader 7.0 - Português

Adobe Reader Korean Fonts

Adobe Reader Multimedia Package

Adobe® Photoshop® Album Starter Edition 3.2

AiO_Scan_CDA

AiOSoftwareNPI

Apple Software Update

Arquivo do WinRAR

Atualização Crítica para o Windows Media Player 11 (KB959772)

Atualização de Segurança para o Windows Media Player (KB952069)

Atualização de Segurança para o Windows Media Player 11 (KB936782)

Atualização de Segurança para o Windows Media Player 11 (KB954154)

Atualização de Segurança para Windows XP (KB923191)

Atualização de Segurança para Windows XP (KB924191)

Atualização de Segurança para Windows XP (KB924496)

Atualização de Segurança para Windows XP (KB938464)

Atualização de Segurança para Windows XP (KB941569)

Atualização de Segurança para Windows XP (KB944338-v2)

Atualização de Segurança para Windows XP (KB950749)

Atualização de Segurança para Windows XP (KB950762)

Atualização de Segurança para Windows XP (KB950974)

Atualização de Segurança para Windows XP (KB951066)

Atualização de Segurança para Windows XP (KB951376-v2)

Atualização de Segurança para Windows XP (KB951698)

Atualização de Segurança para Windows XP (KB951748)

Atualização de Segurança para Windows XP (KB952954)

Atualização de Segurança para Windows XP (KB953838)

Atualização de Segurança para Windows XP (KB953839)

Atualização de Segurança para Windows XP (KB954211)

Atualização de Segurança para Windows XP (KB954600)

Atualização de Segurança para Windows XP (KB955069)

Atualização de Segurança para Windows XP (KB956390)

Atualização de Segurança para Windows XP (KB956391)

Atualização de Segurança para Windows XP (KB956802)

Atualização de Segurança para Windows XP (KB956803)

Atualização de Segurança para Windows XP (KB956841)

Atualização de Segurança para Windows XP (KB957095)

Atualização de Segurança para Windows XP (KB957097)

Atualização de Segurança para Windows XP (KB958215)

Atualização de Segurança para Windows XP (KB958644)

Atualização de Segurança para Windows XP (KB958687)

Atualização de Segurança para Windows XP (KB958690)

Atualização de Segurança para Windows XP (KB960225)

Atualização de Segurança para Windows XP (KB960714)

Atualização de Segurança para Windows XP (KB960715)

Atualização para Windows XP (KB925720)

Atualização para Windows XP (KB951072-v2)

Atualização para Windows XP (KB955839)

Atualização para Windows XP (KB967715)

AutoCAD 2007 - English

Autodesk DWF Viewer

Autodesk Express Viewer

Barra de Ferramentas do Yahoo! com bloqueador de pop-up

BufferChm

CCleaner (remove only)

Cimatron E 7.0

Cimatron it

Cobian Backup 8

COSMOSMotion 2007 SP0

COSMOSWorks 2007 SP0

CustomerResearchQFolder

Delcam Exchange530105 (remove only)

Delcam PowerSHAPE6060

Delcam PowerSHAPE7350

Delcam PS-Exchange440504 (remove only)

Delcam PSLang6060

Delcam PSMoldmaker6060

Delcam Toolmaker7350

Destinations

DeviceManagementQFolder

DK2 DESkey Drivers v7.14.0.25

DWGeditor

eDrawings 2007

eMule

EncryptOnClick

eSupportQFolder

F300

F300_Help

Fax_CDA

FUJIFILM USB Driver

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows XP (KB926239)

Hotfix para o Windows Media Player 11 (KB939683)

Hotfix para Windows XP (KB952287)

HP Customer Participation Program 7.0

HP Imaging Device Functions 7.0

HP Photosmart Essential

HP Photosmart, Officejet and Deskjet 7.0.A

HP Software Update

HP Solution Center 7.0

HPPhotoSmartExpress

HPProductAssistant

Ind Photobook Desktop

InstantShareDevicesMFC

Intel Audio Studio 2.0

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

iTunes

J2SE Runtime Environment 5.0 Update 5

Java 6 Update 7

Java SE Runtime Environment 6 Update 1

K-Lite Mega Codec Pack 1.38

LimeWire 4.16.6

Macromedia Flash Player 8

MarketResearch

Mechanical Desktop 2004

Microsoft .NET Framework 2.0

Microsoft .NET Framework 3.0

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft IntelliPoint 5.2

Microsoft IntelliType Pro 5.2

Microsoft Office Professional Edição 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox (3.0.8)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 Parser and SDK

MSXML 6 Service Pack 2 (KB954459)

My Lockbox 1.2 for Windows 2000/XP

Nero Suite

NewCopy_CDA

NVIDIA Drivers

Palpites para a Mega Sena 1.0

PCLinkLE

Pdf995

Pro/ENGINEER Release Wildfire 2.0 Datecode M010

ProductContextNPI

QuickTime

Readme

SafeCast Shared Components

Samsung USB Driver (MCCI 4.24)

Scan

ScannerCopy

SigmaTel Audio

Skype™ 3.8

Solid Edge V19

SolidWorks 2007 SP0

SolidWorks Explorer 2007 sp0

SolidWorks Installation Manager

SolutionCenter

Spybot - Search & Destroy

Spybot - Search & Destroy 1.5.2.20

Status

Syncplicity

Toolbox

TrayApp

UGS NX 4.0

UGS NX 4.0 Documentation

UGS NX 4.0 FLEXlm

UGS NX 4.0 Translators

Vimicro USB2.0 UVC PC Camera

VISI : VISI 15.0

WebFldrs XP

WebReg

Windows Communication Foundation

Windows Desktop Search

Windows Desktop Search Multilingual User Interface Pack

Windows Imaging Component

Windows Live Messenger

Windows Media Format 11 runtime

Windows Media Player 11

Windows Presentation Foundation

Windows Workflow Foundation

WinZip

XML Paper Specification Shared Components Pack 1.0

Yahoo! Toolbar

 

==== End Of File ===========================

 

Thanks for now!! Awaiting your reply!!

 

Cheers


Good evening! ebiancalana

 

<@> Download: < desktopicon.png > ( ...by sUBs )

<@> Save it to the desktop!

<@> Disable the resident protection of: antivirus, antispyware and firewall. ( Except the Windows one! )

<@> Close all windows and run the tool!

<@> At the prompt: "Software warranty disclaimer" --> Click Yes!

<@> If you do not have the "Recovery Console", accept the option to install it!

 

<!> If you get the notification: Invalid Win32 application, delete the tool and download it again.

<!> Save it to the desktop, renamed as: Kombo.exe

<!> Ps: Name it while saving, not after saving it!

<!> Ps: If any error message appears, run ComboFix.exe in Safe Mode. <-- Link!

<!> Ps: To complete the removals, the tool may need to restart the computer. <-- Wait!

<!> Ps: Avoid running this tool on your own initiative!

<!> Ps: To avoid problems, follow all the recommendations given.

<!> Ps: ComboFix is a tool that can damage the system. Use it only under professional supervision.

<@> The Auto Scan window will open. --> Wait!

<@> In order to complete the removals, ComboFix may restart the computer.

<@> If needed, type the option to continue! --> ( 1 ) --> Press Enter! --> Wait for it to finish!

<@> During the scan, avoid touching the mouse or keyboard! <-- Important!

<@> To stop or exit ComboFix, press "N" or "2" --> Press Enter!

<><><><><><><><><><><><>

<@> When finished, post the reports: C:\ComboFix\ComboFix.txt + an updated HijackThis log.

 

Regards!


Good morning! Procedure carried out as instructed; here it is:

 

COMBOFIX:

 

ComboFix 09-04-04.01 - Administrador 2009-04-12 7:59:23.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.2046.1598 [GMT -3:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_GBPSV

-------\Service_GbpSv

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-03-12 to 2009-04-12 ))))))))))))))))))))))))))))

.

 

2009-04-12 08:01 . 2009-04-12 08:01 <DIR> d-------- c:\windows\system32\xircom

2009-04-12 08:01 . 2009-04-12 08:01 <DIR> d-------- c:\windows\system32\oobe

2009-04-12 08:01 . 2009-04-12 08:01 <DIR> d-------- c:\arquivos de programas\microsoft frontpage

2009-04-11 17:30 . 2009-03-31 06:58 368,128 --a------ c:\windows\BOOTL6661.BAK

2009-04-11 16:21 . 2009-04-11 18:44 <DIR> d-------- C:\hijackthis

2009-04-11 08:24 . 2009-04-11 08:24 188,928 --a------ c:\windows\system32\msnmsgr_.exe

2009-04-11 08:24 . 2009-04-11 08:24 49 --a------ c:\windows\system32\wrm11.04.09UP.ini

2009-04-10 07:18 . 2009-04-10 07:18 49 --a------ c:\windows\system32\wrm10.04.09UP.ini

2009-04-09 06:40 . 2009-04-09 06:40 49 --a------ c:\windows\system32\wrm09.04.09UP.ini

2009-04-08 05:37 . 2009-04-08 05:37 49 --a------ c:\windows\system32\wrm08.04.09UP.ini

2009-04-06 04:59 . 2009-04-06 04:59 49 --a------ c:\windows\system32\wrm06.04.09UP.ini

2009-04-05 11:15 . 2009-04-05 11:15 49 --a------ c:\windows\system32\wrm05.04.09UP.ini

2009-04-04 06:14 . 2009-04-04 06:14 49 --a------ c:\windows\system32\wrm04.04.09UP.ini

2009-04-03 05:09 . 2009-04-03 05:09 49 --a------ c:\windows\system32\wrm03.04.09UP.ini

2009-04-02 19:20 . 2009-04-02 19:20 49 --a------ c:\windows\system32\wrm02.04.09UP.ini

2009-04-02 06:15 . 2009-04-02 06:15 2,791,424 --a------ c:\windows\system32\wgalog.dll

2009-03-31 06:59 . 2009-03-31 06:58 368,128 --a------ c:\windows\system32\Windows UpdateSP8.exe

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-12 02:12 --------- d-----w c:\arquivos de programas\F-Secure

2009-04-12 02:08 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\F-Secure

2009-04-11 22:21 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\pshape7

2009-04-10 22:25 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Skype

2009-04-10 22:24 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\skypePM

2009-04-06 08:35 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Image Zone Express

2009-04-04 18:52 --------- d-----w c:\arquivos de programas\Google

2009-04-02 09:13 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\F-Secure

2009-04-01 02:42 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-03-30 07:10 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\pdf995

2009-03-15 00:02 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\SolidWorks

2009-03-07 20:20 --------- d-----w c:\arquivos de programas\Syncplicity

2007-12-11 22:55 32 ----a-w c:\documents and settings\All Users\Dados de aplicativos\ezsid.dat

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Folder)]

@="{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}"

[HKEY_CLASSES_ROOT\CLSID\{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}]

2009-02-14 14:05 38400 --a------ c:\arquivos de programas\Syncplicity\SyncplicityShellExt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Fully Synced)]

@="{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}"

[HKEY_CLASSES_ROOT\CLSID\{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}]

2009-02-14 14:05 38400 --a------ c:\arquivos de programas\Syncplicity\SyncplicityShellExt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Not Latest Version)]

@="{284C090F-EB1D-4A6E-872E-6DB72E417E24}"

[HKEY_CLASSES_ROOT\CLSID\{284C090F-EB1D-4A6E-872E-6DB72E417E24}]

2009-02-14 14:05 38400 --a------ c:\arquivos de programas\Syncplicity\SyncplicityShellExt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Shared Folder)]

@="{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}"

[HKEY_CLASSES_ROOT\CLSID\{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}]

2009-02-14 14:05 38400 --a------ c:\arquivos de programas\Syncplicity\SyncplicityShellExt.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Syncplicity"="c:\arquivos de programas\Syncplicity\Syncplicity.exe" [2009-03-06 612864]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]

"REGSHAVE"="c:\arquivos de programas\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"VMonitorVMUVC"="c:\arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-03-26 135168]

"QuickTime Task"="c:\arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-04-27 282624]

"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

"msacm.avis"= ff_acm.acm

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ masterx autocheck autochk *

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Start 3DxWare.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Start 3DxWare.lnk

backup=c:\windows\pss\Start 3DxWare.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Windows Desktop Search.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Windows Desktop Search.lnk

backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

--a------ 2007-03-09 11:09 63712 c:\arquivos de programas\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 8]

--a------ 2007-09-27 12:37 501248 c:\arquivos de programas\Cobian Backup 8\Cobian.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:45 15360 c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flockbox]

--a------ 2007-12-14 16:59 1071472 c:\arquivos de programas\My Lockbox\flockbox.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 01:41 49152 c:\arquivos de programas\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

-ra------ 2005-07-19 15:06 77824 c:\windows\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

-ra------ 2005-07-19 15:10 114688 c:\windows\system32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

-ra------ 2005-07-19 15:09 94208 c:\windows\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]

--a------ 2005-08-09 17:35 8597586 c:\arquivos de programas\Intel Audio Studio\IntelAudioStudio.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

--a------ 2004-06-03 05:50 204800 c:\arquivos de programas\Microsoft IntelliPoint\point32.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2007-05-26 12:45 257088 c:\arquivos de programas\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-04-27 09:41 282624 c:\arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 144784 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]

--a------ 2004-06-03 05:51 172032 c:\arquivos de programas\Microsoft IntelliType Pro\type32.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-06-28 13:43 1626112 c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"=

"c:\\Arquivos de programas\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"=

"c:\\Arquivos de programas\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"=

"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"c:\\Arquivos de programas\\UGS\\NX 4.0\\UGII\\ugraf.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-01-24 31296]

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2008-05-10 17264]

R1 dk2drv;DK2 WindowsNT Driver;c:\windows\system32\drivers\dk2drv.sys [2008-01-27 49720]

R2 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);c:\arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe [2005-10-27 962560]

R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2009-02-03 250752]

R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2009-02-03 398720]

S0 mjaqg;mjaqg;c:\windows\system32\drivers\nbjekmx.sys --> c:\windows\system32\drivers\nbjekmx.sys [?]

S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\arquiv~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2007-07-05 909312]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKU-Default-RunOnce-3DxAssociateFileExts - c:\arquivos de programas\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe

ShellExecuteHooks-{E37CB5F0-51F5-4395-A808-5FA49E399007} - c:\arquiv~1\GbPlugin\gbiehabn.dll

ShellExecuteHooks-{E37CB5F0-51F5-4395-A808-5FA49E399003} - c:\arquivos de programas\GbPlugin\gbiehcef.dll

MSConfigStartUp-AVG8_TRAY - c:\arquiv~1\AVG\AVG8\avgtray.exe

MSConfigStartUp-Photozig Albums Media Detector - c:\arquivos de programas\Photozig Albums\pzAlbumsDetect.exe

MSConfigStartUp-SigmatelSysTrayApp - sttray.exe

 

 

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

.

 

**************************************************************************

 

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-12 08:02:16

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

@DACL=(02 0000)

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginAbn]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"="c:\\ARQUIV~1\\GbPlugin\\gbiehabn.dll"

"Impersonate"=dword:00000000

"MaxWait"=dword:00000102

"Startup"="GbPluginEventStartup"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

@DACL=(02 0000)

@=""

"DLLName"="igfxdev.dll"

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000001

"Unlock"="WinlogonUnlockEvent"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\windows\system32\drivers\CDAC11BA.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

c:\arquivos de programas\UGS\License Servers\UGNXFLEXlm\uglmd.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-04-12 8:05:56 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-04-12 11:05:53

 

Pré-execução: 8.197.050.368 bytes disponíveis

Pós execução: 8,309,051,392 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

240 --- E O F --- 2009-03-11 06:00:53

 

 

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XX

 

HIJACKTHIS:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:11:47, on 12/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\uglmd.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe

C:\Arquivos de programas\Syncplicity\Syncplicity.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\hijackthis\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Arquivos de programas\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [REGSHAVE] C:\Arquivos de programas\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKCU\..\Run: [syncplicity] C:\Arquivos de programas\Syncplicity\Syncplicity.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\ARQUIV~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Arquivos de programas\Arquivos comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

 

--

End of file - 6620 bytes

 

Thanks for the help... awaiting instructions.

 

Cheers!!


Good morning! ebiancalana

 

<@> Select and copy all the content inside the QUOTE area to Notepad.

<@> Save it on the Desktop with the name: CFScript.txt

 

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UacDisableNotify"=dword:00000000

File::

c:\windows\system32\Windows UpdateSP8.exe

c:\windows\system32\wrm11.04.09UP.ini

c:\windows\system32\wrm10.04.09UP.ini

c:\windows\system32\wrm09.04.09UP.ini

c:\windows\system32\wrm08.04.09UP.ini

c:\windows\system32\wrm06.04.09UP.ini

c:\windows\system32\wrm05.04.09UP.ini

c:\windows\system32\wrm04.04.09UP.ini

c:\windows\system32\wrm03.04.09UP.ini

c:\windows\system32\wrm02.04.09UP.ini

c:\windows\system32\msnmsgr_.exe

c:\windows\system32\wgalog.dll

c:\windows\BOOTL6661.BAK

Rootkit::

c:\windows\system32\drivers\nbjekmx.sys

DDS::

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

Folder::

c:\arquiv~1\AVG\AVG8

c:\arquiv~1\AVG

Driver::

"mjaqg"

<@> PS: Do not use this script on another machine!

<@> Drag CFScript.txt onto the ComboFix icon.

<@> See the demonstration!

 


 

<@> Accept the prompt that should appear to run ComboFix.

<@> PS: Keep dragging until that prompt (window) appears!

<@> When finished, post the reports: C:\ComboFix.txt + an updated HijackThis log.

 

Regards!


Good morning! Done... logs follow...

 

Thanks for now!!! Awaiting instructions:

 

COMBOFIX:

 

ComboFix 09-04-04.01 - Administrador 2009-04-12 10:05:39.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.2046.1643 [GMT -3:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt

* Criado um novo ponto de restauro

 

FILE ::

c:\windows\BOOTL6661.BAK

c:\windows\system32\msnmsgr_.exe

c:\windows\system32\wgalog.dll

c:\windows\system32\Windows UpdateSP8.exe

c:\windows\system32\wrm02.04.09UP.ini

c:\windows\system32\wrm03.04.09UP.ini

c:\windows\system32\wrm04.04.09UP.ini

c:\windows\system32\wrm05.04.09UP.ini

c:\windows\system32\wrm06.04.09UP.ini

c:\windows\system32\wrm08.04.09UP.ini

c:\windows\system32\wrm09.04.09UP.ini

c:\windows\system32\wrm10.04.09UP.ini

c:\windows\system32\wrm11.04.09UP.ini

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\BOOTL6661.BAK

c:\windows\system32\msnmsgr_.exe

c:\windows\system32\wgalog.dll

c:\windows\system32\Windows UpdateSP8.exe

c:\windows\system32\wrm02.04.09UP.ini

c:\windows\system32\wrm03.04.09UP.ini

c:\windows\system32\wrm04.04.09UP.ini

c:\windows\system32\wrm05.04.09UP.ini

c:\windows\system32\wrm06.04.09UP.ini

c:\windows\system32\wrm08.04.09UP.ini

c:\windows\system32\wrm09.04.09UP.ini

c:\windows\system32\wrm10.04.09UP.ini

c:\windows\system32\wrm11.04.09UP.ini

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_mjaqg

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-03-12 to 2009-04-12 ))))))))))))))))))))))))))))

.

 

2009-04-12 08:01 . 2009-04-12 08:01 <DIR> d-------- c:\windows\system32\xircom

2009-04-12 08:01 . 2009-04-12 08:01 <DIR> d-------- c:\windows\system32\oobe

2009-04-12 08:01 . 2009-04-12 08:01 <DIR> d-------- c:\arquivos de programas\microsoft frontpage

2009-04-11 16:21 . 2009-04-12 08:11 <DIR> d-------- C:\hijackthis

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-12 02:12 --------- d-----w c:\arquivos de programas\F-Secure

2009-04-12 02:08 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\F-Secure

2009-04-11 22:21 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\pshape7

2009-04-10 22:25 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Skype

2009-04-10 22:24 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\skypePM

2009-04-06 08:35 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Image Zone Express

2009-04-04 18:52 --------- d-----w c:\arquivos de programas\Google

2009-04-02 09:13 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\F-Secure

2009-04-01 02:42 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-03-30 07:10 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\pdf995

2009-03-15 00:02 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\SolidWorks

2009-03-07 20:20 --------- d-----w c:\arquivos de programas\Syncplicity

2007-12-11 22:55 32 ----a-w c:\documents and settings\All Users\Dados de aplicativos\ezsid.dat

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Folder)]

@="{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}"

[HKEY_CLASSES_ROOT\CLSID\{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}]

2009-02-14 14:05 38400 --a------ c:\arquivos de programas\Syncplicity\SyncplicityShellExt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Fully Synced)]

@="{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}"

[HKEY_CLASSES_ROOT\CLSID\{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}]

2009-02-14 14:05 38400 --a------ c:\arquivos de programas\Syncplicity\SyncplicityShellExt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Not Latest Version)]

@="{284C090F-EB1D-4A6E-872E-6DB72E417E24}"

[HKEY_CLASSES_ROOT\CLSID\{284C090F-EB1D-4A6E-872E-6DB72E417E24}]

2009-02-14 14:05 38400 --a------ c:\arquivos de programas\Syncplicity\SyncplicityShellExt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Shared Folder)]

@="{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}"

[HKEY_CLASSES_ROOT\CLSID\{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}]

2009-02-14 14:05 38400 --a------ c:\arquivos de programas\Syncplicity\SyncplicityShellExt.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Syncplicity"="c:\arquivos de programas\Syncplicity\Syncplicity.exe" [2009-03-06 612864]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]

"REGSHAVE"="c:\arquivos de programas\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"VMonitorVMUVC"="c:\arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-03-26 135168]

"QuickTime Task"="c:\arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-04-27 282624]

"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

"msacm.avis"= ff_acm.acm

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ masterx autocheck autochk *

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Start 3DxWare.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Start 3DxWare.lnk

backup=c:\windows\pss\Start 3DxWare.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Windows Desktop Search.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Windows Desktop Search.lnk

backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

--a------ 2007-03-09 11:09 63712 c:\arquivos de programas\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 8]

--a------ 2007-09-27 12:37 501248 c:\arquivos de programas\Cobian Backup 8\Cobian.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:45 15360 c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flockbox]

--a------ 2007-12-14 16:59 1071472 c:\arquivos de programas\My Lockbox\flockbox.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 01:41 49152 c:\arquivos de programas\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

-ra------ 2005-07-19 15:06 77824 c:\windows\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

-ra------ 2005-07-19 15:10 114688 c:\windows\system32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

-ra------ 2005-07-19 15:09 94208 c:\windows\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]

--a------ 2005-08-09 17:35 8597586 c:\arquivos de programas\Intel Audio Studio\IntelAudioStudio.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

--a------ 2004-06-03 05:50 204800 c:\arquivos de programas\Microsoft IntelliPoint\point32.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2007-05-26 12:45 257088 c:\arquivos de programas\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-04-27 09:41 282624 c:\arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 144784 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]

--a------ 2004-06-03 05:51 172032 c:\arquivos de programas\Microsoft IntelliType Pro\type32.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-06-28 13:43 1626112 c:\windows\system32\nwiz.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"=

"c:\\Arquivos de programas\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"=

"c:\\Arquivos de programas\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"=

"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"c:\\Arquivos de programas\\UGS\\NX 4.0\\UGII\\ugraf.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-01-24 31296]

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2008-05-10 17264]

R1 dk2drv;DK2 WindowsNT Driver;c:\windows\system32\drivers\dk2drv.sys [2008-01-27 49720]

R2 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);c:\arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe [2005-10-27 962560]

R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2009-02-03 250752]

R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2009-02-03 398720]

S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\arquiv~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2007-07-05 909312]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

.

 

**************************************************************************

 

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-12 10:09:51

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

@DACL=(02 0000)

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginAbn]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"="c:\\ARQUIV~1\\GbPlugin\\gbiehabn.dll"

"Impersonate"=dword:00000000

"MaxWait"=dword:00000102

"Startup"="GbPluginEventStartup"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

@DACL=(02 0000)

@=""

"DLLName"="igfxdev.dll"

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000001

"Unlock"="WinlogonUnlockEvent"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\windows\system32\drivers\CDAC11BA.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

c:\arquivos de programas\UGS\License Servers\UGNXFLEXlm\uglmd.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-04-12 10:13:39 - Máquina reiniciou [Administrador]

ComboFix-quarantined-files.txt 2009-04-12 13:13:37

ComboFix2.txt 2009-04-12 11:05:56

 

Pré-execução: 8.312.193.024 bytes disponíveis

Pós execução: 8,299,343,872 bytes disponíveis

 

236 --- E O F --- 2009-03-11 06:00:53

 

 

HIJACKTHIS

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:14:17, on 12/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\uglmd.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe

C:\Arquivos de programas\Syncplicity\Syncplicity.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\hijackthis\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Arquivos de programas\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [REGSHAVE] C:\Arquivos de programas\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKCU\..\Run: [syncplicity] C:\Arquivos de programas\Syncplicity\Syncplicity.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\ARQUIV~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Arquivos de programas\Arquivos comuns\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Arquivos de programas\Arquivos comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\Arquivos de programas\UGS\License Servers\UGNXFLEXlm\lmgrd.exe

 

--

End of file - 6587 bytes


Good morning! ebiancalana

 

<@> Go to Start --> Run --> Type or paste: combofix.exe /u --> Click OK.

<@> The following window will open: ( Open File - Security Warning )

<@> Click Run --> Wait!

<@> Finally, the message "ComboFix has been uninstalled" will appear --> Click OK.

<@> If you find them, delete: C:\ComboFix <-- the folder! + C:\ComboFix.txt <-- the report!

<><><><><><><><><><>

<@> You have no antivirus!

 

<!> Download: < http://www.baixaki.com.br/download/Avira-A...ion-Classic.htm >

 

<@> Install the program --> Update it! --> Configure it --> Run it!

<@> Then post the report and describe the PC's condition.

 

Regards!


Good morning!!

 

Report follows! Threats were found, but I believe they are all related to the CAD software I use... what do you think??

 

Avira AntiVir Personal

Report file date: domingo, 12 de abril de 2009 15:51

 

Scanning for 1347111 virus strains and unwanted programs.

 

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : ALANREIS

 

Version information:

BUILD.DAT : 9.0.0.387 17962 Bytes 24/3/2009 11:04:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 24/2/2009 15:13:28

AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/2/2009 13:58:26

LUKE.DLL : 9.0.3.2 209665 Bytes 20/2/2009 14:35:50

LUKERES.DLL : 9.0.2.0 12033 Bytes 27/2/2009 13:58:54

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 15:30:38

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/2/2009 23:33:28

ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 1/4/2009 18:47:59

ANTIVIR3.VDF : 7.1.3.42 169984 Bytes 11/4/2009 18:48:11

Engineversion : 8.2.0.138

AEVDF.DLL : 8.1.1.0 106868 Bytes 27/1/2009 20:36:42

AESCRIPT.DLL : 8.1.1.73 373114 Bytes 12/4/2009 18:48:47

AESCN.DLL : 8.1.1.10 127348 Bytes 12/4/2009 18:48:41

AERDL.DLL : 8.1.1.3 438645 Bytes 29/10/2008 21:24:42

AEPACK.DLL : 8.1.3.12 397687 Bytes 12/4/2009 18:48:40

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 26/2/2009 23:01:58

AEHEUR.DLL : 8.1.0.114 1700214 Bytes 12/4/2009 18:48:29

AEHELP.DLL : 8.1.2.2 119158 Bytes 26/2/2009 23:01:58

AEGEN.DLL : 8.1.1.33 340340 Bytes 12/4/2009 18:48:14

AEEMU.DLL : 8.1.0.9 393588 Bytes 9/10/2008 17:32:40

AECORE.DLL : 8.1.6.7 176502 Bytes 12/4/2009 18:48:12

AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2008 17:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 11:48:00

AVPREF.DLL : 9.0.0.1 43777 Bytes 5/12/2008 13:32:16

AVREP.DLL : 8.0.0.3 155905 Bytes 20/1/2009 17:34:30

AVREG.DLL : 9.0.0.0 36609 Bytes 5/12/2008 13:32:10

AVARKT.DLL : 9.0.0.1 292609 Bytes 9/2/2009 10:52:26

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/1/2009 13:37:10

SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/1/2009 18:03:50

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 11:21:34

NETNT.DLL : 9.0.0.0 11521 Bytes 5/12/2008 13:32:12

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 9/2/2009 14:45:46

RCTEXT.DLL : 9.0.35.0 87297 Bytes 11/3/2009 18:55:14

 

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\arquivos de programas\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, F:, G:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

 

Start of the scan: domingo, 12 de abril de 2009 15:51

 

Starting search for hidden objects.

'37685' objects were checked, '0' hidden objects were found.

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msiexec.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'Syncplicity.exe' - '1' Module(s) have been scanned

Scan process 'VMonitor.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'uglmd.exe' - '1' Module(s) have been scanned

Scan process 'lmgrd.exe' - '1' Module(s) have been scanned

Scan process 'lmgrd.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'spnsrvnt.exe' - '1' Module(s) have been scanned

Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

31 processes with 31 modules were scanned

 

Starting master boot sector scan:

 

Start scanning boot sectors:

 

Starting to scan executable files (registry).

The registry was scanned ( '37' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Arquivos de programas\UGS\NX 4.0\UGDOC\html_files\search\data_ugcatia5\qa_1.rds

[0] Archive type: GZ

--> qa_1

[1] Archive type: MacBinary

--> ugcatia5/02topic_1.html.info

[WARNING] The file could not be read!

[WARNING] The file could not be read!

C:\Documents and Settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\cache\6.0\42\204545ea-439ab437

[0] Archive type: ZIP

--> Inicio.class

[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.D Java virus

C:\hijackthis\backups\backup-20090411-180816-514-Windows UpdateSP8.exe

[DETECTION] Is the TR/Spy.Banker.Gen Trojan

Begin scan in 'D:\' <Meus Documentos>

D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP0-SP1-SP2-SP3-SP4-SP5.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP0-SP1-SP2-SP3-SP4.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP0-SP1-SP2-SP3.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP5-SP6.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\PS7\PS-Moldmaker7080-SP0-SP1-SP2-SP3-SP4-SP5.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\PS7\PS-Moldmaker7080-SP0-SP1-SP2-SP3-SP4.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\PS7\PS-Moldmaker7080-SP0-SP1-SP2-SP3.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\PS7\PS-Moldmaker7080-SP5-SP6.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\Pshape_7.1.40\PowerSHAPE7140-SP1-SP3.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\DELCAM\Pshape_7.1.40\PS-Moldmaker7140-SP1-SP3.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

D:\Instalações\powershape_7350\CopyCAD7004\copycad7004_CB15809_crk_TuPis[1].part3.rar

[0] Archive type: RAR

--> dcam\config\pass\dcam.paf

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\System Volume Information\_restore{D220C570-3D0A-4592-A452-2234EBF8E1CD}\RP17\A0003520.exe

[0] Archive type: CAB SFX (self extracting)

--> \Solid Edge\LightW~1.cab

[1] Archive type: CAB (Microsoft)

--> framework.mesg1

[WARNING] No further files can be extracted from this archive. The archive will be closed

--> \Solid Edge\Metric.cab

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

Begin scan in 'F:\'

Begin scan in 'G:\'

 

Beginning disinfection:

C:\Documents and Settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\cache\6.0\42\204545ea-439ab437

[WARNING] The file was ignored!

C:\hijackthis\backups\backup-20090411-180816-514-Windows UpdateSP8.exe

[DETECTION] Is the TR/Spy.Banker.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP0-SP1-SP2-SP3-SP4-SP5.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP0-SP1-SP2-SP3-SP4.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP0-SP1-SP2-SP3.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP5-SP6.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\PS7\PS-Moldmaker7080-SP0-SP1-SP2-SP3-SP4-SP5.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\PS7\PS-Moldmaker7080-SP0-SP1-SP2-SP3-SP4.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\PS7\PS-Moldmaker7080-SP0-SP1-SP2-SP3.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\PS7\PS-Moldmaker7080-SP5-SP6.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\Pshape_7.1.40\PowerSHAPE7140-SP1-SP3.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

D:\Instalações\DELCAM\Pshape_7.1.40\PS-Moldmaker7140-SP1-SP3.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

 

 

End of the scan: Monday, 13 April 2009 00:24

Used time: 3:42:09 Hour(s)

 

The scan has been done completely.

 

16804 Scanned directories

2396507 Files were scanned

12 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

2396494 Files not concerned

12416 Archives were scanned

20 Warnings

1 Notes

37685 Objects were scanned with rootkit scan

0 Hidden objects were found

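The report above lists 12 detections but closes with 0 files deleted, 0 repaired and 0 moved to quarantine: every entry under "Beginning disinfection:" ends in "[WARNING] The file was ignored!", so each flagged file is still where the scan found it. The Python script below is an added example, not part of the thread and not Avira's own code. It parses a report in this layout, pairs each [DETECTION] with what the disinfection pass actually did to the file, and buckets the two locations this thread singles out (the HijackThis backups folder and the Java deployment cache). The sample log is a constructed, trimmed copy of the one above; the wording of the quarantine "[NOTE]" line is an assumption, since the page's log contains no such line.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed Avira AntiVir report in the layout of the one
# posted above. The last [NOTE] line is an assumed wording for a quarantined
# file, added so all three outcomes appear; the page's own log only has "ignored".
SAMPLE_LOG = r"""Configuration settings for the scan:
Primary action......................: interactive
Secondary action....................: ignore

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\cache\6.0\42\204545ea-439ab437
[0] Archive type: ZIP
--> Inicio.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.D Java virus
C:\hijackthis\backups\backup-20090411-180816-514-Windows UpdateSP8.exe
[DETECTION] Is the TR/Spy.Banker.Gen Trojan
Begin scan in 'D:\' <Meus Documentos>
D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP5-SP6.exe
[DETECTION] Is the TR/Dropper.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\cache\6.0\42\204545ea-439ab437
[WARNING] The file was ignored!
C:\hijackthis\backups\backup-20090411-180816-514-Windows UpdateSP8.exe
[DETECTION] Is the TR/Spy.Banker.Gen Trojan
[WARNING] The file was ignored!
D:\Instalações\DELCAM\PS7\PowerSHAPE7080-SP5-SP6.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a1b2c3d.qua'!

End of the scan: Monday, 13 April 2009 00:24
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")        # a drive path line opens a new record
DETECTION_RE = re.compile(
    r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+)")
ACTION_RE = re.compile(r"^(Primary|Secondary) action\.*: (\w+)")


@dataclass
class Finding:
    path: str
    threat: str
    category: str
    disposition: str = "not handled"      # filled in from "Beginning disinfection:"


def categorize(path):
    """Bucket the two locations this thread cares about; everything else is 'other'."""
    low = path.lower()
    if "\\hijackthis\\backups\\" in low:
        return "hijackthis_backup"        # copy HijackThis kept when an entry was fixed
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java_cache"               # cached applet; goes away with the Java cache
    return "other"


def triage(log_text):
    """Pair each [DETECTION] with what the disinfection pass did to the file."""
    actions, findings = {}, {}
    current, in_disinfection = None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACTION_RE.match(line)
        if m:
            actions[m.group(1).lower()] = m.group(2)
        elif line.startswith("Beginning disinfection:"):
            in_disinfection = True
        elif PATH_RE.match(line):
            current = line
        elif not in_disinfection:
            m = DETECTION_RE.match(line)
            if m and current:
                findings[current] = Finding(current, m.group(1), categorize(current))
        elif current in findings:
            if line == "[WARNING] The file was ignored!":
                findings[current].disposition = "ignored"
            elif line.startswith("[NOTE]") and "moved to" in line:
                findings[current].disposition = "quarantined"
            elif line.startswith("[NOTE]") and "deleted" in line:
                findings[current].disposition = "deleted"
    counts = {}
    for f in findings.values():
        counts[f.disposition] = counts.get(f.disposition, 0) + 1
    remaining = [f for f in findings.values()
                 if f.disposition in ("ignored", "not handled")]
    return {"actions": actions, "findings": list(findings.values()),
            "counts": counts, "remaining": remaining}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("actions:", result["actions"], "| outcomes:", result["counts"])
    for f in result["remaining"]:
        print(f"STILL ON DISK [{f.category}] {f.threat}: {f.path}")
```

Run it on a saved report with `triage(open(path, encoding="latin-1").read())`; whatever the summary counters at the bottom say, anything in `remaining` is still on disk after the scan and has to be dealt with by hand or by a second run with a non-interactive action.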

Good morning! ebiancalana



Here is the report! Threats were found, but I believe they are all related to the CAD software I use... what do you think??

<!> If they were quarantined, delete only the HijackThis backups folder.

 

<!> C:\hijackthis\backups\backup-20090411-180816-514-Windows UpdateSP8.exe

[DETECTION] Is the TR/Spy.Banker.Gen Trojan

 

<><><><><><><><><><><><>

<@> Download: ATF-Cleaner ( ...by Atribune )

<@> Save it to the Desktop!

<@> Restart the computer in Safe Mode!

<@> Click ATF-Cleaner.exe

<@> Under "Select Files To Delete", check Select All.

<@> Click Empty Selected.

<@> In the Done Cleaning window, click OK --> Exit

 

<@> Note: if you use Firefox:



* At the top, click Firefox and choose: Select All --> Click Empty Selected.



<@> Note: if you use Opera:



* At the top, click Opera and choose: Select All --> Click Empty Selected.



<@> When finished, restart the computer!

<><><><><><><><><><><><>

<@> Schedule a scandisk for the next boot.

<@> In Run, type: cmd --> Click: OK

<@> In the DOS window, type: chkdsk /f --> Press Enter.

<@> Wait!

<@> In the information that appears, choose to run scandisk at the next boot.

<@> To exit, type exit --> Press Enter.

<@> Restart the computer so that the scandisk starts.

<><><><><><><><><><><><>

<!> The log is clean!

<!> Everything OK?



Regards!


Good morning!



I haven't done the last procedure posted yet because I'm traveling....



I'll do it as soon as I get back!!



Thanks for the help. I'll post as soon as I've done it.



Regards!

Good evening! ebiancalana



<!> And... when you get back, take the opportunity to update Java as well.

<><><><><><><><><><><><><><><>

<@> Update Java.

<@> Old versions have vulnerabilities that malware can use to infect your system.

<><><><><><><><><><><><><><><>

<@> Download the latest version of the Java Runtime Environment (JRE), 6u13.

<@> Locate: "Java Runtime Environment (JRE) 6 Update 13"

<@> Click the Download button.

<@> Check the option that says: "Accept License Agreement"

<@> The page will refresh!

<@> Click the link to download the Windows Offline Installation --> Save it to the desktop!

<@> Close IE or Firefox + any programs that are running.

<@> Go to Start --> Control Panel.

<@> In Add or Remove Programs, remove all old versions of Java.

<><><><><><><><><><><><><><><>

<@> Examples of old versions:



Java 2 Runtime Environment, SE v1.4.2

J2SE Runtime Environment 5.0

J2SE Runtime Environment 5.0 Update 6

 

<@> Select any item named: Java Runtime Environment (JRE or J2SE)

<@> Click the Remove or Change/Remove button.

<@> Repeat as many times as necessary to remove each version of Java.

<@> When done, restart the computer!

<@> Install the new version by double-clicking jre-6u13-windows-i586-p.exe.

 

Regards!

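The post above has the user pick the old JRE entries out of Add or Remove Programs by eye. As an added example (not from the thread, from Sun or from Avira), the Python script below does that check programmatically: it normalises the naming schemes Sun used over the years (the post's "SE v1.4.2" and "J2SE ... 5.0 Update 6" forms, plus the "Java(TM) 6 Update N" form assumed here for Java 6) into a comparable (major, update) pair and lists every runtime older than 6u13. On a Windows host it reads DisplayName values from the HKLM Uninstall registry key; anywhere else it falls back to a constructed sample list. The two Java 6 names and the Firefox entry in that sample are assumptions.

```python
import re

# Constructed sample of Add or Remove Programs DisplayName strings: the three
# legacy names quoted in the post above, plus assumed names for two Java 6
# builds and one non-Java program.
SAMPLE_DISPLAY_NAMES = [
    "Java 2 Runtime Environment, SE v1.4.2",
    "J2SE Runtime Environment 5.0",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 7",
    "Java(TM) 6 Update 13",
    "Mozilla Firefox (3.0.8)",
]

TARGET = (6, 13)   # JRE 6 Update 13, the build the post asks the user to install

DOTTED_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
PLAIN_RE = re.compile(r"\b(\d+)\b")
UPDATE_RE = re.compile(r"Update (\d+)")


def java_version(display_name):
    """Map a JRE DisplayName to a comparable (major, update) pair, or None.

    Sun's naming moved from '1.4.2' (JRE 4, maintenance release 2) through
    '5.0 Update 6' to 'Java(TM) 6 Update 13'. Assumption: a JRE entry contains
    'Java' or 'J2SE' and either a dotted version or a bare major number."""
    if not re.search(r"java|j2se", display_name, re.I):
        return None
    m = DOTTED_RE.search(display_name)
    if m:
        a, b, c = (int(g) if g else 0 for g in m.groups())
        major, update = (b, c) if a == 1 else (a, 0)   # '1.x.y' means JRE x
    else:
        m = PLAIN_RE.search(display_name)
        if not m:
            return None
        major, update = int(m.group(1)), 0
    m = UPDATE_RE.search(display_name)
    if m:
        update = int(m.group(1))
    return (major, update)


def outdated_java(display_names, target=TARGET):
    """Return [(name, (major, update))] for every JRE older than target."""
    out = []
    for name in display_names:
        ver = java_version(name)
        if ver is not None and ver < target:
            out.append((name, ver))
    return out


def installed_display_names():
    """Read DisplayName from the HKLM Uninstall key (Windows only)."""
    import winreg   # not available off Windows; the caller falls back to the sample
    names = []
    root = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as key:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:            # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(key, sub) as subkey:
                    names.append(winreg.QueryValueEx(subkey, "DisplayName")[0])
            except OSError:            # subkey without a DisplayName
                continue
    return names


if __name__ == "__main__":
    try:
        names = installed_display_names()
    except ImportError:
        names = SAMPLE_DISPLAY_NAMES
    for name, (major, update) in outdated_java(names):
        print(f"remove: {name}  (JRE {major} update {update})")
```

The output is the list of entries to remove through Add or Remove Programs, not an uninstaller. The normalisation is the point: compared as text, "1.4.2" sorts after "6", so a naive string comparison would keep the oldest runtime and flag the newest.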

Good evening!!!

I've finally carried out all the procedures... while uninstalling the previous versions of Java, I noticed that HijackThis is installed on my PC... should I uninstall it?



Thanks for the help!!

Hi there! ebiancalana



<!> If you want, you can uninstall HijackThis.

<><><><><><><><><>

<!> Here is the uninstall procedure!

<!> Open HijackThis --> Click: "Open the Misc Tools section".

<!> In the "Misc Tools" menu, scroll down and click "Uninstall HijackThis & exit".

 

Regards!


PROBLEM SOLVED!



If the author needs the topic to be reopened, just send a Private Message to a Moderator with a link to the topic.
