DigRam, posted May 3, 2009

Good morning, Carlos SP!

<!> PS: Do you still have Norton fully installed?

<><><><><><><><><><>

<@> Select and copy all of the content inside the QUOTE area into Notepad.
<@> Save it on the Desktop with the name: CFScript.txt

File::
C:\kvcxcscl.exe

Regnull::
[HKEY_USERS\s-1-5-21-3748263854-567553014-1295907222-1007\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_USERS\s-1-5-21-3748263854-567553014-1295907222-1007\Software\Policies\Microsoft\SystemCertificates\AddressBook*]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6329:TCP"=-

Rootkit::
c:\windows\system32\drivers\c26d0c32.sys

Driver::
"EraserUtilRebootDrv"
"c26d0c32"
"bqrc6bf"
"msncache"
"gluyjwm"

Netsvc::
"msncache"
"gluyjwm"

<@> PS: Do not use this script on another machine!
<@> Drag CFScript.txt onto the ComboFix icon.
<@> See the demonstration!
<@> Answer the prompt that should appear asking to run ComboFix.
<@> PS: Keep dragging until that prompt (window) appears!
<@> When it finishes, post the logs: C:\ComboFix.txt + an updated HijackThis log.

Regards!
Carlos SP, posted May 4, 2009

Good evening, DigRam!

<!> PS: Do you still have Norton fully installed?

No. I tried to reinstall it yesterday, but some failure ended the process. The first uninstall I did under guidance from Symantec's staff, but after that it was no longer possible to install the product.

By the way, could you recommend an antivirus program (free, preferably)? Right now I'm somewhat unprotected...

- ComboFix log:

ComboFix 09-05-02.4 - Carlos 03/05/2009 23:48.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.479.232 [GMT -3:00] Executando de: c:\documents and settings\Carlos\Desktop\ComboFix.exe Comandos utilizados :: c:\documents and settings\Carlos\Desktop\CFScript.txt FILE :: C:\kvcxcscl.exe . ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\kvcxcscl.exe c:\windows\system32\drivers\c26d0c32.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Serviços ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_bqrc6bf -------\Legacy_ERASERUTILREBOOTDRV -------\Legacy_GLUYJWM -------\Legacy_msncache -------\Service_bqrc6bf -------\Service_c26d0c32 -------\Service_EraserUtilRebootDrv (((((((((((((((( Arquivos/Ficheiros criados de 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))) . 2009-05-03 04:15 . 2009-05-03 05:53 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Symantec 2009-05-03 02:37 . 2009-05-03 02:37 -------- d-----w c:\documents and settings\Carlos\Dados de aplicativos\Malwarebytes 2009-05-03 02:37 . 2009-04-06 18:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-05-03 02:37 . 2009-04-06 18:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-05-03 02:37 . 2009-05-03 02:37 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes 2009-05-03 02:36 . 
2009-05-03 02:37 -------- d-----w c:\arquivos de programas\Malwarebytes' Anti-Malware 2009-05-02 01:16 . 2009-05-02 01:23 -------- d-----w C:\Virut 2009-05-01 19:11 . 2009-05-01 20:02 -------- d-----w c:\arquivos de programas\a-squared Free 2009-05-01 17:06 . 2009-05-01 17:11 -------- d-----w c:\windows\system32\NtmsData 2009-05-01 00:53 . 2009-05-01 00:53 49148496 ----a-w c:\arquivos de programas\a2FreeSetup.exe 2009-04-29 21:54 . 2009-04-29 21:55 71712 --sha-w c:\windows\system32\drivers\fidbox.dat 2009-04-29 18:46 . 2009-04-29 15:08 38473448 ----a-w c:\arquivos de programas\setup_7.0.0.290_29.04.2009_16-50.exe 2009-04-29 16:35 . 2009-04-29 16:37 -------- d-----w c:\documents and settings\Carlos\DoctorWeb 2009-04-28 01:56 . 2009-05-03 03:32 -------- d-----w C:\Hijack 2009-04-21 21:16 . 2009-04-21 21:16 -------- d-----w c:\arquivos de programas\HT NETWORKS 2009-04-21 15:00 . 2009-04-29 16:37 -------- d-----w c:\windows\system32\3361 2009-04-21 14:59 . 2009-04-29 16:37 -------- d-----w c:\windows\dhcp . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-04 02:52 . 2006-04-08 15:33 6 ---ha-w c:\windows\Tasks\SA.DAT 2009-05-03 05:50 . 2008-08-07 20:14 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF 2009-05-03 05:50 . 2008-08-07 20:14 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT 2009-04-29 21:55 . 2009-04-29 21:54 1916 --sha-w c:\windows\system32\drivers\fidbox.idx 2009-04-29 18:32 . 2008-01-28 00:57 114688 ----a-w c:\windows\system32\uha.exe 2009-04-29 18:31 . 2004-08-04 09:00 79360 ----a-w c:\windows\system32\nslookup.exe 2009-04-29 18:30 . 2004-08-04 09:00 9728 ----a-w c:\windows\system32\label.exe 2009-04-29 18:29 . 2004-08-04 09:00 7680 ----a-w c:\windows\system32\ckcnv.exe 2009-04-29 18:26 . 2004-08-04 09:00 159744 ----a-w c:\windows\pchealth\helpctr\binaries\msconfig.exe 2009-04-29 18:26 . 
2004-08-04 09:00 743936 ----a-w c:\windows\pchealth\helpctr\binaries\HelpSvc.exe 2009-04-29 18:26 . 2004-08-04 09:00 768512 ----a-w c:\windows\pchealth\helpctr\binaries\HelpCtr.exe 2009-04-29 18:11 . 2004-08-04 09:00 287744 ----a-w c:\windows\winhlp32.exe 2009-04-29 18:11 . 2008-01-21 19:43 302592 ----a-w c:\windows\unin0416.exe 2009-04-29 18:11 . 2004-08-04 09:00 25600 ----a-w c:\windows\twunk_32.exe 2009-04-29 18:11 . 2004-08-04 09:00 15360 ----a-w c:\windows\TASKMAN.EXE 2009-04-29 18:11 . 2006-01-31 21:14 544768 ----a-w c:\windows\sm56hlpr.exe 2009-04-29 18:11 . 2006-11-25 21:53 46080 ----a-w c:\windows\setdebug.exe 2009-04-29 18:11 . 2004-08-04 09:00 150528 ----a-w c:\windows\regedit.exe 2009-04-29 18:11 . 2008-08-18 20:49 306688 ----a-w c:\windows\IsUninst.exe 2009-04-29 18:11 . 2007-12-27 21:53 40960 ----a-w c:\windows\InstFunc.exe 2009-04-29 18:11 . 2006-11-25 23:29 327168 ----a-w c:\windows\IsUn0416.exe 2009-04-29 18:11 . 2005-05-26 20:22 10752 ----a-w c:\windows\hh.exe 2009-04-29 18:11 . 2005-02-25 04:33 98304 ----a-w c:\windows\dla.exe 2009-04-29 16:37 . 2004-08-04 09:00 225280 ----a-w c:\windows\system32\dmadmin.exe 2009-04-29 16:37 . 2004-08-04 09:00 15360 ----a-w c:\windows\system32\ctfmon.exe 2009-04-29 16:37 . 2004-08-04 09:00 5632 ----a-w c:\windows\system32\cisvc.exe 2009-04-22 12:53 . 2004-08-04 09:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys 2009-03-12 21:56 . 2007-05-29 22:12 -------- d-----w c:\arquivos de programas\Call of Duty 2009-02-15 19:11 . 2006-04-07 17:31 49586 ----a-w c:\windows\system32\perfc016.dat 2009-02-15 19:11 . 2006-04-07 17:31 347294 ----a-w c:\windows\system32\perfh016.dat 2009-02-09 14:17 . 2005-10-06 00:08 1846400 ----a-w c:\windows\system32\win32k.sys . 
------- Sigcheck ------- [-] 2009-04-29 16:37 15360 3DBFE7FF56149AEA6D452ED4F7140C48 c:\windows\system32\ctfmon.exe [7] 2004-08-04 09:00 15360 F40BC97996B8E53799EEF1D63996674B c:\windows\system32\dllcache\ctfmon.exe [-] 2009-04-29 16:38 24576 B57A7C16E7B27602252F543FC34D9B7F c:\windows\system32\userinit.exe [7] 2004-08-04 09:00 24576 4CA695EC1EE4C7CF2144DFA00EA0E1F7 c:\windows\system32\dllcache\userinit.exe . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "msmsgs"="c:\arquivos de programas\Messenger\msmsgs.exe" [2009-04-29 1694208] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-04-29 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "sunjavaupdatesched"="c:\arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe" [2009-04-29 36864] "isusscheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2009-04-29 81920] "isuspm startup"="c:\arquiv~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2009-04-29 221184] "hp software update"="c:\arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2009-04-29 49152] "sispower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2006-01-09 49152] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-04-29 15360] c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\ BOOKcase 4.0.lnk - c:\arquivos de programas\TEXTware\BOOKcase40\BC40CASE.exe [2008-8-18 421888] HP Digital Imaging Monitor.lnk - c:\arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Taskman"="" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32 "wave1"= serwvdrv.dll "wave2"= serwvdrv.dll "wave3"= serwvdrv.dll 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Arquivos de programas\\Messenger\\msmsgs.exe"= . . ------- Scan Suplementar ------- . uStart Page = https://login.yahoo.com/config/login_verify...=br&.src=ym IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-03 23:52 Windows 5.1.2600 Service Pack 2 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3748263854-567553014-1295907222-1007\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) [HKEY_USERS\S-1-5-21-3748263854-567553014-1295907222-1007\Software\Policies\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (S-1-5-21-3748263854-567553014-1295907222-1007) @Allowed: (Read) (S-1-5-21-3748263854-567553014-1295907222-1007) @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . ------------------------ Outros Processos em Execução ------------------------ . c:\arquivos de programas\a-squared Free\a2service.exe c:\arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\wscntfy.exe c:\arquivos de programas\HP\Digital Imaging\bin\hpqste08.exe . ***************************************************** . 
Tempo para conclusão: 2009-05-04 23:54 - Máquina reiniciou ComboFix-quarantined-files.txt 2009-05-04 02:53 ComboFix2.txt 2009-05-03 03:28 Pré-execução: 19 pasta(s) 62.230.134.784 bytes disponíveis Pós execução: 18 pasta(s) 62.316.531.712 bytes disponíveis 153 --- E O F --- 2009-03-21 16:05

-------------------------------------------------------------------------

- Updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:57:25, on 3/5/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\a-squared Free\a2service.exe C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\wscntfy.exe C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe C:\Arquivos de programas\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\TEXTware\BOOKcase40\BC40CASE.exe C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\explorer.exe C:\Hijack\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify...=br&.src=ym R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Arquivos de programas\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Arquivos de programas\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O4 - HKLM\..\Run: [sunjavaupdatesched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [sispower] Rundll32.exe SiSPower.dll,ModeAgent O4 - HKLM\..\Run: [isusscheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [isuspm startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [hp software update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe O4 - HKCU\..\Run: [msmsgs] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: BOOKcase 4.0.lnk = C:\Arquivos de programas\TEXTware\BOOKcase40\BC40CASE.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131549136390 O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing) -- End of file - 5070 bytes

----------------------------

Best regards!
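The Sigcheck block in the ComboFix log above lists, for ctfmon.exe and userinit.exe, the MD5 of the live file in system32 beside the MD5 of the copy kept in system32\dllcache; the two hashes differ, which is why those files were flagged. The script below is an added example, not code from this thread or from ComboFix, that performs the same comparison in Python over a constructed directory tree. The file names, their contents, the appended bytes that simulate a modified binary and the [-]/[=]/[?]/[!] report marks are this example's own assumptions.

```python
"""Compare live system files against reference copies by hash (file integrity check).

Added example for this thread; not ComboFix's or Sigcheck's own code. It mirrors what
the Sigcheck block in the ComboFix log reports: the hash of a file in system32 next to
the hash of its copy in system32\\dllcache, with a mismatch meaning the live file changed.
"""
import hashlib
import tempfile
from pathlib import Path


def digest_bytes(data, algorithm="md5"):
    """Upper-case hex digest of an in-memory buffer, in the notation the ComboFix log uses."""
    return hashlib.new(algorithm, data).hexdigest().upper()


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks so large binaries never have to fit in memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare_against_reference(live_dir, reference_dir, names, algorithm="md5"):
    """Return (name, status, live_hash, reference_hash) for each requested file.

    status is one of 'ok', 'modified', 'missing-live', 'missing-reference'.
    """
    results = []
    for name in names:
        live = Path(live_dir) / name
        ref = Path(reference_dir) / name
        live_hash = file_digest(live, algorithm) if live.is_file() else None
        ref_hash = file_digest(ref, algorithm) if ref.is_file() else None
        if live_hash is None:
            status = "missing-live"
        elif ref_hash is None:
            status = "missing-reference"
        elif live_hash == ref_hash:
            status = "ok"
        else:
            status = "modified"
        results.append((name, status, live_hash, ref_hash))
    return results


def build_demo_tree(root):
    """Constructed sample tree (not the machine from the thread): system32 plus a dllcache copy.

    ctfmon.exe and userinit.exe get extra bytes appended in the live copy, which is the
    kind of change that makes a live hash differ from the dllcache hash; nslookup.exe is
    left untouched; orphan.exe has no reference copy at all.
    """
    live = Path(root) / "system32"
    ref = live / "dllcache"
    ref.mkdir(parents=True)
    originals = {
        "ctfmon.exe": b"MZ constructed ctfmon image",
        "userinit.exe": b"MZ constructed userinit image",
        "nslookup.exe": b"MZ constructed nslookup image",
    }
    for name, body in originals.items():
        (ref / name).write_bytes(body)
        (live / name).write_bytes(body)
    for name in ("ctfmon.exe", "userinit.exe"):
        with open(live / name, "ab") as fh:
            fh.write(b"<constructed appended section>")
    (live / "orphan.exe").write_bytes(b"MZ constructed file with no reference copy")
    return live, ref


DEMO_NAMES = ["ctfmon.exe", "userinit.exe", "nslookup.exe", "orphan.exe"]


def format_report(results):
    """Render results in the spirit of the Sigcheck block: [-] modified, [=] ok, [?] no reference."""
    marks = {"modified": "[-]", "ok": "[=]", "missing-reference": "[?]", "missing-live": "[!]"}
    return "\n".join(f"{marks[s]} {name}  live={lh}  ref={rh}" for name, s, lh, rh in results)


def run_demo():
    """Build the sample tree in a temporary directory and return {name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        live, ref = build_demo_tree(tmp)
        results = compare_against_reference(live, ref, DEMO_NAMES)
    return {name: status for name, status, _, _ in results}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(format_report(compare_against_reference(*build_demo_tree(tmp), DEMO_NAMES)))
```

A reference copy on the same disk is only as trustworthy as the disk: whatever was able to overwrite system32 may have overwritten dllcache as well, so a conclusive check compares against hashes taken from installation media or the vendor's catalog. The example defaults to MD5 only to match the notation in the log; pass algorithm="sha256" for anything beyond a demonstration, since MD5 is no longer collision-resistant.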
DigRam, posted May 4, 2009

Good morning, Carlos SP!

<@> Go to Start --> Run --> Type or paste: combofix.exe /u --> Click OK.
<@> The following window will open: ( Open File - Security Warning )
<@> Click Run --> Wait!
<@> Finally the message "ComboFix has been uninstalled" will appear --> Click OK.
<@> If you find them, delete: C:\ComboFix <-- The folder! + C:\ComboFix.txt <-- The log!

By the way, could you recommend an antivirus program (free, preferably)? Right now I'm somewhat unprotected...

<@> Download: < Avira >
<@> Install the program --> Update it! --> Configure it --> But... do not run it yet.

<><><><><><><><><><><>

<@> Download: < > ( ...by andymanchesta )
<@> Save it to Local Disk C and unzip it right there.
<@> Restart the computer in Safe Mode. <-- Link!
<@> Double-click: < runThis.bat >
<!> If a window opens and closes abruptly! <!>
Go to Start --> Run --> Type or paste: %systemdrive%\SDFix\apps\FixPath.exe /Q --> OK!
<!> Restart the computer and run SDFix again.
<!> If that does not work, check the %comspec% variable.
<!> Right-click My Computer --> Properties --> Advanced.
<!> Under Environment Variables, check that the ComSpec variable has the following value for cmd.exe:
<!> Value: %SystemRoot%\system32\cmd.exe
<@> Press Y.
<@> Wait for it to finish!
<@> When it finishes, press Enter. ( Or any key! )
<@> The computer will restart!
<@> Wait for the cleanup to finish as well.
<@> Post the logs: Report.txt + an updated HijackThis log.

<><><><><><><><><><><>

<@> Download: < Norton Removal Tool >
<@> Run this tool, then Avira. <-- Post its log!

Regards!
Carlos SP, posted May 4, 2009

Good afternoon, DigRam!

Logs:

- SDFix:

SDFix: Version 1.240 Run by Carlos on seg 04/05/2009 at 12:22 Microsoft Windows XP [versão 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\201044~1 - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-04 12:26:22 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "h0"=dword:00000000 "khjeh"=hex:cb,81,1f,64,0e,0b,17,f1,86,b4,b6,e1,84,b5,3a,75,2f,d6,49,68,ae,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "h0"=dword:00000000 "khjeh"=hex:cb,81,1f,64,0e,0b,17,f1,86,b4,b6,e1,84,b5,3a,75,2f,d6,49,68,ae,.. scanning hidden registry entries ... scanning hidden files ... 
scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Arquivos de programas\\Messenger\\msmsgs.exe"="C:\\Arquivos de programas\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Thu 23 Apr 2009 753 ...HR --- "C:\WINDOWS\system32\drivers\etc\Hosts.bak" Finished!

----------------------------------------------------------------------

- Updated HijackThis log (before running the Norton Removal Tool and Avira):

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:29:28, on 4/5/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe C:\Arquivos de programas\a-squared Free\a2service.exe C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe C:\Arquivos de programas\Arquivos 
comuns\InstallShield\UpdateService\issch.exe C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe C:\Arquivos de programas\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\TEXTware\BOOKcase40\BC40CASE.exe C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe C:\Hijack\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify...=br&.src=ym R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Arquivos de programas\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Arquivos de programas\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O4 - HKLM\..\Run: [sunjavaupdatesched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [sispower] Rundll32.exe SiSPower.dll,ModeAgent O4 - HKLM\..\Run: [isusscheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [isuspm startup] 
C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [hp software update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [msmsgs] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: BOOKcase 4.0.lnk = C:\Arquivos de programas\TEXTware\BOOKcase40\BC40CASE.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131549136390 O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de 
programas\a-squared Free\a2service.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing) -- End of file - 5602 bytes

-----------------------------------------------------------------

- Avira log:

Avira AntiVir Personal Report file date: segunda-feira, 4 de maio de 2009 12:51 Scanning for 1376877 virus strains and unwanted programs. Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 2) [5.1.2600] Boot mode : Normally booted Username : SYSTEM Computer name : HP-AF5E76A48CD1 Version information: BUILD.DAT : 9.0.0.394 17962 Bytes 17/4/2009 11:20:00 AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/5/2009 15:07:43 AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/2/2009 13:58:24 LUKE.DLL : 9.0.3.2 209665 Bytes 20/2/2009 14:35:49 LUKERES.DLL : 9.0.2.0 12033 Bytes 27/2/2009 13:58:52 ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 15:30:36 ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/2/2009 23:33:26 ANTIVIR2.VDF : 7.1.3.137 1810944 Bytes 30/4/2009 15:07:42 ANTIVIR3.VDF : 7.1.3.149 61440 Bytes 4/5/2009 15:07:42 Engineversion : 8.2.0.160 AEVDF.DLL : 8.1.1.1 106868 Bytes 4/5/2009 15:07:42 AESCRIPT.DLL : 8.1.1.79 385403 Bytes 4/5/2009 15:07:42 AESCN.DLL : 8.1.1.10 127348 Bytes 4/5/2009 15:07:42 AERDL.DLL : 8.1.1.3 438645 Bytes 29/10/2008 21:24:41 AEPACK.DLL : 8.1.3.14 397685 Bytes 4/5/2009 15:07:42 AEOFFICE.DLL : 8.1.0.36 196987 Bytes 26/2/2009 23:01:56 AEHEUR.DLL : 8.1.0.122 1737080 Bytes 4/5/2009 15:07:42 AEHELP.DLL : 
8.1.2.2 119158 Bytes 26/2/2009 23:01:56 AEGEN.DLL : 8.1.1.39 348532 Bytes 4/5/2009 15:07:42 AEEMU.DLL : 8.1.0.9 393588 Bytes 9/10/2008 17:32:40 AECORE.DLL : 8.1.6.9 176500 Bytes 4/5/2009 15:07:42 AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2008 17:32:40 AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 11:47:59 AVPREF.DLL : 9.0.0.1 43777 Bytes 5/12/2008 13:32:15 AVREP.DLL : 8.0.0.3 155905 Bytes 20/1/2009 17:34:28 AVREG.DLL : 9.0.0.0 36609 Bytes 5/12/2008 13:32:09 AVARKT.DLL : 9.0.0.3 292609 Bytes 4/5/2009 15:07:42 AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/1/2009 13:37:08 SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/1/2009 18:03:49 SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 11:21:33 NETNT.DLL : 9.0.0.0 11521 Bytes 5/12/2008 13:32:10 RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 9/2/2009 14:45:45 RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/5/2009 15:07:42 Configuration settings for the scan: Jobname.............................: Complete system scan Configuration file..................: c:\arquivos de programas\avira\antivir desktop\sysscan.avp Logging.............................: low Primary action......................: interactive Secondary action....................: ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: C:, Process scan........................: on Scan registry.......................: on Search for rootkits.................: on Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR, Start of the scan: segunda-feira, 4 de maio de 2009 12:51 Starting search for hidden objects. '31168' objects were checked, '0' hidden objects were found. 
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'BC40CASE.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '49' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Carlos\Desktop\Flash_Disinfector.exe
    [0] Archive type: RAR SFX (self extracting)
    --> nircmd.exe
        [DETECTION] Contains recognition pattern of the APPL/NirCmd.2 application
C:\System Volume Information\_restore{D0518E27-9216-4643-BEF1-64C323F10013}\RP5\A0015443.exe
    [DETECTION] Contains recognition pattern of the WORM/Bacteraloh.BN worm
C:\System Volume Information\_restore{D0518E27-9216-4643-BEF1-64C323F10013}\RP5\A0015444.exe
    [DETECTION] Contains recognition pattern of the WORM/Bacteraloh.V worm
C:\WINDOWS\system32\netsetup.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\Carlos\Desktop\Flash_Disinfector.exe
    [NOTE] The file was moved to '4a6014e5.qua'!
C:\System Volume Information\_restore{D0518E27-9216-4643-BEF1-64C323F10013}\RP5\A0015443.exe
    [DETECTION] Contains recognition pattern of the WORM/Bacteraloh.BN worm
    [NOTE] The file was moved to '4a2f14a9.qua'!
C:\System Volume Information\_restore{D0518E27-9216-4643-BEF1-64C323F10013}\RP5\A0015444.exe
    [DETECTION] Contains recognition pattern of the WORM/Bacteraloh.V worm
    [NOTE] The file was moved to '4baa285a.qua'!
C:\WINDOWS\system32\netsetup.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to '4a7314de.qua'!

End of the scan: Monday, 4 May 2009 13:14
Used time: 19:54 Minute(s)

The scan has been done completely.

   3519 Scanned directories
 200623 Files were scanned
      4 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      4 Files were moved to quarantine
      0 Files were renamed
      2 Files cannot be scanned
 200617 Files not concerned
    868 Archives were scanned
      2 Warnings
      6 Notes
  31168 Objects were scanned with rootkit scan
      0 Hidden objects were found
--------------------------------------------------------------

Regards!
DigRam, posted May 4, 2009

Good afternoon, Carlos SP

<@> Download: < > ( ...by Old Timer Tools )
<@> Save it to the desktop! --> Restart in Safe Mode.
<@> Run the tool --> Click "CleanUp" --> Confirm the reboot.
<><><><><><><><><><>
<@> Download: < > ( ...by Atribune )
<@> Save it to the Desktop!
<@> Restart the computer in Safe Mode!
<@> Click ATF-Cleaner.exe
<@> Under "Select Files To Delete", check Select All.
<@> Click Empty Selected.
<@> In the Done Cleaning window, click OK --> Exit
<@> Note: if you use Firefox: * At the top, click Firefox and choose Select All --> Click Empty Selected.
<@> Note: if you use Opera: * At the top, click Opera and choose Select All --> Click Empty Selected.
<@> Restart the computer normally!
<><><><><><><><><><>
<@> Update Java.
<@> Old versions have vulnerabilities that malware can use to infect your system.
<><><><><><><><><><>
<@> Download the latest version of the Java Runtime Environment (JRE) 6u13.
<@> Locate: "Java Runtime Environment (JRE) 6 Update 13"
<@> Click the Download button.
<@> Check the option that says: "Accept License Agreement"
<@> The page will refresh!
<@> Click the link to download the Windows Offline Installation --> Save it to the desktop!
<@> Close IE or Firefox + any programs that are running.
<@> Go to Start --> Control Panel.
<@> In Add or Remove Programs, remove all old versions of Java.
<><><><><><><><><><>
<@> Examples of old versions:
< > Java 2 Runtime Environment, SE v1.4.2
< > J2SE Runtime Environment 5.0
< > J2SE Runtime Environment 5.0 Update 6
<@> Select any item named: Java Runtime Environment (JRE or J2SE)
<@> Click the Remove or Change/Remove button.
<@> Repeat as many times as needed to remove each version of Java.
<@> When done, restart the computer!
<@> Install the new version with a double-click on jre-6u13-windows-i586-p.exe.
<><><><><><><><><><>
<!> The log is clean! :thumbsup:
<!> Everything OK?

Regards!
Carlos SP, posted May 4, 2009

Good evening, DigRam! Three questions remain:
1) I can't enable Windows Automatic Updates; even after turning automatic updating on in Control Panel > System Properties, the Windows security alert stays red...
2) Of all the tools I had to download during the removal, which ones should I keep on the PC?
3) To prevent future infections (although I know that is not 100% guaranteed), do you recommend any other program besides Avira?

Best regards!
DigRam, posted May 5, 2009

Good evening, Carlos SP

1) I can't enable Windows Automatic Updates; even after turning automatic updating on in Control Panel > System Properties, the Windows security alert stays red...

<!> Use Dial-a-fix for that repair.
<><><><><><><><><>
<@> Download: < Dial-a-fix >
<@> Unzip it!
<@> Check the boxes: < > "Fix Windows Update" or "Fix Windows Installer" --> Click "GO".
<@> Wait for the status bar to show: "READY"
<@> Click: "Flush SoftwareDistribution" --> Yes.
<@> Download again all the updates that are essential.
<@> Save and post the Dial-a-fix report.
<><><><><><><><><>
2) Of all the tools I had to download during the removal, which ones should I keep on the PC?

<!> Keep only the antimalware: a-squared
<><><><><><><><><>
3) To prevent future infections (although I know that is not 100% guaranteed), do you recommend any other program besides Avira?

<!> If you like, use a good Firewall. --> ( Comodo Firewall )

Regards!
Carlos SP, posted May 5, 2009

Good evening, DigRam! I ran Dial-a-fix, but I still have the problem with Windows Automatic Updates. I checked "services.msc", as instructed on the Windows Update page, but the Automatic Updates item has disappeared...

Tool report:

Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to: dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 6.0.2900.2180
MPC: 76501-OEM
CPU: Intel® Pentium® 4 CPU 3.20GHz (~3233MHz)
CPU: CPU is 64-bit or has 64-bit extensions
CPU: 2 CPU cores present
BIOS: 25/4/2006
Memory (approx): 479MB
Uptime: 0 hour(s)
Current directory: C:\DOCUME~1\Carlos\CONFIG~1\Temp\Rar$EX00.750\Dial-a-fix-v0.60.0.24
---

5/5/2009 00:30:59 -- Dial-a-fix : [v0.60.0.24] -- started

00:30:59 | Policy scan started
00:30:59 | Policy scan ended - no restrictive policies were found

--- MSI ---
00:32:10 | Registered: C:\WINDOWS\system32\msi.dll

--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
00:32:14 | Unregistered: C:\WINDOWS\system32\msxml.dll
00:32:14 | Registered: C:\WINDOWS\system32\msxml.dll
00:32:14 | Unregistered: C:\WINDOWS\system32\msxml2.dll
00:32:15 | Registered: C:\WINDOWS\system32\msxml2.dll
00:32:16 | Unregistered: C:\WINDOWS\system32\msxml3.dll
00:32:16 | Registered: C:\WINDOWS\system32\msxml3.dll
00:32:17 | Unregistered: C:\WINDOWS\system32\qmgr.dll
00:32:36 | Error during registration of C:\WINDOWS\system32\qmgr.dll - version: 6.6.2600.2180. The error returned is: Acesso negado. (Access denied.) (-2147024891)
00:32:36 | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
00:32:36 | Registered: C:\WINDOWS\system32\qmgrprxy.dll
00:32:36 | Unregistered: C:\WINDOWS\system32\winhttp.dll
00:32:36 | Registered: C:\WINDOWS\system32\winhttp.dll
00:32:36 | Registered: C:\WINDOWS\system32\wuapi.dll
00:32:43 | Error during unregistration of C:\WINDOWS\system32\wuaueng.dll - version: 7.2.6001.788. The error returned is: Acesso negado. (Access denied.) (-2147024891)
00:32:44 | Error during registration of C:\WINDOWS\system32\wuaueng.dll - version: 7.2.6001.788. The error returned is: Acesso negado. (Access denied.) (-2147024891)
00:32:44 | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
00:32:44 | Registered: C:\WINDOWS\system32\wuaueng1.dll
00:32:44 | Unregistered: C:\WINDOWS\system32\wucltui.dll
00:32:44 | Registered: C:\WINDOWS\system32\wucltui.dll
00:32:44 | Unregistered: C:\WINDOWS\system32\wups.dll
00:32:45 | Registered: C:\WINDOWS\system32\wups.dll
00:32:45 | Unregistered: C:\WINDOWS\system32\wups2.dll
00:32:45 | Registered: C:\WINDOWS\system32\wups2.dll
00:32:45 | Unregistered: C:\WINDOWS\system32\wuweb.dll
00:32:45 | Registered: C:\WINDOWS\system32\wuweb.dll
00:32:45 | Registered: C:\WINDOWS\system32\ole32.dll

--- SSL/HTTPS/Cryptography ---
00:32:48 | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'

--- Registration: SSL/HTTPS/Cryptography ---
00:32:48 | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
00:32:48 | Registered: C:\WINDOWS\system32\cryptdlg.dll
00:32:48 | Unregistered: C:\WINDOWS\system32\cryptui.dll
00:32:48 | Registered: C:\WINDOWS\system32\cryptui.dll
00:32:48 | Unregistered: C:\WINDOWS\system32\cryptext.dll
00:32:49 | Registered: C:\WINDOWS\system32\cryptext.dll
00:32:49 | Unregistered: C:\WINDOWS\system32\dssenh.dll
00:32:49 | Registered: C:\WINDOWS\system32\dssenh.dll
00:32:49 | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
00:32:49 | Registered: C:\WINDOWS\system32\gpkcsp.dll
00:32:49 | Unregistered: C:\WINDOWS\system32\initpki.dll
00:33:32 | Registered: C:\WINDOWS\system32\initpki.dll
00:33:32 | Unregistered: C:\WINDOWS\system32\licdll.dll
00:33:32 | Registered: C:\WINDOWS\system32\licdll.dll
00:33:32 | Unregistered: C:\WINDOWS\system32\mssign32.dll
00:33:32 | Registered: C:\WINDOWS\system32\mssign32.dll
00:33:32 | Unregistered: C:\WINDOWS\system32\mssip32.dll
00:33:32 | Registered: C:\WINDOWS\system32\mssip32.dll
00:33:51 | Unregistered: C:\WINDOWS\system32\scardssp.dll
00:33:54 | Registered: C:\WINDOWS\system32\scardssp.dll
00:33:54 | Unregistered: C:\WINDOWS\system32\sccbase.dll
00:33:54 | Registered: C:\WINDOWS\system32\sccbase.dll
00:33:54 | Unregistered: C:\WINDOWS\system32\scecli.dll
00:33:55 | Registered: C:\WINDOWS\system32\scecli.dll
00:33:55 | Unregistered: C:\WINDOWS\system32\softpub.dll
00:33:55 | Registered: C:\WINDOWS\system32\softpub.dll
00:33:55 | Unregistered: C:\WINDOWS\system32\slbcsp.dll
00:33:55 | Registered: C:\WINDOWS\system32\slbcsp.dll
00:33:57 | Unregistered: C:\WINDOWS\system32\regwizc.dll
00:33:57 | Registered: C:\WINDOWS\system32\regwizc.dll
00:33:57 | Unregistered: C:\WINDOWS\system32\rsaenh.dll
00:33:57 | Registered: C:\WINDOWS\system32\rsaenh.dll
00:33:57 | Unregistered: C:\WINDOWS\system32\winhttp.dll
00:33:57 | Registered: C:\WINDOWS\system32\winhttp.dll
00:33:57 | Unregistered: C:\WINDOWS\system32\wintrust.dll
00:33:57 | Registered: C:\WINDOWS\system32\wintrust.dll

--- Registration: Programming cores/runtimes ---
00:33:58 | Registered: C:\WINDOWS\system32\atl.dll
00:33:58 | Registered: C:\WINDOWS\system32\corpol.dll
00:33:58 | Registered: C:\WINDOWS\system32\jscript.dll
00:33:58 | Registered: C:\WINDOWS\system32\dispex.dll
00:33:58 | Registered: C:\WINDOWS\system32\scrrun.dll
00:33:58 | Registered: C:\WINDOWS\system32\scrobj.dll
00:33:58 | Registered: C:\WINDOWS\system32\vbscript.dll
00:33:58 | Registered: C:\WINDOWS\system32\wshext.dll

--- Flush SoftwareDistribution ---
-------------------------------------------------------------------

Regards!
DigRam, posted May 5, 2009

Good morning, Carlos SP

<@> Download: < UnHook >
<@> Save it to the Desktop!
<@> Now run the Symantec tool. ( UnHookExec.inf )
<@> Right-click it with the mouse. --> Click Install.
<@> Restart the computer!
<><><><><><><><><><>
<@> Download: < securitycenterrestore.reg >
<@> Save it to the desktop as a registry entries file. ( .reg ) < >
<@> Note: don't save it as text, in which case merging it into the registry would do nothing.
<@> Restart the computer in Safe Mode.
<@> Run the ( .reg ) file and confirm merging it into the registry.
<@> When done, restart the computer!
<><><><><><><><><><>
<@> Run Dial-a-fix again and post its report. <--

Regards!
Carlos SP, posted May 5, 2009

Good morning, DigRam! Updated Dial-a-fix report:

Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to: dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 6.0.2900.2180
MPC: 76501-OEM
CPU: Intel® Pentium® 4 CPU 3.20GHz (~3200MHz)
CPU: CPU is 64-bit or has 64-bit extensions
CPU: 2 CPU cores present
BIOS: 25/4/2006
Memory (approx): 479MB
Uptime: 0 hour(s)
Current directory: C:\DOCUME~1\Carlos\CONFIG~1\Temp\Rar$EX00.422\Dial-a-fix-v0.60.0.24
---

5/5/2009 11:53:19 -- Dial-a-fix : [v0.60.0.24] -- started

11:53:19 | Policy scan started
11:53:19 | Policy scan ended - no restrictive policies were found

--- MSI ---
11:53:48 | Registered: C:\WINDOWS\system32\msi.dll

--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
11:53:51 | Unregistered: C:\WINDOWS\system32\msxml.dll
11:53:51 | Registered: C:\WINDOWS\system32\msxml.dll
11:53:52 | Unregistered: C:\WINDOWS\system32\msxml2.dll
11:53:52 | Registered: C:\WINDOWS\system32\msxml2.dll
11:53:53 | Unregistered: C:\WINDOWS\system32\msxml3.dll
11:53:53 | Registered: C:\WINDOWS\system32\msxml3.dll
11:53:53 | Unregistered: C:\WINDOWS\system32\qmgr.dll
11:53:55 | Error during registration of C:\WINDOWS\system32\qmgr.dll - version: 6.6.2600.2180. The error returned is: Acesso negado. (Access denied.) (-2147024891)
11:53:55 | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
11:53:55 | Registered: C:\WINDOWS\system32\qmgrprxy.dll
11:53:55 | Unregistered: C:\WINDOWS\system32\winhttp.dll
11:53:55 | Registered: C:\WINDOWS\system32\winhttp.dll
11:53:56 | Registered: C:\WINDOWS\system32\wuapi.dll
11:53:57 | Error during unregistration of C:\WINDOWS\system32\wuaueng.dll - version: 7.2.6001.788. The error returned is: Acesso negado. (Access denied.) (-2147024891)
11:53:57 | Error during registration of C:\WINDOWS\system32\wuaueng.dll - version: 7.2.6001.788. The error returned is: Acesso negado. (Access denied.) (-2147024891)
11:53:57 | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
11:53:57 | Registered: C:\WINDOWS\system32\wuaueng1.dll
11:53:58 | Unregistered: C:\WINDOWS\system32\wucltui.dll
11:53:58 | Registered: C:\WINDOWS\system32\wucltui.dll
11:53:58 | Unregistered: C:\WINDOWS\system32\wups.dll
11:53:58 | Registered: C:\WINDOWS\system32\wups.dll
11:53:58 | Unregistered: C:\WINDOWS\system32\wups2.dll
11:53:58 | Registered: C:\WINDOWS\system32\wups2.dll
11:53:58 | Unregistered: C:\WINDOWS\system32\wuweb.dll
11:53:58 | Registered: C:\WINDOWS\system32\wuweb.dll
11:53:58 | Registered: C:\WINDOWS\system32\ole32.dll

--- SSL/HTTPS/Cryptography ---
11:54:01 | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'

--- Registration: SSL/HTTPS/Cryptography ---
11:54:01 | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
11:54:01 | Registered: C:\WINDOWS\system32\cryptdlg.dll
11:54:01 | Unregistered: C:\WINDOWS\system32\cryptui.dll
11:54:01 | Registered: C:\WINDOWS\system32\cryptui.dll
11:54:01 | Unregistered: C:\WINDOWS\system32\cryptext.dll
11:54:01 | Registered: C:\WINDOWS\system32\cryptext.dll
11:54:01 | Unregistered: C:\WINDOWS\system32\dssenh.dll
11:54:01 | Registered: C:\WINDOWS\system32\dssenh.dll
11:54:01 | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
11:54:01 | Registered: C:\WINDOWS\system32\gpkcsp.dll
11:54:01 | Unregistered: C:\WINDOWS\system32\initpki.dll
11:54:29 | Registered: C:\WINDOWS\system32\initpki.dll
11:54:29 | Unregistered: C:\WINDOWS\system32\licdll.dll
11:54:29 | Registered: C:\WINDOWS\system32\licdll.dll
11:54:29 | Unregistered: C:\WINDOWS\system32\mssign32.dll
11:54:29 | Registered: C:\WINDOWS\system32\mssign32.dll
11:54:29 | Unregistered: C:\WINDOWS\system32\mssip32.dll
11:54:29 | Registered: C:\WINDOWS\system32\mssip32.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\scardssp.dll
11:54:30 | Registered: C:\WINDOWS\system32\scardssp.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\sccbase.dll
11:54:30 | Registered: C:\WINDOWS\system32\sccbase.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\scecli.dll
11:54:30 | Registered: C:\WINDOWS\system32\scecli.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\softpub.dll
11:54:30 | Registered: C:\WINDOWS\system32\softpub.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\slbcsp.dll
11:54:30 | Registered: C:\WINDOWS\system32\slbcsp.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\regwizc.dll
11:54:30 | Registered: C:\WINDOWS\system32\regwizc.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\rsaenh.dll
11:54:30 | Registered: C:\WINDOWS\system32\rsaenh.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\winhttp.dll
11:54:30 | Registered: C:\WINDOWS\system32\winhttp.dll
11:54:30 | Unregistered: C:\WINDOWS\system32\wintrust.dll
11:54:31 | Registered: C:\WINDOWS\system32\wintrust.dll

--- Registration: Programming cores/runtimes ---
11:54:31 | Registered: C:\WINDOWS\system32\atl.dll
11:54:31 | Registered: C:\WINDOWS\system32\corpol.dll
11:54:31 | Registered: C:\WINDOWS\system32\jscript.dll
11:54:31 | Registered: C:\WINDOWS\system32\dispex.dll
11:54:31 | Registered: C:\WINDOWS\system32\scrrun.dll
11:54:31 | Registered: C:\WINDOWS\system32\scrobj.dll
11:54:31 | Registered: C:\WINDOWS\system32\vbscript.dll
11:54:31 | Registered: C:\WINDOWS\system32\wshext.dll

--- Flush SoftwareDistribution ---
----------------------------------------

Regards!
DigRam, posted May 5, 2009

Good afternoon, Carlos SP

<@> Go to Start --> Run --> Type: services.msc --> OK.
<@> Look for: "Automatic Updates" ("Atualizações Automáticas") --> Double-click that entry.
<@> Click the Log On tab and select: "Local System account"
<@> Leave the option "Allow service to interact with desktop" unchecked.
<@> In the Hardware Profile section, check whether the service is enabled.
<@> If it is disabled, click the "Enable" option --> Click OK.
<@> Repeat the procedure above for: "Background Intelligent Transfer Service" (BITS)
<><><><><><><><><><><>
<@> Now let's register Windows Update.
<@> Go to Start --> Run --> Type: cmd --> OK.
<@> At the command prompt, type: regsvr32 qmgr.dll --> Press Enter.
<@> Wait until you get the message that registration succeeded.
<@> Do the same for: regsvr32 wuaueng.dll --> Press Enter.
<@> When done, restart the computer!
<><><><><><><><><><><>
<@> Go to Start --> Run --> Type: sfc /scannow --> Click OK. < >
<@> You will be asked to put the Windows XP CD-ROM in the drive.
<@> Wait for the repair to finish! --> Restart!
<><><><><><><><><><><>
<!> Report the results!

Regards!
Carlos SP, posted May 5, 2009

Good afternoon, DigRam! I couldn't finish the procedure. When I ran the registrations you indicated at the command prompt, I got this response:

"DllRegisterServer in qmgr.dll [or wuaueng.dll] failed. Return code: 0x80070005"
--------

Regards.
DigRam, posted May 5, 2009

Oops! Carlos SP

<!> No problem! Go ahead with the Windows XP CD and the sfc /scannow command.

Regards!
Carlos SP, posted May 7, 2009

Good evening, DigRam! I ran the repair procedures, but after restarting the computer automatic updates are still disabled. sfc /scannow did not generate any repair report.

Regards.
DigRam, posted May 8, 2009

Oops! Carlos SP

<@> Download: < TuneUp Utilities 2009 >
<@> To download, enter your e-mail and click Start download.
<@> Save the executable, TU2009TrialEN.exe, in Program Files.
<@> The program is a trial! But... there will be enough time to optimize the computer.
<@> Try to defragment the disk and the registry.
<@> Use the problem fixes: Disk Doctor + automatic update repairs.

Regards!
Carlos SP, posted May 9, 2009

Good morning, DigRam! I ran the recommended TuneUp tasks, but at the point of repairing Windows Update the screen "TuneUp Utilities has encountered a problem and needs to close" appears. I tried several times, with the same result...

Two questions, to confirm:
1) Disk defragmenter = TuneUp Disk Doctor?
2) Registry fix = TuneUp Registry Cleaner?

Regards!
DigRam, posted May 9, 2009

Oops! Carlos SP

<!> What bad luck! TuneUp failed on precisely the function we're interested in.
<><><><><><><><><>
Two questions, to confirm:
1) Disk defragmenter = TuneUp Disk Doctor?
2) Registry fix = TuneUp Registry Cleaner?

<1> For fixing logical errors! OK
<2> Registry cleaning! OK
<><><><><><><><><>
<@> Check whether the Automatic Updates service is started and set to Automatic.
<@> To get there, go to Control Panel --> Administrative Tools --> Services.
<@> Logged in as administrator, go to Start --> Run.
<@> Type or paste: cmd --> OK.
<@> At the command prompt, type:
<1> net stop wuauserv --> Press ENTER.
<2> regsvr32 %windir%\system32\wups2.dll --> Press Enter.
<3> net start wuauserv --> Press Enter.
<4> exit --> Press Enter.
<@> Do them one at a time!
<@> Restart the computer and check that the "Automatic Updates" service is enabled.

Regards!
Carlos SP, posted May 9, 2009

Good evening, DigRam!
- In Administrative Tools > Services, Automatic Updates is not marked as started, and its startup type is Disabled. When I tried to set the startup type to Automatic in the Properties window, access was denied (even with administrative privileges).
- At the command prompt, net stop wuauserv gives the result "The Automatic Updates service is not started". I also tried regsvr32 %windir%\system32\wups2.dll, which was the only one that succeeded.

Regards.
DigRam, posted May 9, 2009

Good evening, Carlos SP

Quoting Carlos SP: "In Administrative Tools > Services, Automatic Updates is not marked as started, and its startup type is Disabled. When I tried to set the startup type to Automatic in the Properties window, access was denied (even with administrative privileges)."

<!> That still indicates malicious activity.
<><><><><><><><><>
<!> Delete or uninstall the tool: Kaspersky Virus Removal Tool
<!> Download a new version and run it! Post its report.
<!> Try again to enable automatic startup.

Regards!
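A note on the symptom discussed in the last few posts, with an added example that is not part of the thread. The regsvr32 return code 0x80070005 is E_ACCESSDENIED, and the -2147024891 in both Dial-a-fix logs is the same value read as a signed 32-bit integer: registration of qmgr.dll and wuaueng.dll, and changing the startup type of the service, are all failing on permissions, not on a missing file. The check a practitioner would run on the box is `sc sdshow wuauserv` (and `sc sdshow bits`), which prints the service's security descriptor in SDDL, plus `cacls %windir%\system32\wuaueng.dll` for the file ACL. The hard part is reading SDDL by eye, so the script below parses it offline and reports which rights the Administrators group (BA) is actually left with. STOCK_SDDL is what I assume `sc sdshow wuauserv` returns on an untouched XP SP2 install (verify against a known-good machine before feeding it to `sc sdset`); the two tampered strings are constructed for the example and are not taken from Carlos's machine.

```python
"""Parse a Windows service security descriptor (SDDL) and report what the
Administrators group can still do with the service.  Added example; the
descriptors below are an assumed reference and constructed tampering cases."""
import re

# SDDL right abbreviations -> (access-mask bit, meaning for a service object)
RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),   # needed to set the startup type
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),               # needed to repair the ACL itself
    "WO": (0x80000, "WRITE_OWNER"),
}

# What an administrator needs in order to re-enable, start and fix a service.
REQUIRED = ("DC", "RP", "WP", "WD")

# Assumption: the descriptor `sc sdshow wuauserv` prints on a clean XP SP2 box.
STOCK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed tampering case 1: an explicit deny ACE for Administrators placed
# ahead of the normal allow ACE.  Deny wins, so admins lose config/start/stop.
TAMPERED_DENY = ("D:(D;;DCRPWPWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)")

# Constructed tampering case 2: the allow ACE for Administrators rewritten with
# SERVICE_CHANGE_CONFIG and WRITE_DAC stripped out (no deny ACE at all).
TAMPERED_STRIPPED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
                     "(A;;CCLCSWLOCRRC;;;AU)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def _mask(rights):
    """Turn the rights field of an ACE (letter pairs or 0x... hex) into a mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        pair = rights[i:i + 2]
        if pair not in RIGHTS:
            raise ValueError("unsupported right %r in %r" % (pair, rights))
        mask |= RIGHTS[pair][0]
    return mask


def parse_dacl(sddl):
    """Return the DACL ACEs as (ace_type, mask, trustee) tuples; SACL ignored."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string beginning with D:")
    dacl = sddl[2:].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")       # type;flags;rights;obj_guid;inh_guid;sid
        aces.append((fields[0], _mask(fields[2]), fields[5]))
    return aces


def effective_rights(sddl, trustee):
    """(allowed, denied) masks for one trustee; any deny ACE overrides allow."""
    allowed = denied = 0
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid != trustee:
            continue
        if ace_type == "A":
            allowed |= mask
        elif ace_type == "D":
            denied |= mask
    return allowed & ~denied, denied


def missing_rights(sddl, trustee="BA"):
    """Names of REQUIRED rights the trustee cannot exercise on the service."""
    allowed, _ = effective_rights(sddl, trustee)
    return [RIGHTS[r][1] for r in REQUIRED if not allowed & RIGHTS[r][0]]


def repair_command(service="wuauserv"):
    """The sc.exe invocation that writes the reference descriptor back."""
    return "sc sdset %s %s" % (service, STOCK_SDDL)


if __name__ == "__main__":
    for name, sd in (("stock", STOCK_SDDL), ("deny ACE", TAMPERED_DENY),
                     ("stripped", TAMPERED_STRIPPED)):
        print("%-9s Administrators missing: %s" % (name, missing_rights(sd) or "nothing"))
    print(repair_command())
```

Paste the string from `sc sdshow wuauserv` into `missing_rights()`: an empty list means the service ACL is not what is blocking the Properties dialog, and the next place to look is the file ACL on wuaueng.dll and the permissions on HKLM\SYSTEM\CurrentControlSet\Services\wuauserv (regedit, Permissions). A non-empty list means `net start` and the startup-type change will keep failing until the descriptor is restored with `sc sdset` from an account that still holds WRITE_DAC, or, failing that, from Safe Mode after taking ownership.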
Carlos SP, posted May 11, 2009

Good evening, DigRam! The report from the updated Kaspersky was clean, but I ran Avira and there was a detection; I grabbed the HijackThis log in case it is needed:
(Since the clean log, I have had Avira and Comodo Firewall installed and up to date.)

Kaspersky scan report
----
Scanned: 435120
Detected: 0
Untreated: 0
Start time: 9/5/2009 23:29:52
Duration: 03:09:18
Finish time: 10/5/2009 02:39:10

Detected
--------
Status  Object
------  ------

Events
------
Time  Name  Status  Reason
----  ----  ------  ------

Statistics
----------
Object  Scanned  Detected  Untreated  Deleted  Moved to Quarantine  Archives  Packed files  Password protected  Corrupted
------  -------  --------  ---------  -------  -------------------  --------  ------------  ------------------  ---------

Settings
--------
Parameter: Value
Security Level: Recommended
Action: Prompt for action when the scan is complete
Run mode: Manually
File types: Scan all files
Scan only new and changed files: No
Scan archives: All
Scan embedded OLE objects: All
Skip if object is larger than: No
Skip if scan takes longer than: No
Parse email formats: No
Scan password-protected archives: No
Enable iChecker technology: No
Enable iSwift technology: No
Show detected threats on "Detected" tab: Yes
Rootkits search: Yes
Deep rootkits search: No
Use heuristic analyzer: Yes

Quarantine
----------
Status  Object  Size  Added
------  ------  ----  -----

Backup
------
Status  Object  Size
------  ------  ----

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Avira report:

Avira AntiVir Personal
Report file date: Sunday, 10 May 2009 10:12

Scanning for 1385351 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HP-AF5E76A48CD1

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 17/4/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/5/2009 15:07:43
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/2/2009 13:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/2/2009 14:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/2/2009 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 15:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/2/2009 23:33:26
ANTIVIR2.VDF : 7.1.3.137 1810944 Bytes 30/4/2009 15:07:42
ANTIVIR3.VDF : 7.1.3.178 195584 Bytes 8/5/2009 22:07:51
Engineversion : 8.2.0.166
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/5/2009 15:07:42
AESCRIPT.DLL : 8.1.1.81 385401 Bytes 8/5/2009 22:09:40
AESCN.DLL : 8.1.1.10 127348 Bytes 4/5/2009 15:07:42
AERDL.DLL : 8.1.1.3 438645 Bytes 29/10/2008 21:24:41
AEPACK.DLL : 8.1.3.16 397686 Bytes 8/5/2009 22:09:27
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 26/2/2009 23:01:56
AEHEUR.DLL : 8.1.0.128 1757559 Bytes 8/5/2009 22:09:10
AEHELP.DLL : 8.1.2.2 119158 Bytes 26/2/2009 23:01:56
AEGEN.DLL : 8.1.1.42 348531 Bytes 8/5/2009 22:08:07
AEEMU.DLL : 8.1.0.9 393588 Bytes 9/10/2008 17:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 4/5/2009 15:07:42
AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2008 17:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 11:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 5/12/2008 13:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20/1/2009 17:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 5/12/2008 13:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 4/5/2009 15:07:42
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/1/2009 13:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/1/2009 18:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 11:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 5/12/2008 13:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 9/2/2009 14:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/5/2009 15:07:42

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\arquivos de programas\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Sunday, 10 May 2009 10:12

Starting search for hidden objects.
'41365' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'TUProgSt.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'BC40CASE.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'cpf.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '48' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{D0518E27-9216-4643-BEF1-64C323F10013}\RP5\A0015452.exe
    [0] Archive type: RAR SFX (self extracting)
    --> nircmd.exe
        [DETECTION] Contains recognition pattern of the APPL/NirCmd.2 application
C:\System Volume Information\_restore{D0518E27-9216-4643-BEF1-64C323F10013}\RP5\A0015453.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
C:\Virut\rmvirut.exe
    [DETECTION] Is the TR/Proxy.Horst.2706944 Trojan

Beginning disinfection:
C:\System Volume Information\_restore{D0518E27-9216-4643-BEF1-64C323F10013}\RP5\A0015452.exe
    [NOTE] The file was moved to '4a36da77.qua'!
C:\System Volume Information\_restore{D0518E27-9216-4643-BEF1-64C323F10013}\RP5\A0015453.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to '4b54aad8.qua'!
C:\Virut\rmvirut.exe
    [DETECTION] Is the TR/Proxy.Horst.2706944 Trojan
    [NOTE] The file was moved to '4a7cdab4.qua'!

End of the scan: Sunday, 10 May 2009 10:44
Used time: 30:17 Minute(s)

The scan has been done completely.

   3197 Scanned directories
 210329 Files were scanned
      3 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      3 Files were moved to quarantine
      0 Files were renamed
      2 Files cannot be scanned
 210324 Files not concerned
    915 Archives were scanned
      2 Warnings
      5 Notes
  41365 Objects were scanned with rootkit scan
      0 Hidden objects were found

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:04:31, on 11/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Comodo\Firewall\CPF.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\TEXTware\BOOKcase40\BC40CASE.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\a-squared Free\a2service.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Comodo\Firewall\cmdagent.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Hijack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify...=br&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Arquivos de programas\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Arquivos de programas\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [sispower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [isusscheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [hp software update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 -
HKLM\..\Run: [COMODO Firewall Pro] "C:\Arquivos de programas\Comodo\Firewall\CPF.exe" /background O4 - HKCU\..\Run: [msmsgs] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: BOOKcase 4.0.lnk = C:\Arquivos de programas\TEXTware\BOOKcase40\BC40CASE.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131549136390 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223 O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de 
programas\Avira\AntiVir Desktop\avguard.exe O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Arquivos de programas\Comodo\Firewall\cmdagent.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe -- End of file - 6348 bytes >>>>>>>>>>>>>>>>>>>> Abraços. Compartilhar este post Link para o post Compartilhar em outros sites