Archived

This topic has been archived and is closed to new replies.

Thomas Anderson

[Archived] I can't install any antivirus


Hello, I have a serious problem on my PC: I can't install any antivirus. I've already tried Kaspersky, AVG, Avast, Avira, Panda, even ComboFix. With Avast, for example, just clicking the installer executable makes the PC reboot, not to mention that clicking any link to an .exe file reboots it, Google searches containing '.exe' also reboot the PC, and even the option to show hidden files and folders doesn't work. I searched Google about this and found a tutorial on how to remove it, but the programs are no longer available for download and some don't work... The problem with formatting my PC is that my internet is via radio and I'd have to call the owner to come and set it up again. Heeeelp!

 

Thanks in advance.

 

HijackThis log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:12:55, on 16/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\SERV-N\apache\mysql\bin\mysqld-nt.exe

C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\Arquivos de programas\RALINK\Common\RaUI.exe

C:\Documents and Settings\Thomas\Configurações locais\Dados de aplicativos\winlogon.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\Documents and Settings\Thomas\Configurações locais\Dados de aplicativos\services.exe

C:\Documents and Settings\Thomas\Configurações locais\Dados de aplicativos\lsass.exe

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\DOCUME~1\Thomas\CONFIG~1\Temp\wingsffy.exe

C:\WINDOWS\system32\ping.exe

C:\WINDOWS\system32\ping.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe

O1 - Hosts: 127.4.7.4 mcafee.com

O1 - Hosts: 127.4.7.4 www.mcafee.com

O1 - Hosts: 127.4.7.4 mcafeesecurity.com

O1 - Hosts: 127.4.7.4 www.mcafeesecurity.com

O1 - Hosts: 127.4.7.4 mcafeeb2b.com

O1 - Hosts: 127.4.7.4 www.mcafeeb2b.com

O1 - Hosts: 127.4.7.4 nai.com

O1 - Hosts: 127.4.7.4 www.nai.com

O1 - Hosts: 127.4.7.4 vil.nai.com

O1 - Hosts: 127.4.7.4 grisoft.com

O1 - Hosts: 127.4.7.4 www.grisoft.com

O1 - Hosts: 127.4.7.4 kaspersky-labs.com

O1 - Hosts: 127.4.7.4 www.kaspersky-labs.com

O1 - Hosts: 127.4.7.4 kaspersky.com

O1 - Hosts: 127.4.7.4 www.kaspersky.com

O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com

O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com

O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com

O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com

O1 - Hosts: 127.4.7.4 download.mcafee.com

O1 - Hosts: 127.4.7.4 grisoft.cz

O1 - Hosts: 127.4.7.4 www.grisoft.cz

O1 - Hosts: 127.4.7.4 norton.com

O1 - Hosts: 127.4.7.4 www.norton.com

O1 - Hosts: 127.4.7.4 symantec.com

O1 - Hosts: 127.4.7.4 www.symantec.com

O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com

O1 - Hosts: 127.4.7.4 liveupdate.symantec.com

O1 - Hosts: 127.4.7.4 update.symantec.com

O1 - Hosts: 127.4.7.4 securityresponse.symantec.com

O1 - Hosts: 127.4.7.4 sarc.com

O1 - Hosts: 127.4.7.4 www.sarc.com

O1 - Hosts: 127.4.7.4 norman.com

O1 - Hosts: 127.4.7.4 www.norman.com

O1 - Hosts: 127.4.7.4 trendmicro.com

O1 - Hosts: 127.4.7.4 www.trendmicro.com

O1 - Hosts: 127.4.7.4 trendmicro.co.jp

O1 - Hosts: 127.4.7.4 www.trendmicro.co.jp

O1 - Hosts: 127.4.7.4 trendmicro-europe.com

O1 - Hosts: 127.4.7.4 www.trendmicro-europe.com

O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com

O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com

O1 - Hosts: 127.4.7.4 secunia.com

O1 - Hosts: 127.4.7.4 www.secunia.com

O1 - Hosts: 127.4.7.4 winantivirus.com

O1 - Hosts: 127.4.7.4 www.winantivirus.com

O1 - Hosts: 127.4.7.4 pandasoftware.com

O1 - Hosts: 127.4.7.4 www.pandasoftware.com

O1 - Hosts: 127.4.7.4 esafe.com

O1 - Hosts: 127.4.7.4 www.esafe.com

O1 - Hosts: 127.4.7.4 f-secure.com

O1 - Hosts: 127.4.7.4 www.f-secure.com

O1 - Hosts: 127.4.7.4 europe.f-secure.com

O1 - Hosts: 127.4.7.4 bhs.com

O1 - Hosts: 127.4.7.4 www.bhs.com

O1 - Hosts: 127.4.7.4 datafellows.com

O1 - Hosts: 127.4.7.4 www.datafellows.com

O1 - Hosts: 127.4.7.4 cheyenne.com

O1 - Hosts: 127.4.7.4 www.cheyenne.com

O1 - Hosts: 127.4.7.4 ontrack.com

O1 - Hosts: 127.4.7.4 www.ontrack.com

O1 - Hosts: 127.4.7.4 sands.com

O1 - Hosts: 127.4.7.4 www.sands.com

O1 - Hosts: 127.4.7.4 sophos.com

O1 - Hosts: 127.4.7.4 www.sophos.com

O1 - Hosts: 127.4.7.4 icubed.com

O1 - Hosts: 127.4.7.4 www.icubed.com

O1 - Hosts: 127.4.7.4 perantivirus.com

O1 - Hosts: 127.4.7.4 www.perantivirus.com

O1 - Hosts: 127.4.7.4 virusalert.nl

O1 - Hosts: 127.4.7.4 www.virusalert.nl

O1 - Hosts: 127.4.7.4 pagina.nl

O1 - Hosts: 127.4.7.4 www.pagina.nl

O1 - Hosts: 127.4.7.4 antivirus.pagina.nl

O1 - Hosts: 127.4.7.4 castlecops.com

O1 - Hosts: 127.4.7.4 www.castlecops.com

O1 - Hosts: 127.4.7.4 virustotal.com

O1 - Hosts: 127.4.7.4 www.virustotal.com

O1 - Hosts: 127.4.7.4 vaksin.com

O1 - Hosts: 127.4.7.4 www.vaksin.com

O1 - Hosts: 127.4.7.4 forum.vaksin.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Thomas\Configurações locais\Dados de aplicativos\smss.exe"

O4 - Startup: Empty.pif = ?

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Anti-vírus de Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143}: NameServer = 192.168.0.1

O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1.0\adialhk.dll

O23 - Service: Apache - Unknown owner - C:\SERV-N\apache\Apache.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: MySQL - Unknown owner - \SERV-N\apache\mysql\bin\mysqld-nt.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

 

--

End of file - 8149 bytes

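The log above carries the textbook signs of this infection: the Winlogon Shell value chained to a second executable (eksplorasi.exe), a hosts file pinning dozens of security-vendor domains to an odd loopback address (127.4.7.4), a Run entry launching a file named like a core system process (smss.exe) from the user's profile, and a policy that disables regedit. As an added example, not code from the thread or from any of the tools it mentions, the Python below triages HijackThis lines for those patterns; the vendor-domain list and the user-writable-path heuristics are my own assumptions, and the sample lines are copied from the first log in this thread.

```python
"""Triage HijackThis log lines for the indicators visible in the thread above."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows process names that legitimately live only under system32.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "inetinfo.exe"}

# Assumption: substrings identifying security-vendor domains (subset of the log above).
SECURITY_DOMAIN_HINTS = ("kaspersky", "mcafee", "nai.com", "grisoft", "norton",
                         "symantec", "trendmicro", "sophos", "f-secure",
                         "pandasoftware", "virustotal", "secunia", "castlecops")

# Assumption: path fragments that mean "user-writable", in both Portuguese and English XP layouts.
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\",
                       "\\dados de aplicativos\\", "\\application data\\")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\]\s*(.*)$")
SHELL_RE = re.compile(r"^F2 - REG:system.ini: Shell=(.*)$", re.IGNORECASE)
POLICY_RE = re.compile(r"^O7 - .*\bDisable(Regedit|TaskMgr)=1\b")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _run_target(rest: str) -> str:
    """Extract the executable path that follows [name] on an O4 line."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split()[0] if rest else ""


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    line = line.strip()
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        if any(h in host.lower() for h in SECURITY_DOMAIN_HINTS):
            return Finding(line, f"security-vendor domain {host} pinned to {ip} in hosts file")
        if ip.startswith("127.") and ip != "127.0.0.1":
            return Finding(line, f"hosts entry uses unusual loopback address {ip}")
        return None
    m = SHELL_RE.match(line)
    if m:
        shell = m.group(1).strip()
        if shell.lower() != "explorer.exe":
            return Finding(line, f"Winlogon Shell is not plain Explorer.exe: {shell}")
        return None
    m = RUN_RE.match(line)
    if m:
        hive, key, name, rest = m.groups()
        target = _run_target(rest)
        base = ntpath.basename(target).lower()
        if base in SYSTEM_PROCESS_NAMES and "\\system32\\" not in target.lower():
            return Finding(line, f"{hive}\\{key} [{name}] runs system-process name {base} outside system32")
        if any(h in target.lower() for h in USER_WRITABLE_HINTS):
            return Finding(line, f"{hive}\\{key} [{name}] runs from a user-writable location")
        return None
    if POLICY_RE.match(line):
        return Finding(line, "registry policy disables a built-in admin tool")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log, preserving line order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample: lines copied from the first log in this thread plus two benign ones.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe "C:\\WINDOWS\\eksplorasi.exe"
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe, explorer.exe
O1 - Hosts: 127.4.7.4 www.kaspersky.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [iSUSScheduler] "C:\\Arquivos de programas\\Arquivos comuns\\InstallShield\\UpdateService\\issch.exe" -start
O4 - HKCU\\..\\Run: [Tok-Cirrhatus] "C:\\Documents and Settings\\Thomas\\Configurações locais\\Dados de aplicativos\\smss.exe"
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[!] {f.reason}\n    {f.line}")
```

Run against the full log in the post, it flags the Shell line, every O1 vendor entry, the Tok-Cirrhatus Run entry and the O7 policy, while the InstallShield updater and the localhost entry pass.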

Good afternoon, Thomas Anderson!

 

<!> Download: < HostsXpert >

<@> It will restore the Hosts file to the default!

<@> If an error occurs while running it, click Make Writable and repeat the procedure.

<><><><><><><><><><><>

<@> Save it to the Desktop!

<@> Unzip it and run: HostsXpert.exe

<@> Close all windows and the browser!

<@> Click Restore Microsoft's Hosts file --> Ok.

<@> Close the program and restart the computer!

<><><><><><><><><><><>

<@> Download: < FindyKill > ( ...by Chiquitine29 )

<@> Save it to Program Files!

<@> Close any open programs.

<@> Disable the resident protection of your antivirus and antispyware.

<@> PS: Detection of this tool by antivirus is a false positive!

<@> Install the tool and accept all the conditions requested.

<@> When done, run the tool with a double-click on: C:\Arquivos de Programas\FindyKill\FindyKill.bat <--

<@> At the prompt, press C --> Enter. <-- Language option!

<@> Next, press 2. ( "Eliminar los ficheros infectados" )

<@> Press Enter --> The computer will restart twice! --> Wait!

<@> When done, click on an empty area of the prompt! --> Press Enter.

<@> Notepad will open with the report: C:\FindyKill.txt <-- Report!

<><><><><><><><><><><>

<@> Download: < drweb-cureit >

<@> Save it to the desktop!

<@> Restart the computer in Safe Mode.

<@> Start the installation/execution with a double-click on drweb-cureit.

<@> In the window that opens, click "Iniciar" (Start) --> OK.

<@> The "Verificação rápida" (Quick scan) will start --> Close the advertisement window!

<@> When done, check the "Verificação Completa" (Full scan) box.

<@> Click "Options" --> Under Change settings, uncheck "Heuristic analysis".

 

In this mode the following objects are scanned:

 

* Boot sectors of all disks. <--

 

* All removable drives. <--

 

* All local disks. <--

<@> Click "Iniciar verificação" (Start scan) --> Wait!

<@> If messages appear asking to move or disinfect files, click Yes.

<@> When done, click "Ficheiro" (File) --> "Guardar lista de relatórios" (Save report list).

<@> Save it somewhere suitable. ( DrWeb.csv ) <-- Text!

<@> Post: DrWeb.csv + an updated HijackThis log.

 

Cheers!


Could someone visiting this topic do me a favor T.T: download this FindyKill, zip it and upload it to some file host, rapidshare, easyshare, 4shared, whatever, because when I click that link the PC reboots on the spot, there isn't even time to save it =/ just because the file is an .exe. I'd ask someone on MSN, but the conversation is always the same:

 

- Do me a favor, download this file, zip it and send it to me.

- Hang on, ok?

(an hour later)

- So, can you send it?

- I'm busy here, in a bit...

 

lol, anyway, it seems unbelievable, but everything involving '.exe' in the browser reboots :(

Hey, Thomas Anderson!

 

<!> I hosted it on Badongo: < FindyKill >

<!> The file is zipped! Extract it from the zip before using it.

 

Cheers!


Yesss, everything's normal on the PC now. FindyKill fixed the .exe problem, and Safe Mode, which wouldn't start, is 100% now, and that DrWeb made the PC 200% because it scans everything. I just did something dumb: I set it to scan at 22:30 expecting it to finish at 23:30, but at 23:10 it had only scanned 10% of all the files and I had to shut down the PC; even so it detected 90 viruses... tomorrow (Saturday) I'll run DrWeb completely. Thank you very much DigRam, excellent tutorial, I don't know what I'd have done if I couldn't remove this virus, thanks a lot. One more thing... which antivirus do you recommend I use? PS: I only have 256 MB of RAM ^^ thaaaanks

 

DrWeb log

 

HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:04:48, on 13/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\Arquivos de programas\RALINK\Common\RaUI.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\SERV-N\apache\mysql\bin\mysqld-nt.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\Arquivos de programas\Gilly Messenger\GillyMessenger.exe

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\DOCUME~1\Thomas\CONFIG~1\Temp\igab.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: Shell=explorer.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Thomas\Configurações locais\Dados de aplicativos\smss.exe"

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Anti-vírus de Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143}: NameServer = 192.168.0.1

O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1.0\adialhk.dll

O23 - Service: Apache - Unknown owner - C:\SERV-N\apache\Apache.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: MySQL - Unknown owner - \SERV-N\apache\mysql\bin\mysqld-nt.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

 

--

End of file - 4553 bytes


Good evening, Thomas Anderson!

 

One more thing... which antivirus do you recommend I use? PS: I only have 256 MB of RAM ^^ thaaaanks

<!> I recommend: < Avira >

<><><><><><><><><><><>

<@> Download: < Kaspersky Virus Removal Tool >

<@> Save it to Program Files and install it right there!

<@> Restart the computer in Safe Mode! <-- Important!

<@> Start the scan by clicking "Scan".

<@> The scan takes a very long time. <-- Wait!

<@> If infections are found, click "disinfect".

<@> When done, click the Events tab.

<@> Uncheck the "Show all events" checkbox.

<@> Click "Save to file".

<@> Name it and save it to the desktop! <-- Report to post!

<@> Also post an updated HijackThis log.

 

Cheers!


Damn it all... it won't boot into Safe Mode anymore to run Kaspersky, FindyKill doesn't fix it, and DrWeb "vanished" from the PC, and when I search for it on Google or on some download site the browser closes. Kaspersky in normal mode detects the viruses but doesn't disinfect them...

Friend, thanks for the help, but I think the only option left here is formatting...

 

if it's any use...

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:14:15, on 21/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\SERV-N\apache\mysql\bin\mysqld-nt.exe

C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

C:\SERV-N\apache\Apache.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\Arquivos de programas\RALINK\Common\RaUI.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: Shell=explorer.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Thomas\Configurações locais\Dados de aplicativos\smss.exe"

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143}: NameServer = 192.168.0.1

O23 - Service: Apache - Unknown owner - C:\SERV-N\apache\Apache.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: MySQL - Unknown owner - \SERV-N\apache\mysql\bin\mysqld-nt.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

 

--

End of file - 4216 bytes


Good morning, Thomas Anderson!

 

<@> Download: < FixPolicies >

<@> Save it to the Desktop!

<@> Be logged in as Administrator.

<@> Run the file FixPolicies.exe with a double-click.

<@> Click Install.

<@> Open the FixPolicies folder --> Click Fix_policies.cmd --> Enter.

<@> Allow the repair if it is blocked by protection programs.

<@> Wait for the check to finish!

<><><><><><><><><><><>

<@> Download: < SafeBootKeyRepair >

<@> Save it directly to the local disk (C:).

<@> Run it! When it finishes, it will generate a report: C:\SafeBoot_Repair.txt <-- Don't post it!

<@> Check whether you can now boot into Safe Mode!

<><><><><><><><><><><>

<@> Download: < ComboFix > ( ...by sUBs )

<@> Save it to the desktop!

<@> Disable the resident protection of: antivirus, antispyware and firewall. ( Except the Windows one! )

<@> Close all windows and run the tool!

<@> At the prompt "Negação de garantia de software" (software disclaimer) --> Click Yes!

<@> If you don't have the "Recovery Console", accept the option to install it!

 

<!> If the notification "Invalid Win32 application" appears, delete the tool and download it again.

<!> Save it to the desktop, renamed as: Kombo.exe

<!> PS: Name it while saving, not after saving it!

<!> PS: If any error message appears, run ComboFix.exe in Safe Mode. <-- Link!

<!> PS: To complete the removals, the tool may need to restart the computer. <-- Wait!

<!> PS: Avoid running this tool on your own initiative!

<!> PS: To avoid problems, follow all the recommendations given.

<!> PS: ComboFix is a tool that can damage the system. Use it only under professional supervision.

<@> The Auto Scan window will open. --> Wait!

<@> In order to complete the removals, ComboFix may restart the computer.

<@> If necessary, type the option to continue! --> ( 1 ) --> Press Enter! --> Wait for it to finish!

<@> During the scan, avoid touching the mouse or keyboard! <-- Important!

<@> To stop or exit ComboFix, press "N" or "2" --> Press Enter!

<><><><><><><><><><><>

<@> When done, post the reports: C:\ComboFix\ComboFix.txt + an updated HijackThis log.

 

Cheers!


Safe Mode enabled again \o/

 

ComboFix log

-----------------------------------------

ComboFix 09-04-21.A2 - Thomas 21/04/2009 10:42.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.254.82 [GMT -3:00]

Executando de: c:\documents and settings\Thomas\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)

FW: Kaspersky Internet Security *disabled*

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Administrador.THOMAS\Configurações locais\Dados de aplicativos\inetinfo.exe

c:\documents and settings\Administrador.THOMAS\Configurações locais\Dados de aplicativos\lsass.exe

c:\documents and settings\Administrador.THOMAS\Configurações locais\Dados de aplicativos\services.exe

c:\documents and settings\Administrador.THOMAS\Configurações locais\Dados de aplicativos\winlogon.exe

c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\inetinfo.exe

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ASC3360PR

-------\Service_asc3360pr

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-03-21 to 2009-04-21 ))))))))))))))))))))))))))))

.

 

2009-04-21 13:23 . 2009-04-21 13:23 288654 ----a-w C:\SafeBootKeyRepair.exe

2009-04-21 13:20 . 2009-04-21 13:20 244 ---ha-w C:\sqmnoopt10.sqm

2009-04-21 13:20 . 2009-04-21 13:20 232 ---ha-w C:\sqmdata10.sqm

2009-04-16 14:03 . 2009-04-16 14:03 244 ---ha-w C:\sqmnoopt00.sqm

2009-04-16 14:03 . 2009-04-16 14:03 232 ---ha-w C:\sqmdata00.sqm

2009-04-16 11:37 . 2009-04-16 11:38 -------- d--h--w c:\windows\system32\GroupPolicy

2009-04-16 09:57 . 2009-04-16 09:57 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-16

2009-04-15 19:22 . 2009-04-21 11:54 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab

2009-04-15 17:27 . 2009-04-15 17:27 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files

2009-04-15 11:43 . 2009-04-15 12:34 -------- d-----w c:\documents and settings\Thomas\Contacts

2009-04-15 11:42 . 2009-04-15 11:42 -------- dc----w c:\windows\system32\DRVSTORE

2009-04-15 09:03 . 2009-04-15 09:03 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-15

2009-04-14 18:52 . 2009-04-14 18:52 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Adobe

2009-04-13 18:16 . 2009-04-13 18:16 244 ---ha-w C:\sqmnoopt09.sqm

2009-04-13 18:16 . 2009-04-13 18:16 232 ---ha-w C:\sqmdata09.sqm

2009-04-13 18:09 . 2009-04-13 18:09 244 ---ha-w C:\sqmnoopt08.sqm

2009-04-13 18:09 . 2009-04-13 18:09 232 ---ha-w C:\sqmdata08.sqm

2009-04-13 18:08 . 2009-04-13 18:08 244 ---ha-w C:\sqmnoopt07.sqm

2009-04-13 18:08 . 2009-04-13 18:08 232 ---ha-w C:\sqmdata07.sqm

2009-04-13 11:21 . 2009-04-13 11:21 244 ---ha-w C:\sqmnoopt06.sqm

2009-04-13 11:21 . 2009-04-13 11:21 232 ---ha-w C:\sqmdata06.sqm

2009-04-13 11:14 . 2009-04-13 11:14 244 ---ha-w C:\sqmnoopt05.sqm

2009-04-13 11:14 . 2009-04-13 11:14 232 ---ha-w C:\sqmdata05.sqm

2009-04-13 11:09 . 2009-04-13 11:09 244 ---ha-w C:\sqmnoopt04.sqm

2009-04-13 11:09 . 2009-04-13 11:09 232 ---ha-w C:\sqmdata04.sqm

2009-04-13 11:08 . 2009-04-13 11:08 244 ---ha-w C:\sqmnoopt03.sqm

2009-04-13 11:08 . 2009-04-13 11:08 232 ---ha-w C:\sqmdata03.sqm

2009-04-13 11:07 . 2009-04-13 11:07 244 ---ha-w C:\sqmnoopt02.sqm

2009-04-13 11:07 . 2009-04-13 11:07 232 ---ha-w C:\sqmdata02.sqm

2009-04-13 09:45 . 2009-04-13 09:45 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-13

2009-04-12 10:09 . 2009-04-12 10:09 -------- d--h--w c:\windows\PIF

2009-04-12 09:33 . 2009-04-12 09:33 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-12

2009-04-11 09:07 . 2009-04-11 09:07 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-11

2009-04-10 19:57 . 2009-04-16 12:56 -------- d-----w c:\documents and settings\Thomas\Pavark

2009-04-10 10:23 . 2009-04-10 10:23 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-10

2009-04-09 09:38 . 2009-04-09 09:38 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-9

2009-04-08 09:28 . 2009-04-08 09:28 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-8

2009-04-06 13:55 . 2009-04-06 13:55 -------- d-----w c:\documents and settings\Administrador\Mis documentos

2009-04-06 13:55 . 2009-04-06 13:55 -------- d-----w c:\documents and settings\Administrador

2009-04-05 17:59 . 2009-04-05 17:59 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Google

2009-03-31 20:47 . 2009-04-14 19:07 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\WinAVI

2009-03-31 13:18 . 2009-03-31 13:18 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-31

2009-03-30 11:40 . 2009-03-30 11:40 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-30

2009-03-29 10:40 . 2009-03-29 10:40 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-29

2009-03-22 21:22 . 2004-12-21 00:01 690 ----a-w c:\windows\my.ini.old

2009-03-22 19:14 . 2004-12-21 00:01 690 ----a-w c:\windows\my.ini

2009-03-22 19:13 . 2009-03-22 19:13 -------- d-----w C:\SERV-N

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-21 13:24 . 2009-04-21 13:24 13916 ----a-w C:\SAFEBOOT_REPAIR.TXT

2009-04-21 11:51 . 2009-04-21 11:44 2512 ----a-w C:\FindyKill.txt

2009-04-20 19:52 . 2009-02-07 12:58 2828 --sha-w c:\windows\system32\KGyGaAvL.sys

2009-04-20 19:50 . 2009-04-20 19:49 -------- d-----w c:\arquivos de programas\Visual Business Cards

2009-04-17 23:30 . 2008-04-12 19:30 1699447 ----a-w c:\arquivos de programas\FindyKill.exe

2009-04-16 14:12 . 2009-04-16 14:12 -------- d-----w c:\arquivos de programas\Trend Micro

2009-04-16 13:23 . 2009-04-16 13:23 -------- d-----w c:\arquivos de programas\Sophos

2009-04-15 19:45 . 2008-10-01 13:21 42065 ----a-w c:\windows\system32\Thomas's Setting.scr

2009-04-15 19:45 . 2008-10-01 13:21 42065 ----a-w c:\windows\system32\Administrador.THOMAS's Setting.scr

2009-04-15 19:45 . 2008-10-01 13:21 42065 ----a-w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\csrss.exe

2009-04-15 19:45 . 2008-10-01 13:21 42065 ----a-w c:\documents and settings\Administrador.THOMAS\Configurações locais\Dados de aplicativos\csrss.exe

2009-04-15 11:47 . 2009-04-15 11:46 -------- d-----w c:\arquivos de programas\Gilly Messenger

2009-04-15 11:42 . 2009-04-15 11:42 -------- d-----w c:\arquivos de programas\MSN Messenger

2009-04-05 17:43 . 2009-04-05 17:43 -------- d-----w c:\arquivos de programas\Google

2009-03-31 21:10 . 2009-03-31 21:10 -------- d-----w c:\arquivos de programas\NeXus RV10 & MKV Filtres

2009-03-31 20:47 . 2009-03-31 20:47 -------- d-----w c:\arquivos de programas\WinAVI Video Converter

2009-03-22 19:23 . 2009-03-22 19:23 -------- d-----w c:\arquivos de programas\Arquivos comuns\Macromedia

2009-03-22 19:23 . 2009-03-22 19:22 -------- d-----w c:\arquivos de programas\Macromedia

2009-03-22 19:23 . 2009-02-07 12:36 -------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2009-03-22 18:44 . 2009-02-11 21:43 -------- d-----w c:\arquivos de programas\Mu-Lande

2009-03-14 20:35 . 2009-03-14 20:35 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\IObit

2009-03-14 20:35 . 2009-03-14 20:35 -------- d-----w c:\arquivos de programas\IObit

2009-03-11 14:17 . 2009-03-11 14:17 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\Browzar

2009-03-10 09:46 . 2009-03-10 09:46 -------- d-----w c:\arquivos de programas\GNU

2009-02-26 18:49 . 2009-02-26 18:49 -------- d-----w c:\arquivos de programas\Audacity

2009-02-25 15:12 . 2009-02-25 15:12 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\Thinstall

2009-02-20 23:24 . 2009-02-20 23:24 -------- d-----w c:\arquivos de programas\Software WIDCOMM

2009-02-16 20:49 . 2009-02-07 12:58 46664 ----a-w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2009-02-09 21:31 . 2009-02-07 12:15 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-02-07 12:36 . 2009-02-07 12:36 90 ----a-w C:\CDSetup.log

2009-02-07 12:11 . 2009-02-07 12:11 21844 ----a-w c:\windows\system32\emptyregdb.dat

2008-04-12 19:26 . 2008-04-12 19:26 7 ----a-w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok.A10.em.bin

2004-10-01 17:00 . 2009-02-07 13:06 40960 ----a-w c:\arquivos de programas\Uninstall_CDS.exe

2004-08-04 03:45 . 2004-08-04 03:45 164583 --sha-r c:\windows\system32\pxeqog.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSScheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-02-16 159744]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

BTTray.lnk - c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe [2005-10-9 679997]

Ralink Wireless Utility.lnk - c:\arquivos de programas\RALINK\Common\RaUI.exe [2009-2-9 659456]

 

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Menu Iniciar^Programas^Inicializar^Empty.pif]

backup=c:\windows\pss\Empty.pifStartup

path=c:\documents and settings\Thomas\Menu Iniciar\Programas\Inicializar\Empty.pif

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"d:\\Softwares\\torrent\\utorrent\\utorrent.exe"=

"c:\\Arquivos de programas\\Arquivos comuns\\InstallShield\\UpdateService\\issch.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\system32\\ping.exe"=

"c:\\Documents and Settings\\Thomas\\Configurações locais\\Dados de aplicativos\\csrss.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Software WIDCOMM\\Bluetooth\\BTTray.exe"=

"c:\\Arquivos de programas\\RALINK\\Common\\RaUI.exe"=

"c:\\WINDOWS\\system32\\dwwin.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=

"c:\\FindyKill\\Tools\\winupgro.exe"=

"c:\\FindyKill\\Tools\\Process.exe"=

"c:\\WINDOWS\\system32\\cmd.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4154:TCP"= 4154:TCP:gupmuu

 

R1 avfwot;avfwot; [x]

R2 anajxpcfh;Microsoft Update;c:\windows\system32\svchost.exe [2004-08-04 14336]

R3 avfwim;AvFw Packet Filter Miniport; [x]

R3 MEMSWEEP2;MEMSWEEP2; [x]

 

 

--- ---

 

*NewlyCreated* - ASC3360PR

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

anajxpcfh

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d3d224a-29e9-11de-b993-00059e85e080}]

\sHell\AutopLay\COmmand - F:\lspb.exe

\sHell\AutoRun\command - F:\lspb.exe

\sHell\eXPloRe\CommANd - F:\lspb.exe

\sHell\open\comMaNd - F:\lspb.exe

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

IE: c:\arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143} = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Thomas\Dados de aplicativos\Mozilla\Firefox\Profiles\jomn7qa6.default\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos:

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\2.tmp"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\SERV-N\apache\mysql\bin\mysqld-nt --defaults-file=\SERV-N\apache\mysql\bin\my.cnf MySQL"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\anajxpcfh]

"ServiceDll"="c:\windows\system32\pxeqog.dll"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\serv-n\apache\Apache.exe

c:\arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

c:\serv-n\apache\mysql\bin\mysqld-nt.exe

c:\arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

c:\serv-n\apache\Apache.exe

c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTStackServer.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-04-21 10:49 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-04-21 13:49

ComboFix2.txt 2009-03-14 20:26

 

Pré-execução: 12 pasta(s) 27.223.056.384 bytes disponíveis

Pós execução: 11 pasta(s) 27.125.526.528 bytes disponíveis

 

200

-----------------------------------------

HijackThis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:56:02, on 21/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\SERV-N\apache\mysql\bin\mysqld-nt.exe

C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\DOCUME~1\Thomas\CONFIG~1\Temp\winffcil.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143}: NameServer = 192.168.0.1

O23 - Service: Apache - Unknown owner - C:\SERV-N\apache\Apache.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: MySQL - Unknown owner - \SERV-N\apache\mysql\bin\mysqld-nt.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

 

--

End of file - 3919 bytes


Good afternoon, Thomas Anderson!

 

<!> Post the FindyKill report and install one more memory stick in your PC. ( +256Mb )

<><><><><><><><><><><>

Insert your removable drive(s), if you have any, into the USB port. ( pendrive, mp3, mp4, iPods, etc... )

<@> Select and copy all of the content in the QUOTE area into Notepad.

<@> Save it on the Desktop with the name: CFScript.txt

 

Driver::

"avfwot"

"anajxpcfh"

"avfwim"

"MEMSWEEP2"

"ASC3360PR"

Netsvc::

"anajxpcfh"

File::

c:\documents and settings\Administrador.THOMAS\Configurações locais\Dados de aplicativos\csrss.exe

c:\Documents and Settings\Thomas\Configurações locais\Dados de aplicativos\csrss.exe

C:\Documents and Settings\Thomas\Configurações locais\Dados de aplicativos\smss.exe

c:\documents and settings\Thomas\Menu Iniciar\Programas\Inicializar\Empty.pif

c:\windows\system32\Administrador.THOMAS's Setting.scr

C:\DOCUME~1\Thomas\CONFIG~1\Temp\winffcil.exe

c:\windows\system32\Thomas's Setting.scr

c:\windows\pss\Empty.pifStartup

c:\FindyKill\Tools\winupgro.exe

c:\windows\system32\pxeqog.dll

c:\windows\system32\2.tmp

F:\lspb.exe

Folder::

c:\FindyKill\Tools

c:\FindyKill

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d3d224a-29e9-11de-b993-00059e85e080}]

[-HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Menu Iniciar^Programas^Inicializar^Empty.pif]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4154:TCP"=""

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\anajxpcfh]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000000

"FirewallOverride"=dword:00000000

<@> PS: Do not use this script on another machine!

<@> Drag CFScript.txt onto the ComboFix icon.

<@> See the demonstration!

 


 

<@> Accept the prompt that should appear asking to run ComboFix.

<@> PS: Keep dragging until that prompt appears! ( window )

<@> When it finishes, post the reports: C:\ComboFix.txt + an updated HijackThis log.

 

Cheers!
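Added example (not the forum's, the helper's or ComboFix's own code): a small parser that reads the REGEDIT4-style sections of a ComboFix report and flags the entry types the CFScript above removes (Security Center overrides, firewall port exceptions, a service slipped into the svchost NetSvcs group with its ServiceDll, and MountPoints2 shell verbs pointing at a removable drive). The category names are mine, and the sample excerpt is constructed from the values in the posted log.

```python
"""Flag the self-defence and persistence indicators in a ComboFix log excerpt.

Added example for this thread, not ComboFix's own code. The category names
are my own; SAMPLE_LOG is constructed from the values in the posted report.
"""
import re

# Constructed sample: excerpts in the shape of the ComboFix report posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4154:TCP"= 4154:TCP:gupmuu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
anajxpcfh

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d3d224a-29e9-11de-b993-00059e85e080}]
\sHell\AutopLay\COmmand - F:\lspb.exe
\sHell\AutoRun\command - F:\lspb.exe

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\anajxpcfh]
"ServiceDll"="c:\windows\system32\pxeqog.dll"
"""

SECTION_RE = re.compile(r'^\[-?(.+)\]$')          # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')         # "Name"=data
SHELL_CMD_RE = re.compile(r'^\\shell\\(\w+)\\command\s+-\s+(.+)$', re.IGNORECASE)
NETSVCS_HEADER = 'Svchost - NetSvcs'               # ComboFix prints this list without brackets


def parse_sections(text):
    """Group the log's lines under the header they belong to, keeping log order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line.endswith(NETSVCS_HEADER):
            current = NETSVCS_HEADER
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def dword_value(data):
    """Integer of a REGEDIT4 'dword:XXXXXXXX' value, or None for other value types."""
    return int(data[6:], 16) if data.startswith('dword:') else None


def find_indicators(text):
    """Return (category, detail) findings; an empty list means nothing was flagged."""
    findings = []
    sections = parse_sections(text)
    netsvcs = set(sections.get(NETSVCS_HEADER, []))
    for header, lines in sections.items():
        key = header.lower()
        leaf = header.rsplit('\\', 1)[-1]          # last path component: the service name
        if key.endswith('security center'):
            # Override=1 silences the "no antivirus / no firewall" warnings
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group(1).endswith('Override') and dword_value(m.group(2)):
                    findings.append(('security-center', f'{m.group(1)} set to 1: warnings suppressed'))
        elif 'globallyopenports' in key:
            # Every entry here is an inbound firewall exception; report it with its label
            for line in lines:
                m = VALUE_RE.match(line)
                if m:
                    label = m.group(2).strip() or '(no label)'
                    findings.append(('firewall-open-port', f'{m.group(1)} opened as {label}'))
        elif 'mountpoints2' in key:
            # Shell verbs of a drive rewritten to launch a file on that drive (autorun hijack)
            for line in lines:
                m = SHELL_CMD_RE.match(line)
                if m:
                    findings.append(('autorun-hijack', f'{m.group(1)} verb runs {m.group(2)}'))
        elif leaf in netsvcs:
            # A service added to the svchost NetSvcs group: its DLL runs inside svchost.exe
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group(1) == 'ServiceDll':
                    dll = m.group(2).strip('"')
                    findings.append(('netsvcs-service', f'{leaf} loads {dll} in svchost'))
    return findings


if __name__ == '__main__':
    for category, detail in find_indicators(SAMPLE_LOG):
        print(f'{category:20} {detail}')
```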


That ComboFix script made two messages I hadn't seen in weeks reappear: Windows Updates and Firewall.

 

FINDYKILL

 

############################## [ FindyKill V4.724 ]

 

# User : Thomas (Administradores) # THOMAS

# Update on 15/04/09 by Chiquitine29

# Start at: 05:03:34 | 26/4/2009

# Website : http://pagesperso-orange.fr/FindyKill.Ad.Remover/

 

# Intel® Celeron® CPU 1.80GHz

# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2

# Internet Explorer 6.0.2900.2180

# Windows Firewall Status : Enabled

# AV : Kaspersky Internet Security 7.0.0.125 [ (!) Disabled | (!) Outdated ]

# FW : Kaspersky Internet Security[ (!) Disabled ]7.0.0.125

 

# A:\ # Unidade de disquete de 3 1/2 polegadas

# C:\ # Disco fixo local # 38,28 Go (26,2 Go free) # NTFS

# D:\ # Disco fixo local # 74,52 Go (25,95 Go free) # NTFS

# E:\ # Disco CD-ROM

# F:\ # Disco removível # 1,87 Go (976,12 Mo free) # FAT

 

############################## [ Active Processes ]

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\logonui.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\SERV-N\apache\mysql\bin\mysqld-nt.exe

C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

C:\SERV-N\apache\Apache.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

################## [ C:\WINDOWS # C:\WINDOWS\Prefetch ]

 

Deleted ! C:\WINDOWS\Prefetch\PATCH CRACK.EXE-1D54A9BE.pf

 

################## [ C:\WINDOWS\System32... ]

 

 

################## [ C:\Users\...\AppData\Roaming ]

 

 

################## [ Cleaning .. Temp Files... ]

 

 

################## [ Registry / Infected keys ]

 

 

################## [ Cleaning Removable drives ]

 

# Deleting Files :

 

 

Deleted ! F:\autorun.inf

Deleted ! F:\fooool.exe

 

################## [ Registry / Mountpoint2 ]

 

Deleted ! HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bce2403e-2f78-11de-b9c5-00059e85e080}\Shell\AutoRun\command

Deleted ! HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bce2403e-2f78-11de-b9c5-00059e85e080}\Shell\explore\Command

Deleted ! HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bce2403e-2f78-11de-b9c5-00059e85e080}\Shell\open\Command

 

################## [ States / Restarting of services ]

 

# Services : [ Auto=2 / Request=3 / Disable=4 ]

 

# Ndisuio -> # Type of startup =3

# Ip6Fw -> # Type of startup =2

# SharedAccess -> # Type of startup =2

# wuauserv -> # Type of startup =2

# wscsvc -> # Type of startup =2

 

################## [ Searching Other Infections ]

 

# Références de comparaison Bagle MD5 :

 

File ... : C:\Qoobox\Quarantine\C\FindyKill\Tools\winupgro.exe.vir

CRC32 .. : 6ee512dd

MD5 .... : 3fb5b824b442bf26fa87974dbe894c29

 

# -> Nothing found.

 

################## [ ! End of Report # FindyKill V4.724 ! ]

 

 

 

COMBOFIX

 

ComboFix 09-04-25.A3 - Thomas 26/04/2009 4:51.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.254.75 [GMT -3:00]

Executando de: c:\documents and settings\Thomas\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Thomas\Desktop\CFScript.txt

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)

FW: Kaspersky Internet Security *disabled*

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

 

FILE ::

c:\docume~1\Thomas\CONFIG~1\Temp\winffcil.exe

c:\documents and settings\Administrador.THOMAS\Configurações locais\Dados de aplicativos\csrss.exe

c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\csrss.exe

c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\smss.exe

c:\documents and settings\Thomas\Menu Iniciar\Programas\Inicializar\Empty.pif

c:\findykill\Tools\winupgro.exe

c:\windows\pss\Empty.pifStartup

c:\windows\system32\2.tmp

c:\windows\system32\Administrador.THOMAS's Setting.scr

c:\windows\system32\pxeqog.dll

c:\windows\system32\Thomas's Setting.scr

F:\lspb.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Administrador.THOMAS\Configurações locais\Dados de aplicativos\csrss.exe

c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\csrss.exe

c:\FindyKill

c:\findykill\FindyKill.cmd

c:\findykill\Tools\7-zip32.dll

c:\findykill\Tools\7z.exe

c:\findykill\Tools\Avert_C.vbs

c:\findykill\Tools\Avert_E.vbs

c:\findykill\Tools\Avert_F.vbs

c:\findykill\Tools\Fdc.reg

c:\findykill\Tools\fsum.exe

c:\findykill\Tools\FyK.ico

c:\findykill\Tools\FYKS.exe

c:\findykill\Tools\GREP.EXE

c:\findykill\Tools\Header.vbs

c:\findykill\Tools\IZARCE.exe

c:\findykill\Tools\Limpia

c:\findykill\Tools\Process.exe

c:\findykill\Tools\REFMD5.def

c:\findykill\Tools\RegB.reg

c:\findykill\Tools\SP2.reg

c:\findykill\Tools\SP3.reg

c:\findykill\Tools\swreg.exe

c:\findykill\Tools\Uac.reg

c:\findykill\Tools\unrar.dll

c:\findykill\Tools\Usb_C.vbs

c:\findykill\Tools\Usb_E.vbs

c:\findykill\Tools\Usb_F.vbs

c:\findykill\Tools\Vista.reg

c:\findykill\Tools\winupgro.exe

c:\findykill\Uninstal.exe

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

c:\windows\pss\Empty.pifStartup

c:\windows\system32\Administrador.THOMAS's Setting.scr

c:\windows\system32\explorer.exe

c:\windows\system32\pxeqog.dll

c:\windows\system32\Thomas's Setting.scr

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ANAJXPCFH

-------\Legacy_ASC3360PR

-------\Legacy_AVFWOT

-------\Legacy_MEMSWEEP2

-------\Service_anajxpcfh

-------\Service_asc3360pr

-------\Service_avfwim

-------\Service_avfwot

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-05-26 to 2009-4-26 ))))))))))))))))))))))))))))

.

 

2009-12-26 15:19 . 2009-12-26 15:19 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\ConeXware

2009-12-25 16:32 . 2009-12-25 16:32 36232 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-24 01:34 . 2009-12-27 06:43 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\mIRC

2009-04-24 01:34 . 2009-12-27 04:51 -------- d-----w c:\arquivos de programas\mIRC

2009-04-22 20:04 . 2006-11-25 13:11 2560 --sh--r c:\windows\system32\fooool.exe

2009-04-21 13:52 . 2009-04-21 13:52 244 ---ha-w C:\sqmnoopt15.sqm

2009-04-21 13:52 . 2009-04-21 13:52 232 ---ha-w C:\sqmdata15.sqm

2009-04-21 13:52 . 2009-04-21 13:52 244 ---ha-w C:\sqmnoopt14.sqm

2009-04-21 13:52 . 2009-04-21 13:52 232 ---ha-w C:\sqmdata14.sqm

2009-04-21 13:52 . 2009-04-21 13:52 244 ---ha-w C:\sqmnoopt13.sqm

2009-04-21 13:52 . 2009-04-21 13:52 232 ---ha-w C:\sqmdata13.sqm

2009-04-21 13:51 . 2009-04-21 13:51 244 ---ha-w C:\sqmnoopt12.sqm

2009-04-21 13:51 . 2009-04-21 13:51 232 ---ha-w C:\sqmdata12.sqm

2009-04-21 13:50 . 2009-04-21 13:50 244 ---ha-w C:\sqmnoopt11.sqm

2009-04-21 13:50 . 2009-04-21 13:50 232 ---ha-w C:\sqmdata11.sqm

2009-04-21 13:23 . 2009-04-21 13:23 288654 ----a-w C:\SafeBootKeyRepair.exe

2009-04-21 13:20 . 2009-04-21 13:20 244 ---ha-w C:\sqmnoopt10.sqm

2009-04-21 13:20 . 2009-04-21 13:20 232 ---ha-w C:\sqmdata10.sqm

2009-04-20 19:49 . 2009-04-20 19:50 -------- d-----w c:\arquivos de programas\Visual Business Cards

2009-04-16 14:12 . 2009-04-16 14:12 -------- d-----w c:\arquivos de programas\Trend Micro

2009-04-16 14:03 . 2009-04-16 14:03 244 ---ha-w C:\sqmnoopt00.sqm

2009-04-16 14:03 . 2009-04-16 14:03 232 ---ha-w C:\sqmdata00.sqm

2009-04-16 13:23 . 2009-04-16 13:23 -------- d-----w c:\arquivos de programas\Sophos

2009-04-16 11:37 . 2009-04-16 11:38 -------- d--h--w c:\windows\system32\GroupPolicy

2009-04-16 09:57 . 2009-04-16 09:57 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-16

2009-04-15 19:22 . 2009-04-21 14:11 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab

2009-04-15 17:27 . 2009-04-15 17:27 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files

2009-04-15 11:46 . 2009-04-15 11:47 -------- d-----w c:\arquivos de programas\Gilly Messenger

2009-04-15 11:43 . 2009-04-15 12:34 -------- d-----w c:\documents and settings\Thomas\Contacts

2009-04-15 11:42 . 2009-04-15 11:42 -------- dc----w c:\windows\system32\DRVSTORE

2009-04-15 11:42 . 2009-04-15 11:42 -------- d-----w c:\arquivos de programas\MSN Messenger

2009-04-15 09:03 . 2009-04-15 09:03 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-15

2009-04-14 18:52 . 2009-04-14 18:52 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Adobe

2009-04-13 18:16 . 2009-04-13 18:16 244 ---ha-w C:\sqmnoopt09.sqm

2009-04-13 18:16 . 2009-04-13 18:16 232 ---ha-w C:\sqmdata09.sqm

2009-04-13 18:09 . 2009-04-13 18:09 244 ---ha-w C:\sqmnoopt08.sqm

2009-04-13 18:09 . 2009-04-13 18:09 232 ---ha-w C:\sqmdata08.sqm

2009-04-13 18:08 . 2009-04-13 18:08 244 ---ha-w C:\sqmnoopt07.sqm

2009-04-13 18:08 . 2009-04-13 18:08 232 ---ha-w C:\sqmdata07.sqm

2009-04-13 11:21 . 2009-04-13 11:21 244 ---ha-w C:\sqmnoopt06.sqm

2009-04-13 11:21 . 2009-04-13 11:21 232 ---ha-w C:\sqmdata06.sqm

2009-04-13 11:14 . 2009-04-13 11:14 244 ---ha-w C:\sqmnoopt05.sqm

2009-04-13 11:14 . 2009-04-13 11:14 232 ---ha-w C:\sqmdata05.sqm

2009-04-13 11:09 . 2009-04-13 11:09 244 ---ha-w C:\sqmnoopt04.sqm

2009-04-13 11:09 . 2009-04-13 11:09 232 ---ha-w C:\sqmdata04.sqm

2009-04-13 11:08 . 2009-04-13 11:08 244 ---ha-w C:\sqmnoopt03.sqm

2009-04-13 11:08 . 2009-04-13 11:08 232 ---ha-w C:\sqmdata03.sqm

2009-04-13 11:07 . 2009-04-13 11:07 244 ---ha-w C:\sqmnoopt02.sqm

2009-04-13 11:07 . 2009-04-13 11:07 232 ---ha-w C:\sqmdata02.sqm

2009-04-13 09:45 . 2009-04-13 09:45 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-13

2009-04-12 10:09 . 2009-04-12 10:09 -------- d--h--w c:\windows\PIF

2009-04-12 09:33 . 2009-04-12 09:33 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-12

2009-04-11 09:07 . 2009-04-11 09:07 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-11

2009-04-10 19:57 . 2009-04-16 12:56 -------- d-----w c:\documents and settings\Thomas\Pavark

2009-04-10 10:23 . 2009-04-10 10:23 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-10

2009-04-09 09:38 . 2009-04-09 09:38 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-9

2009-04-08 09:28 . 2009-04-08 09:28 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-8

2009-04-06 13:55 . 2009-04-06 13:55 -------- d-----w c:\documents and settings\Administrador\Mis documentos

2009-04-06 13:55 . 2009-04-06 13:55 -------- d-----w c:\documents and settings\Administrador

2009-04-05 17:59 . 2009-04-05 17:59 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Google

2009-04-05 17:43 . 2009-04-05 17:43 -------- d-----w c:\arquivos de programas\Google

2009-03-31 21:10 . 2009-03-31 21:10 -------- d-----w c:\arquivos de programas\NeXus RV10 & MKV Filtres

2009-03-31 20:47 . 2009-04-14 19:07 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\WinAVI

2009-03-31 20:47 . 2009-03-31 20:47 -------- d-----w c:\arquivos de programas\WinAVI Video Converter

2009-03-31 13:18 . 2009-03-31 13:18 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-31

2009-03-30 11:40 . 2009-03-30 11:40 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-30

2009-03-29 10:40 . 2009-03-29 10:40 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-29

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-26 13:44 . 2009-02-07 12:58 2828 --sha-w c:\windows\system32\KGyGaAvL.sys

2009-04-21 13:24 . 2009-04-21 13:24 13916 ----a-w C:\SAFEBOOT_REPAIR.TXT

2009-04-21 11:51 . 2009-04-21 11:44 2512 ----a-w C:\FindyKill.txt

2009-04-17 23:30 . 2008-04-12 19:30 1699447 ----a-w c:\arquivos de programas\FindyKill.exe

2009-03-22 19:23 . 2009-03-22 19:23 -------- d-----w c:\arquivos de programas\Arquivos comuns\Macromedia

2009-03-22 19:23 . 2009-03-22 19:22 -------- d-----w c:\arquivos de programas\Macromedia

2009-03-22 19:23 . 2009-02-07 12:36 -------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2009-03-22 18:44 . 2009-02-11 21:43 -------- d-----w c:\arquivos de programas\Mu-Lande

2009-03-14 20:35 . 2009-03-14 20:35 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\IObit

2009-03-14 20:35 . 2009-03-14 20:35 -------- d-----w c:\arquivos de programas\IObit

2009-03-11 14:17 . 2009-03-11 14:17 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\Browzar

2009-03-10 09:46 . 2009-03-10 09:46 -------- d-----w c:\arquivos de programas\GNU

2009-02-26 18:49 . 2009-02-26 18:49 -------- d-----w c:\arquivos de programas\Audacity

2009-02-25 15:12 . 2009-02-25 15:12 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\Thinstall

2009-02-16 20:49 . 2009-02-07 12:58 46664 ----a-w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2009-02-09 21:31 . 2009-02-07 12:15 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-02-07 12:36 . 2009-02-07 12:36 90 ----a-w C:\CDSetup.log

2009-02-07 12:11 . 2009-02-07 12:11 21844 ----a-w c:\windows\system32\emptyregdb.dat

2008-04-12 19:26 . 2008-04-12 19:26 7 ----a-w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok.A10.em.bin

2004-10-01 17:00 . 2009-02-07 13:06 40960 ----a-w c:\arquivos de programas\Uninstall_CDS.exe

2006-11-25 13:11 . 2009-04-22 20:04 2560 --sh--r c:\windows\system32\fooool.exe

.

 

((((((((((((((((((((((((((((( SnapShot@2009-04-21_13.47.40 )))))))))))))))))))))))))))))))))))))))))

.

- 2001-10-28 18:07 . 2008-04-12 19:43 49804 c:\windows\system32\perfc016.dat

+ 2001-10-28 18:07 . 1794-12-25 11:24 49804 c:\windows\system32\perfc016.dat

- 2001-10-28 18:07 . 2008-04-12 19:43 40972 c:\windows\system32\perfc009.dat

+ 2001-10-28 18:07 . 1794-12-25 11:24 40972 c:\windows\system32\perfc009.dat

+ 2009-02-07 12:10 . 2001-10-28 18:07 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat

+ 2009-12-26 15:19 . 2009-12-26 15:19 65952 c:\windows\Installer\{BFED0415-14A8-40D9-A4D0-F749606E63D2}\POWERARC.exe

- 2001-10-28 18:07 . 2008-04-12 19:43 347648 c:\windows\system32\perfh016.dat

+ 2001-10-28 18:07 . 1794-12-25 11:24 347648 c:\windows\system32\perfh016.dat

+ 2001-10-28 18:07 . 1794-12-25 11:24 314644 c:\windows\system32\perfh009.dat

- 2001-10-28 18:07 . 2008-04-12 19:43 314644 c:\windows\system32\perfh009.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSScheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-02-16 163840]

"ISUSPM Startup"="c:\arquiv~1\arquiv~1\instal~1\update~1\isuspm.exe" [2005-02-16 290816]

"Barsaka"="explorer.exe" - c:\windows\explorer.exe [2004-08-04 1034240]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

BTTray.lnk - c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe [2005-10-9 679997]

Ralink Wireless Utility.lnk - c:\arquivos de programas\RALINK\Common\RaUI.exe [2009-2-9 671744]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"d:\\Softwares\\torrent\\utorrent\\utorrent.exe"=

"c:\\Arquivos de programas\\Arquivos comuns\\InstallShield\\UpdateService\\issch.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\system32\\ping.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Software WIDCOMM\\Bluetooth\\BTTray.exe"=

"c:\\Arquivos de programas\\RALINK\\Common\\RaUI.exe"=

"c:\\WINDOWS\\system32\\dwwin.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=

"c:\\WINDOWS\\system32\\cmd.exe"=

"d:\\Softwares\\Anti virus\\Virus Removal Tool\\400000700002i\\Splash.exe"=

"c:\\arquiv~1\\arquiv~1\\instal~1\\update~1\\isuspm.exe"=

"c:\\Arquivos de programas\\mIRC\\mirc.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4154:TCP"=

 

--- ---

 

*NewlyCreated* - ASC3360PR

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bce2403e-2f78-11de-b9c5-00059e85e080}]

\Shell\AutoRun\command - F:\fooool.exe

\Shell\explore\Command - F:\fooool.exe

\Shell\open\Command - F:\fooool.exe

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

IE: c:\arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143} = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Thomas\Dados de aplicativos\Mozilla\Firefox\Profiles\jomn7qa6.default\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-26 04:56

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\SERV-N\apache\mysql\bin\mysqld-nt --defaults-file=\SERV-N\apache\mysql\bin\my.cnf MySQL"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\serv-n\apache\Apache.exe

c:\arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

c:\serv-n\apache\mysql\bin\mysqld-nt.exe

c:\arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

c:\serv-n\apache\Apache.exe

c:\windows\system32\wscntfy.exe

c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTStackServer.exe

c:\docume~1\Thomas\CONFIG~1\temp\uiqoo.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-04-26 5:00 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-04-26 08:00

ComboFix2.txt 2009-04-21 13:49

ComboFix3.txt 2009-03-14 20:26

 

Pré-execução: 12 pasta(s) 28.102.180.864 bytes disponíveis

Pós execução: 10 pasta(s) 28.115.300.352 bytes disponíveis

 

263

 

 

HIJACKTHIS

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 05:31:11, on 26/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\SERV-N\apache\mysql\bin\mysqld-nt.exe

C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

C:\SERV-N\apache\Apache.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [barsaka] explorer.exe

O4 - HKLM\..\Run: [iSUSPM Startup] c:\arquiv~1\arquiv~1\instal~1\update~1\isuspm.exe -startup

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143}: NameServer = 192.168.0.1

O23 - Service: Apache - Unknown owner - C:\SERV-N\apache\Apache.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: MySQL - Unknown owner - \SERV-N\apache\mysql\bin\mysqld-nt.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

 

--

End of file - 3916 bytes

 

Thanks


Good afternoon, Thomas Anderson!

 

<@> Download: < PureRa 1.3 > ( ...by RaProducts )

<@> Save it to the desktop! <-- Extract it from the zip!

<@> Run: PureRa.exe --> Click Clean.

<@> On the right, tick the option: "Check All"

<@> Click the Clean Selected button --> Wait!

<@> When it finishes ( Finished ), click Exit.

<><><><><><><><><><><>

Plug your removable drive(s), if you have any, into the USB port. ( pen drive, mp3, mp4, iPods, etc... )

<@> Select and copy everything in the QUOTE box into Notepad.

<@> Save it on the Desktop with the name: CFScript.txt

 

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bce2403e-2f78-11de-b9c5-00059e85e080}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Barsaka"=-

Dirlook::

c:\windows\system32\GroupPolicy

File::

c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok.A10.em.bin

c:\docume~1\Thomas\CONFIG~1\temp\uiqoo.exe

c:\windows\system32\explorer.exe

c:\windows\system32\fooool.exe

F:\fooool.exe

Driver::

"ASC3360PR"

<@> PS: Do not use this script on another machine!

<@> Drag CFScript.txt onto the ComboFix icon.

<@> See the demonstration!

 

[animated demonstration image]

 

<@> Accept the prompt that should appear to run ComboFix.

<@> PS: Repeat the drag until that prompt ( window ) appears!

<@> When it finishes, post the reports: C:\ComboFix.txt + an updated HijackThis log.

 

Cheers!

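As an added example that is not the helper's tool or anything posted in this thread, the Python script below turns the three things the CFScript above removes (a Run value that launches a bare `explorer.exe`, executables running from Temp, and mountpoints2 autorun commands pointing at F:\fooool.exe) into reusable checks over HijackThis/ComboFix-style log lines. The sample lines are constructed to match the output posted here; the reason labels and the canonical-directory table are my own.

```python
"""Triage for HijackThis / ComboFix-style log lines (added example, not a
tool from this thread): the three findings the CFScript above acts on,
written as reusable checks and run over constructed sample lines."""
import re
from typing import List, Tuple

# Where a few Windows XP system binaries genuinely live. The same file name in
# any other directory (the CFScript deletes a system32\explorer.exe) is a
# masquerade worth a second look.
CANONICAL_DIR = {
    "explorer.exe": "c:\\windows",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
}

# HijackThis O4 line: "O4 - HKLM\..\Run: [name] command".
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]+\] (?P<cmd>.+)$", re.I)
# ComboFix mountpoints2 line: "\Shell\AutoRun\command - F:\something.exe".
AUTORUN_RE = re.compile(r"^\\Shell\\\w+\\command - [a-z]:\\.+$", re.I)
# A bare full path to an executable ("Running processes:" or File:: blocks).
PROC_RE = re.compile(r"^(?P<path>[a-z]:\\.+\.exe)$", re.I)


def _executable(cmd: str) -> str:
    """Return the program part of a Run command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def _check_path(path: str) -> List[str]:
    """Heuristics for one executable path."""
    reasons = []
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    if "\\temp\\" in low:  # uiqoo.exe / nhac.exe in the thread
        reasons.append("runs-from-temp")
    canonical = CANONICAL_DIR.get(name)  # system name outside its home
    if canonical is not None and directory != canonical:
        reasons.append("system-name-wrong-directory")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every log line that trips a check."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # A bare file name ("explorer.exe") is resolved through the
            # executable search path, not a fixed location, so a dropped
            # copy in a directory searched earlier can be the one that runs.
            if "\\" not in _executable(m.group("cmd")):
                findings.append(("run-entry-bare-name", line))
            continue
        if AUTORUN_RE.match(line):
            # Autorun verbs on a mounted volume that point at an executable
            # on that same volume: the removable-drive spreading pattern.
            findings.append(("removable-autorun", line))
            continue
        m = PROC_RE.match(line)
        if m:
            findings.extend((r, line) for r in _check_path(m.group("path")))
    return findings


# Constructed sample, shaped like the HijackThis/ComboFix lines in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Thomas\CONFIG~1\Temp\nhac.exe
c:\windows\system32\explorer.exe
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [barsaka] explorer.exe
\Shell\AutoRun\command - F:\fooool.exe
\Shell\open\Command - F:\fooool.exe
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:28} {line}")
```

Running it against a full HijackThis or ComboFix log is a triage aid only: every hit still needs to be confirmed against the file itself before anything is deleted.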

Wow, looks like the PC was bursting with viruses, huh.... ^^

 

COMBOFIX ----------------------------------------------------------------------------------------------------------------------------------------------------

 

ComboFix 09-04-25.A3 - Thomas 27/04/2009 3:19.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.254.85 [GMT -3:00]

Executando de: c:\documents and settings\Thomas\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Thomas\Desktop\CFScript.txt

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)

FW: Kaspersky Internet Security *disabled*

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

 

FILE ::

c:\docume~1\Thomas\CONFIG~1\temp\uiqoo.exe

c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok.A10.em.bin

c:\windows\system32\explorer.exe

c:\windows\system32\fooool.exe

F:\fooool.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok.A10.em.bin

c:\windows\system32\fooool.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ASC3360PR

-------\Service_asc3360pr

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-05-27 to 2009-4-27 ))))))))))))))))))))))))))))

.

 

2009-12-26 15:19 . 2009-12-26 15:19 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\ConeXware

2009-12-25 16:32 . 2009-12-25 16:32 36232 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-26 08:01 . 2009-04-26 08:09 -------- d-----w C:\FindyKill

2009-04-24 01:34 . 2009-04-26 08:51 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\mIRC

2009-04-24 01:34 . 2009-04-26 08:43 -------- d-----w c:\arquivos de programas\mIRC

2009-04-21 13:23 . 2009-04-21 13:23 288654 ----a-w C:\SafeBootKeyRepair.exe

2009-04-20 19:49 . 2009-04-20 19:50 -------- d-----w c:\arquivos de programas\Visual Business Cards

2009-04-16 14:12 . 2009-04-16 14:12 -------- d-----w c:\arquivos de programas\Trend Micro

2009-04-16 13:23 . 2009-04-16 13:23 -------- d-----w c:\arquivos de programas\Sophos

2009-04-16 11:37 . 2009-04-16 11:38 -------- d--h--w c:\windows\system32\GroupPolicy

2009-04-16 09:57 . 2009-04-16 09:57 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-16

2009-04-15 19:22 . 2009-04-21 14:11 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab

2009-04-15 17:27 . 2009-04-15 17:27 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files

2009-04-15 11:46 . 2009-04-15 11:47 -------- d-----w c:\arquivos de programas\Gilly Messenger

2009-04-15 11:43 . 2009-04-15 12:34 -------- d-----w c:\documents and settings\Thomas\Contacts

2009-04-15 11:42 . 2009-04-15 11:42 -------- dc----w c:\windows\system32\DRVSTORE

2009-04-15 11:42 . 2009-04-15 11:42 -------- d-----w c:\arquivos de programas\MSN Messenger

2009-04-15 09:03 . 2009-04-15 09:03 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-15

2009-04-14 18:52 . 2009-04-14 18:52 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Adobe

2009-04-13 09:45 . 2009-04-13 09:45 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-13

2009-04-12 10:09 . 2009-04-12 10:09 -------- d--h--w c:\windows\PIF

2009-04-12 09:33 . 2009-04-12 09:33 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-12

2009-04-11 09:07 . 2009-04-11 09:07 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-11

2009-04-10 19:57 . 2009-04-16 12:56 -------- d-----w c:\documents and settings\Thomas\Pavark

2009-04-10 10:23 . 2009-04-10 10:23 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-10

2009-04-09 09:38 . 2009-04-09 09:38 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-9

2009-04-08 09:28 . 2009-04-08 09:28 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-8

2009-04-06 13:55 . 2009-04-06 13:55 -------- d-----w c:\documents and settings\Administrador\Mis documentos

2009-04-06 13:55 . 2009-04-06 13:55 -------- d-----w c:\documents and settings\Administrador

2009-04-05 17:59 . 2009-04-05 17:59 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Google

2009-04-05 17:43 . 2009-04-05 17:43 -------- d-----w c:\arquivos de programas\Google

2009-03-31 21:10 . 2009-03-31 21:10 -------- d-----w c:\arquivos de programas\NeXus RV10 & MKV Filtres

2009-03-31 20:47 . 2009-04-14 19:07 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\WinAVI

2009-03-31 20:47 . 2009-03-31 20:47 -------- d-----w c:\arquivos de programas\WinAVI Video Converter

2009-03-31 13:18 . 2009-03-31 13:18 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-31

2009-03-30 11:40 . 2009-03-30 11:40 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-30

2009-03-29 10:40 . 2009-03-29 10:40 -------- d-----w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\Bron.tok-10-29

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-27 06:14 . 2009-04-27 06:13 41526 ----a-w C:\PureRa.txt

2009-04-26 15:40 . 2009-02-07 12:58 2828 --sha-w c:\windows\system32\KGyGaAvL.sys

2009-04-26 08:09 . 2009-04-26 08:03 3317 ----a-w C:\FindyKill.txt

2009-04-26 07:57 . 2001-10-28 18:07 49804 ----a-w c:\windows\system32\perfc016.dat

2009-04-26 07:57 . 2001-10-28 18:07 347648 ----a-w c:\windows\system32\perfh016.dat

2009-04-21 13:24 . 2009-04-21 13:24 13916 ----a-w C:\SAFEBOOT_REPAIR.TXT

2009-04-17 23:30 . 2008-04-12 19:30 1699447 ----a-w c:\arquivos de programas\FindyKill.exe

2009-03-22 19:23 . 2009-03-22 19:23 -------- d-----w c:\arquivos de programas\Arquivos comuns\Macromedia

2009-03-22 19:23 . 2009-03-22 19:22 -------- d-----w c:\arquivos de programas\Macromedia

2009-03-22 19:23 . 2009-02-07 12:36 -------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2009-03-22 18:44 . 2009-02-11 21:43 -------- d-----w c:\arquivos de programas\Mu-Lande

2009-03-14 20:35 . 2009-03-14 20:35 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\IObit

2009-03-14 20:35 . 2009-03-14 20:35 -------- d-----w c:\arquivos de programas\IObit

2009-03-11 14:17 . 2009-03-11 14:17 -------- d-----w c:\documents and settings\Thomas\Dados de aplicativos\Browzar

2009-03-10 09:46 . 2009-03-10 09:46 -------- d-----w c:\arquivos de programas\GNU

2009-02-26 18:49 . 2009-02-26 18:49 -------- d-----w c:\arquivos de programas\Audacity

2009-02-16 20:49 . 2009-02-07 12:58 46664 ----a-w c:\documents and settings\Thomas\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2009-02-09 21:31 . 2009-02-07 12:15 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-02-07 12:36 . 2009-02-07 12:36 90 ----a-w C:\CDSetup.log

2009-02-07 12:11 . 2009-02-07 12:11 21844 ----a-w c:\windows\system32\emptyregdb.dat

2004-10-01 17:00 . 2009-02-07 13:06 40960 ----a-w c:\arquivos de programas\Uninstall_CDS.exe

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

---- Directory of c:\windows\system32\GroupPolicy ----

 

2009-04-16 11:40 . 2009-04-16 12:58 390 ----a-w c:\windows\system32\GroupPolicy\User\Registry.pol

2009-04-16 11:38 . 2004-07-17 14:40 44940 ----a-w c:\windows\system32\GroupPolicy\Adm\wuau.adm

2009-04-16 11:38 . 2004-07-17 14:40 72272 ----a-w c:\windows\system32\GroupPolicy\Adm\wmplayer.adm

2009-04-16 11:38 . 2004-07-17 14:40 43086 ----a-w c:\windows\system32\GroupPolicy\Adm\conf.adm

2009-04-16 11:38 . 2004-07-24 00:42 1511114 ----a-w c:\windows\system32\GroupPolicy\Adm\inetres.adm

2009-04-16 11:38 . 2009-04-16 11:38 81 ---h--w c:\windows\system32\GroupPolicy\Adm\admfiles.ini

2009-04-16 11:38 . 2004-07-18 01:57 1913876 ----a-w c:\windows\system32\GroupPolicy\Adm\system.adm

2009-04-16 11:37 . 2009-04-16 12:58 157 ----a-w c:\windows\system32\GroupPolicy\gpt.ini

 

 

((((((((((((((((((((((((((((( SnapShot@2009-04-21_13.47.40 )))))))))))))))))))))))))))))))))))))))))

.

- 2001-10-28 18:07 . 2008-04-12 19:43 40972 c:\windows\system32\perfc009.dat

+ 2001-10-28 18:07 . 2009-04-26 07:57 40972 c:\windows\system32\perfc009.dat

+ 2009-02-07 12:10 . 2001-10-28 18:07 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat

+ 2009-12-26 15:19 . 2009-12-26 15:19 65952 c:\windows\Installer\{BFED0415-14A8-40D9-A4D0-F749606E63D2}\POWERARC.exe

+ 2001-10-28 18:07 . 2009-04-26 07:57 314644 c:\windows\system32\perfh009.dat

- 2001-10-28 18:07 . 2008-04-12 19:43 314644 c:\windows\system32\perfh009.dat

+ 2009-04-27 06:23 . 2009-04-27 06:23 200144 c:\windows\system32\FNTCACHE.DAT

- 2009-02-07 10:02 . 2009-02-15 11:36 200144 c:\windows\system32\FNTCACHE.DAT

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSScheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-02-16 163840]

"ISUSPM Startup"="c:\arquiv~1\arquiv~1\instal~1\update~1\isuspm.exe" [2005-02-16 290816]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

BTTray.lnk - c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe [2005-10-9 679997]

Ralink Wireless Utility.lnk - c:\arquivos de programas\RALINK\Common\RaUI.exe [2009-2-9 671744]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"d:\\Softwares\\torrent\\utorrent\\utorrent.exe"=

"c:\\Arquivos de programas\\Arquivos comuns\\InstallShield\\UpdateService\\issch.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\system32\\ping.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Software WIDCOMM\\Bluetooth\\BTTray.exe"=

"c:\\Arquivos de programas\\RALINK\\Common\\RaUI.exe"=

"c:\\WINDOWS\\system32\\dwwin.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=

"c:\\WINDOWS\\system32\\cmd.exe"=

"d:\\Softwares\\Anti virus\\Virus Removal Tool\\400000700002i\\Splash.exe"=

"c:\\arquiv~1\\arquiv~1\\instal~1\\update~1\\isuspm.exe"=

"c:\\Arquivos de programas\\mIRC\\mirc.exe"=

"c:\\Arquivos de programas\\Trend Micro\\HijackThis\\HijackThis.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4154:TCP"=

 

--- ---

 

*NewlyCreated* - ASC3360PR

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

IE: c:\arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143} = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Thomas\Dados de aplicativos\Mozilla\Firefox\Profiles\jomn7qa6.default\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-27 03:23

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\SERV-N\apache\mysql\bin\mysqld-nt --defaults-file=\SERV-N\apache\mysql\bin\my.cnf MySQL"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\serv-n\apache\Apache.exe

c:\arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

c:\serv-n\apache\mysql\bin\mysqld-nt.exe

c:\arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

c:\serv-n\apache\Apache.exe

c:\windows\system32\wscntfy.exe

c:\arquivos de programas\Software WIDCOMM\Bluetooth\BTStackServer.exe

c:\docume~1\Thomas\CONFIG~1\temp\nhac.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-04-27 3:27 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-04-27 06:27

ComboFix2.txt 2009-04-26 08:00

ComboFix3.txt 2009-04-21 13:49

ComboFix4.txt 2009-03-14 20:26

 

Pré-execução: 12 pasta(s) 27.823.816.704 bytes disponíveis

Pós execução: 11 pasta(s) 27.729.776.640 bytes disponíveis

 

189

 

/COMBOFIX ---------------------------------------------------------------------------------------------------------------------------------------

 

HIJACKTHIS ---------------------------------------------------------------------------------------------------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 03:33:15, on 27/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\SERV-N\apache\Apache.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\SERV-N\apache\mysql\bin\mysqld-nt.exe

C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

C:\SERV-N\apache\Apache.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\DOCUME~1\Thomas\CONFIG~1\Temp\nhac.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] c:\arquiv~1\arquiv~1\instal~1\update~1\isuspm.exe -startup

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{BC183F1A-2A70-4C7A-8D1B-E6CEAB20B143}: NameServer = 192.168.0.1

O23 - Service: Apache - Unknown owner - C:\SERV-N\apache\Apache.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: MySQL - Unknown owner - \SERV-N\apache\mysql\bin\mysqld-nt.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PSIService.exe

 

--

End of file - 4067 bytes

 

/HIJACKTHIS --------------------------------------------------------------------------------------------------------------------------------------------------------------


Good afternoon, Thomas Anderson!

 

<@> Download: < Norman Malware Cleaner >

<@> Save it to the desktop.

<@> Open the file and click Run --> Accept.

<@> Click Add to add, or Remove to remove, the drives/areas to be scanned. ( C:\*.*, D:\*.*, E:\*.*, etc... )

<@> Click "Start scan" --> Wait!

<@> When it finishes, post the report, which will be on the desktop. ( NFix_2009-xx-xx_yy-yy-yy.log ) <--

 

Cheers!

Man, I'm about to give up; since my last post I've been downloading the AV every day and it deletes itself...

<><><><><><><><><>

Hey, Thomas Anderson!

 

<!> Format the machine and then post a new HijackThis log.

 

Cheers!


Topic Archived

 

Since the author did not reply for more than 30 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of this section with the link to this topic and explain the reason for reopening.
