tpazzin Posted July 2, 2009
My PC doesn't shut down, doesn't restart, nothing appears on my desktop, and the PC is very slow. I hope you can help me, and from what I've seen in the other posts, I'm sure you can. I'll post a HijackThis log to help:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:37:44, on 2/7/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16850) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe C:\Arquivos de programas\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\SnAgOS.exe C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\ARQUIV~1\AVG\AVG8\avgrsx.exe C:\ARQUIV~1\AVG\AVG8\avgnsx.exe C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\SnMgrSvc.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\sm56hlpr.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Arquivos de programas\Power Manager\PM.exe C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\domino.exe C:\WINDOWS\VMSnap1.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\ARQUIV~1\AVG\AVG8\avgtray.exe C:\Arquivos de programas\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe C:\Arquivos de programas\Skype\Phone\Skype.exe C:\Arquivos de 
programas\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Tiago\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tiago\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tiago\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tiago\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tiago\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tiago\Meus documentos\Downloads\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.itautec.com.br/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no 
file) O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.5.19.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file) O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file) O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file) O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe O4 - 
HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [PowerManager] C:\Arquivos de programas\Power Manager\PM.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=070909 serial=DR12CUS-2178927-HVQ lang=BP O4 - HKLM\..\Run: [] C:\WINDOWS\system32\svc\svchosts.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tiago\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c O4 - Global Startup: BlueSoleil.lnk = ? 
O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?cf1ece1bf5e44ddebc591bef809d0870 O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?cf1ece1bf5e44ddebc591bef809d0870 O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe 
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file) O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. 
- C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe -- End of file - 11960 bytes
Thanks in advance.
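As an added example (not code posted in this thread, and not part of HijackThis or ComboFix), the following Python script parses HijackThis log lines of the kind quoted above and flags the entries a helper usually looks at first: O2/O3 BHO and toolbar entries whose CLSID points to no file, O4 Run values with an empty name or with an executable sitting in a sub-folder under system32, and O23 services with no listed company or an "Unknown owner". The sample input is a constructed excerpt of the log in this thread; the triage rules are my own heuristics, not anything HijackThis itself reports, so every hit is something to look into, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the HijackThis 2.0.2 log quoted in this thread,
# one entry per line as HijackThis writes them.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\svc\svchosts.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: display name (short name) - company - path
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<company>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")
# An executable in a sub-folder below system32 (e.g. system32\svc\...), which
# legitimate Run entries in this log do not use.
NESTED_SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    body: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return (section code, body) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(log_text):
    """Apply the review heuristics (my own, not HijackThis's) and return the hits."""
    findings = []
    for kind, body in parse_entries(log_text):
        reasons = []
        if kind in ("O2", "O3") and body.endswith("(no file)"):
            reasons.append("CLSID registered but its DLL is missing (orphaned entry)")
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m:
                if not m.group("name"):
                    reasons.append("Run value has an empty name")
                if NESTED_SYSTEM32_RE.search(m.group("cmd")):
                    reasons.append("executable lives in a sub-folder under system32")
        elif kind == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group("company").strip() in ("", "Unknown owner"):
                reasons.append("service has no identifiable publisher")
        if reasons:
            findings.append(Finding(kind, body, reasons))
    return findings


def report(log_text):
    """Human-readable summary, one line per finding plus its reasons."""
    lines = []
    for f in triage(log_text):
        lines.append(f"{f.kind} - {f.body}")
        lines.extend(f"    -> {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the excerpt above the script singles out the two "(no file)" entries, the nameless Run value pointing at system32\svc\svchosts.exe (the same entry ComboFix later removed as an orphan), and the two services without a named publisher, while leaving AVG, ctfmon.exe and the Lexmark service alone.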
jgarcia Posted July 3, 2009
Hey tpazzin,
Download ComboFix from: ComboFix
1) Temporarily disable your antivirus;
2) Double-click combofix.exe and wait (the whole process takes about 10 minutes);
3) The "SOFTWARE WARRANTY DISCLAIMER" window will open. Read the text in this window carefully and click "YES" to continue. P.S.: If you do not agree with the terms, click "NO" to exit the software, bearing in mind that disinfection will not be possible without continuing with ComboFix.
4) Another window will open if your machine does not have the WINDOWS RECOVERY CONSOLE. It is recommended to install the console before continuing, since this guarantees that the system can be recovered if problems occur during the scan. Click "YES" and wait, as the console installation is done automatically by ComboFix itself. It may take a few minutes (depending on your connection speed), so be patient. When the "INSTALLING THE RECOVERY CONSOLE" window appears, click "OK", then click "YES" to accept the EULA. When the recovery console installation finishes, a window will open saying "THE RECOVERY CONSOLE WAS INSTALLED SUCCESSFULLY". Click "YES" to continue the scan.
5) ComboFix will start the AUTOSCAN (wait). WARNING: Do not click on the ComboFix window or terminate the process abruptly while the tool is running, as this will break your desktop configuration (it will turn completely white). When the process finishes, the machine will restart to produce the report.
6) On restart, ComboFix will run FIND3M to create the final scan report. The log will be saved at C:\ComboFix.txt.
7) Re-enable your antivirus;
8) I need you to paste the contents of ComboFix.txt in your next reply.
NOTE 1: If a message appears saying THIS IS NOT A VALID WIN32 APPLICATION, download ComboFix again, but save it to your Desktop as KomboFix. As a last resort, try running ComboFix in SAFE MODE.
NOTE 2: If the running ComboFix window is clicked, it will MAXIMIZE, covering the others. To minimize it again, just use ALT + TAB.
Cheers.
tpazzin Posted July 3, 2009
Here is what you requested.
ComboFix 09-07-02.02 - Tiago 03/07/2009 2:34.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.55.1046.18.446.192 [GMT -3:00] Executando de: c:\documents and settings\Tiago\Meus documentos\Downloads\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ADS - drivers: deleted 204 bytes in 1 streams. ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\Tiago\CONFIG~1\Temp\catchme.dll c:\documents and settings\Tiago\Configurações locais\Temp\catchme.dll c:\windows\Installer\135d2bd.msi c:\windows\Installer\285db6a.msp c:\windows\Installer\28710dd.msp c:\windows\Installer\617f0.msp c:\windows\Installer\WinRMSrv.msi . (((((((((((((((( Arquivos/Ficheiros criados de 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))) . 2009-07-02 17:07 . 2009-07-02 17:07 -------- d-----w- C:\!KillBox 2009-07-02 08:20 . 2009-07-02 08:20 -------- d-----w- C:\desktopclean 2009-07-02 05:12 . 2009-07-02 07:33 -------- d-----w- c:\arquivos de programas\NitroPC 2009-06-27 19:38 . 2009-06-27 19:39 -------- d-----w- C:\Brasfoot2009 2009-06-23 05:14 . 2009-06-23 05:14 -------- d-----w- c:\arquivos de programas\Lavalys 2009-06-20 23:22 . 2009-07-02 07:13 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP 2009-06-19 23:27 . 2009-07-02 19:58 -------- d-----w- c:\windows\system32\svc 2009-06-17 23:58 . 2009-06-17 23:58 -------- d-----w- c:\arquivos de programas\SWF-AVI-GIF Converter 2009-06-09 20:12 . 2009-06-09 20:30 -------- d-----w- C:\Jogos 2009-06-07 09:02 . 2009-06-07 09:02 -------- d-----w- c:\arquivos de programas\SolitaireMahjong . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-03 05:47 . 2009-07-03 05:47 186504 ----a-w- c:\windows\system32\SnAgOS.TMP 2009-06-26 21:25 . 
2009-04-11 22:19 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-26 21:25 . 2009-04-11 22:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-06-26 21:25 . 2009-04-11 22:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-06-26 07:42 . 2009-05-23 18:07 -------- d-----w- c:\arquivos de programas\Megacubo 2009-06-20 23:19 . 2007-04-10 00:18 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information 2009-06-18 19:59 . 2009-03-06 21:51 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin 2009-06-17 21:58 . 2006-03-02 12:00 82072 ----a-w- c:\windows\system32\perfc016.dat 2009-06-17 21:58 . 2006-03-02 12:00 461940 ----a-w- c:\windows\system32\perfh016.dat 2009-05-31 21:40 . 2009-02-04 22:03 -------- d-----w- c:\arquivos de programas\phpDesigner 2009-05-25 19:30 . 2009-05-25 19:30 -------- d-----w- c:\arquivos de programas\FormatFactory 2009-05-25 18:55 . 2009-05-25 18:46 -------- d-----w- c:\documents and settings\Tiago\Dados de aplicativos\Any Video Converter 2009-05-25 18:47 . 2009-05-25 18:45 -------- d-----w- c:\arquivos de programas\Any Video Converter 2009-05-23 18:11 . 2009-05-23 18:11 -------- d-----w- c:\arquivos de programas\TVUPlayer 2009-05-22 22:09 . 2009-01-28 05:42 -------- d-----w- c:\arquivos de programas\PokerStars 2009-05-14 01:54 . 2007-08-05 19:12 -------- d-----w- c:\arquivos de programas\Macromedia 2009-05-14 01:53 . 2007-08-05 19:13 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macromedia 2009-05-07 15:33 . 2006-03-02 12:00 347136 ----a-w- c:\windows\system32\localspl.dll 2009-05-03 19:36 . 2009-04-11 22:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-04-29 04:45 . 2006-03-02 12:00 827392 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:45 . 2006-03-02 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-04-24 16:59 . 
2009-04-03 06:22 3140 --sha-w- c:\documents and settings\All Users\Dados de aplicativos\KGyGaAvL.sys 2009-04-24 16:59 . 2009-04-03 06:22 3140 --sha-w- c:\documents and settings\All Users\Dados de aplicativos\KGyGaAvL.sys 2009-04-24 16:59 . 2009-04-03 06:22 88 --sh--r- c:\documents and settings\All Users\Dados de aplicativos\56D2EE7344.sys 2009-04-24 16:59 . 2009-04-03 06:22 88 --sh--r- c:\documents and settings\All Users\Dados de aplicativos\56D2EE7344.sys 2009-04-19 19:50 . 2006-03-02 12:00 1847296 ----a-w- c:\windows\system32\win32k.sys 2009-04-18 22:59 . 2009-04-18 22:59 56 ---ha-w- c:\windows\system32\ezsidmv.dat 2009-04-17 06:20 . 2009-04-17 06:20 1878888 ----a-w- c:\documents and settings\Tiago\Dados de aplicativos\Opera\Opera\profile\cache4\temporary_download\install_flash_player.exe 2009-04-15 14:53 . 2006-03-02 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2008-12-15 00:11 . 2008-06-18 05:08 71930 ----a-w- c:\arquivos de programas\megacubo_log.log . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. 
REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2008-04-14 1695232] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2009-03-27 24103720] "Google Update"="c:\documents and settings\Tiago\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-05-06 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PowerManager"="c:\arquivos de programas\Power Manager\PM.exe" [2006-06-30 159744] "RemoteControl"="c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2006-09-01 282624] "domino"="c:\windows\domino.exe" [2006-07-04 49152] "VMSnap1"="c:\windows\VMSnap1.exe" [2006-07-17 49152] "PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-09-06 36864] "SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-11-10 136600] "AVG8_TRAY"="c:\arquiv~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440] "CorelDRAW Graphics Suite 11b"="c:\arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" [2003-11-28 729088] "SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-09-16 557056] "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-10-04 90112] "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248] "VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-10-31 163840] c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\ BlueSoleil.lnk - c:\arquivos de programas\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-10-4 1183744] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Arquivos de 
programas\\eMule\\emule.exe"= "c:\\Arquivos de programas\\BitComet\\BitComet.exe"= "c:\\Arquivos de programas\\FTP Commander\\ftpcomm.exe"= "c:\\Arquivos de programas\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Arquivos de programas\\Java\\jre1.6.0_07\\bin\\javaw.exe"= "c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"= "c:\\Arquivos de programas\\phpDesigner\\phpDesigner.exe"= "c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"= "c:\\Arquivos de programas\\AVG\\AVG8\\avgnsx.exe"= "c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= "c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\system32\\rtcshare.exe"= "c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"= "c:\\Arquivos de programas\\Megacubo\\megacubo.exe"= "c:\\Documents and Settings\\Tiago\\Configurações locais\\Dados de aplicativos\\Google\\Chrome\\Application\\chrome.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "11005:TCP"= 11005:TCP:BitComet 11005 TCP "11005:UDP"= 11005:UDP:BitComet 11005 UDP R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [6/3/2009 18:52 31536] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/4/2009 19:19 327688] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/4/2009 19:19 108552] R1 SNSID;SNSID;c:\windows\system32\drivers\SNSID.SYS [20/7/2007 15:47 22784] R1 SNSMS;SNSMS;c:\windows\system32\drivers\SNSMS.SYS [20/7/2007 15:47 35464] R2 avg8wd;AVG Free8 WatchDog;c:\arquiv~1\AVG\AVG8\avgwdsvc.exe [11/4/2009 19:19 298776] R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [6/3/2009 18:52 53040] R2 Ps2KSecureKeyboard;SecureKbd;c:\windows\system32\drivers\psseckbd.sys [20/7/2007 15:47 15048] R2 
SNMgrSvc;SNMgrSvc;c:\windows\system32\SnMgrSvc.exe [20/7/2007 15:47 280712] R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [23/11/2006 05:04 5504] S3 dump_wmimmc;dump_wmimmc; [x] . Conteúdo da pasta 'Tarefas Agendadas' . - - - - ORFÃOS REMOVIDOS - - - - HKLM-Run-<NO NAME> - c:\windows\system32\svc\svchosts.exe . ------- Scan Suplementar ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = hxxp://www.itautec.com.br/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR IE: Abrir com o GetRight Browser IE: Abrir em uma nova guia do plano de fundo - c:\arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?cf1ece1bf5e44ddebc591bef809d0870 IE: Abrir em uma nova guia do primeiro plano - c:\arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?cf1ece1bf5e44ddebc591bef809d0870 IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: Baixar link usando &BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddLink.htm IE: Baixar todos os links usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddVideo.htm IE: Download com o GetRight IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: bancobrasil.com.br\www2 DPF: Microsoft XML Parser for Java DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe FF - ProfilePath - c:\documents and settings\Tiago\Dados de aplicativos\Mozilla\Firefox\Profiles\r8vpe4l7.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.bandasdegaragem.com.br/audioterapia FF - prefs.js: network.proxy.type - 2 FF - component: c:\arquivos de programas\AVG\AVG8\Firefox\components\avgssff.dll FF - 
plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-03 02:48 Windows 5.1.2600 Service Pack 3 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** . 
--------------------- CHAVES DO REGISTRO BLOQUEADAS --------------------- [HKEY_USERS\S-1-5-21-4267833771-4243619368-3267618919-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5720F416-4696-472D-B7C4-2F733F026E58}*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) "oacljnfpaooflnbjllafkjhmjakikd"=hex:64,61,64,66,62,69,61,70,00,b0 "oaginiccbdjoohkhhoaoggblhibbgk"=hex:6a,61,64,66,65,68,6a,62,6f,61,70,6b,6a,66, 68,6a,65,69,62,66,00,fd "naajhbocafkccoegdibbjgmncooa"=hex:6a,61,64,66,65,68,6a,62,6f,61,70,6b,6a,66, 68,6a,65,69,62,66,00,fd [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*] "6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter] @DACL=(02 0000) "DLLName"="avgrsstx.dll" "Startup"="AvgStartup" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy] @DACL=(02 0000) "Asynchronous"=dword:00000001 "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll" "Startup"="WlDimsStartup" "Shutdown"="WlDimsShutdown" "Logon"="WlDimsLogon" "Logoff"="WlDimsLogoff" "StartShell"="WlDimsStartShell" "Lock"="WlDimsLock" "Unlock"="WlDimsUnlock" . --------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'winlogon.exe'(804) c:\arquivos de programas\GbPlugin\gbieh.dll - - - - - - - > 'explorer.exe'(2964) c:\windows\system32\SnAgOS.TMP c:\windows\system32\Sngw.dll c:\arquivos de programas\GbPlugin\gbieh.dll c:\windows\system32\msls31.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Outros Processos em Execução ------------------------ . 
c:\windows\system32\LexBceS.exe c:\windows\system32\Lexpps.exe c:\arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe c:\arquivos de programas\Bonjour\mDNSResponder.exe c:\arquivos de programas\Borland\InterBase\bin\ibguard.exe c:\arquivos de programas\Java\jre6\bin\jqs.exe c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\arquivos de programas\AVG\AVG8\avgrsx.exe c:\arquiv~1\AVG\AVG8\avgnsx.exe c:\arquivos de programas\Windows Media Player\wmpnetwk.exe c:\windows\system32\SnAgOS.EXE c:\arquivos de programas\Borland\InterBase\bin\ibserver.exe c:\windows\system32\wscntfy.exe c:\windows\system32\wbem\wmiapsrv.exe . ************************************************************************** . Tempo para conclusão: 2009-07-03 3:07 - Máquina reiniciou ComboFix-quarantined-files.txt 2009-07-03 06:07 Pré-execução: 4.890.378.240 bytes disponíveis Pós execução: 4.862.255.104 bytes disponíveis WindowsXP-KB310994-SP2-Home-BootDisk-PTB.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 241 --- E O F --- 2009-06-12 06:30
jgarcia Posted July 7, 2009
Hey tpazzin,
Follow these instructions:
1. Open Notepad -> Copy (Ctrl + C) and Paste (Ctrl + V) all of the text included in the "Quote":
File::
c:\documents and settings\All Users\Dados de aplicativos\KGyGaAvL.sys
c:\documents and settings\All Users\Dados de aplicativos\56D2EE7344.sys
c:\windows\system32\ezsidmv.dat
Driver::
"dump_wmimmc"
RegNull::
[HKEY_USERS\S-1-5-21-4267833771-4243619368-3267618919-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5720F416-4696-472D-B7C4-2F733F026E58}*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
WARNING: The script above was written specifically for the infection on this computer. Using it on another machine may cause serious problems for its user.
2. Save the file as CFScript.txt;
3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.
Cheers.
tpazzin Posted July 11, 2009
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:49:19, on 11/7/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16850) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe C:\Arquivos de programas\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\ARQUIV~1\AVG\AVG8\avgrsx.exe C:\ARQUIV~1\AVG\AVG8\avgnsx.exe C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\SnMgrSvc.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\SnAgOS.exe C:\WINDOWS\system32\SnLiveUp.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\sm56hlpr.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Arquivos de programas\Power Manager\PM.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\domino.exe C:\WINDOWS\VMSnap1.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\ARQUIV~1\AVG\AVG8\avgtray.exe C:\Arquivos de programas\Messenger\msmsgs.exe C:\Arquivos de programas\Skype\Phone\Skype.exe C:\Documents and Settings\Tiago\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe C:\Arquivos de programas\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\WINDOWS\explorer.exe C:\Documents and 
Settings\Tiago\Meus documentos\Downloads\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.itautec.com.br/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file) O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.5.19.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll O2 - BHO: Auxiliar de Conexão do Windows Live - 
{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file) O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file) O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file) O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [PowerManager] C:\Arquivos de programas\Power Manager\PM.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW 
Graphics Suite 12" /date=072509 serial=DR12CUS-2178927-HVQ lang=BP O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tiago\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c O4 - Global Startup: BlueSoleil.lnk = ? O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?cf1ece1bf5e44ddebc591bef809d0870 O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?cf1ece1bf5e44ddebc591bef809d0870 O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - 
C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file) O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. 
- C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe -- End of file - 11223 bytes ----------------------------------------------------------------------------- Log Combofix ComboFix 09-07-09.08 - Tiago 11/07/2009 19:16.2.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.55.1046.18.446.185 [GMT -3:00] Executando de: c:\documents and settings\Tiago\Meus documentos\Downloads\ComboFix.exe Comandos utilizados :: c:\documents and settings\Tiago\Meus documentos\Downloads\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} * Criado um novo ponto de restauração FILE :: "c:\documents and settings\All Users\Dados de aplicativos\56D2EE7344.sys" "c:\documents and settings\All Users\Dados de aplicativos\KGyGaAvL.sys" "c:\windows\system32\ezsidmv.dat" . ADS - drivers: deleted 204 bytes in 1 streams. 
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Tiago\CONFIG~1\Temp\catchme.dll
c:\documents and settings\All Users\Dados de aplicativos\56D2EE7344.sys
c:\documents and settings\All Users\Dados de aplicativos\KGyGaAvL.sys
c:\documents and settings\Tiago\Configurações locais\Temp\catchme.dll
c:\windows\system32\ezsidmv.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DUMP_WMIMMC
-------\Service_dump_wmimmc

(((((((((((((((( Arquivos/Ficheiros criados de 2009-06-11 to 2009-07-11 ))))))))))))))))))))))))))))
.
2009-07-08 18:29 . 2009-06-26 21:25 327688 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgldx86.sys
2009-07-08 18:29 . 2009-06-26 21:24 2052376 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgcorex.dll
2009-07-08 18:29 . 2009-06-26 21:24 2167576 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgresf.dll
2009-07-08 18:29 . 2009-06-26 21:23 3402008 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgui.exe
2009-07-08 18:29 . 2009-06-26 21:23 1204504 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgabout.dll
2009-07-08 18:29 . 2009-06-26 21:23 337176 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avglogx.dll
2009-07-08 18:29 . 2009-06-26 21:22 829208 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgcfgx.dll
2009-07-08 18:29 . 2009-06-26 21:22 3298072 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\setup.exe
2009-07-08 18:22 . 2009-06-26 21:09 1085208 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgupd.exe
2009-07-08 18:22 . 2009-06-26 21:08 1454360 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgupd.dll
2009-07-02 17:07 . 2009-07-02 17:07 -------- d-----w- C:\!KillBox
2009-07-02 08:20 . 2009-07-02 08:20 -------- d-----w- C:\desktopclean
2009-07-02 05:12 . 2009-07-02 07:33 -------- d-----w- c:\arquivos de programas\NitroPC
2009-06-27 19:38 . 2009-06-27 19:39 -------- d-----w- C:\Brasfoot2009
2009-06-23 05:14 . 2009-06-23 05:14 -------- d-----w- c:\arquivos de programas\Lavalys
2009-06-20 23:22 . 2009-07-02 07:13 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2009-06-19 23:27 . 2009-07-02 19:58 -------- d-----w- c:\windows\system32\svc
2009-06-17 23:58 . 2009-06-17 23:58 -------- d-----w- c:\arquivos de programas\SWF-AVI-GIF Converter
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-11 20:35 . 2009-07-11 20:35 186504 ----a-w- c:\windows\system32\SnAgOS.TMP
2009-07-08 18:25 . 2009-04-11 22:19 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 21:25 . 2009-04-11 22:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 21:25 . 2009-04-11 22:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 07:42 . 2009-05-23 18:07 -------- d-----w- c:\arquivos de programas\Megacubo
2009-06-20 23:19 . 2007-04-10 00:18 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-06-18 19:59 . 2009-03-06 21:51 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-06-17 21:58 . 2006-03-02 12:00 82072 ----a-w- c:\windows\system32\perfc016.dat
2009-06-17 21:58 . 2006-03-02 12:00 461940 ----a-w- c:\windows\system32\perfh016.dat
2009-06-07 09:02 . 2009-06-07 09:02 -------- d-----w- c:\arquivos de programas\SolitaireMahjong
2009-05-31 21:40 . 2009-02-04 22:03 -------- d-----w- c:\arquivos de programas\phpDesigner
2009-05-25 19:30 . 2009-05-25 19:30 -------- d-----w- c:\arquivos de programas\FormatFactory
2009-05-25 18:55 . 2009-05-25 18:46 -------- d-----w- c:\documents and settings\Tiago\Dados de aplicativos\Any Video Converter
2009-05-25 18:47 . 2009-05-25 18:45 -------- d-----w- c:\arquivos de programas\Any Video Converter
2009-05-23 18:11 . 2009-05-23 18:11 -------- d-----w- c:\arquivos de programas\TVUPlayer
2009-05-22 22:09 . 2009-01-28 05:42 -------- d-----w- c:\arquivos de programas\PokerStars
2009-05-14 01:54 . 2007-08-05 19:12 -------- d-----w- c:\arquivos de programas\Macromedia
2009-05-14 01:53 . 2007-08-05 19:13 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macromedia
2009-05-07 15:33 . 2006-03-02 12:00 347136 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 19:36 . 2009-04-11 22:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:45 . 2006-03-02 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:45 . 2006-03-02 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 19:50 . 2006-03-02 12:00 1847296 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 06:20 . 2009-04-17 06:20 1878888 ----a-w- c:\documents and settings\Tiago\Dados de aplicativos\Opera\Opera\profile\cache4\temporary_download\install_flash_player.exe
2009-04-15 14:53 . 2006-03-02 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-12-15 00:11 . 2008-06-18 05:08 71930 ----a-w- c:\arquivos de programas\megacubo_log.log
.
((((((((((((((((((((((((((((( SnapShot@2009-07-03_05.50.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 22:31 . 2009-07-11 22:31 16384 c:\windows\Temp\Perflib_Perfdata_208.dat
+ 2009-04-24 18:04 . 2009-07-04 02:28 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut911.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut911.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut9100.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut9100.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut910.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut910.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut901.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut901.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut9001.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut9001.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut9000.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut9000.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut9_1.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 49152 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut9_1.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut8.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut8.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut6.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut6.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut5.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut5.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut4.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut4.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut3.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut3.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut2.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut2.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut1.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut1.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_3082.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_3082.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1046.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1046.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1043.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1043.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1040.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1040.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1036.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1036.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1031.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe_1031.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 34304 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\misc.exe.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
- 2009-04-24 18:04 . 2009-04-24 18:04 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\ARPPRODUCTICON.exe
+ 2009-04-24 18:04 . 2009-07-04 02:28 61440 c:\windows\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\ARPPRODUCTICON.exe
+ 2003-09-19 17:22 . 2003-09-19 17:22 299008 c:\windows\Downloaded Program Files\isusweb.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"Google Update"="c:\documents and settings\Tiago\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-05-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerManager"="c:\arquivos de programas\Power Manager\PM.exe" [2006-06-30 159744]
"RemoteControl"="c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2006-09-01 282624]
"domino"="c:\windows\domino.exe" [2006-07-04 49152]
"VMSnap1"="c:\windows\VMSnap1.exe" [2006-07-17 49152]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-09-06 36864]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"AVG8_TRAY"="c:\arquiv~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"CorelDRAW Graphics Suite 11b"="c:\arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" [2003-11-28 729088]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-09-16 557056]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-10-04 90112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-10-31 163840]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
BlueSoleil.lnk - c:\arquivos de programas\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-10-4 1183744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2009-01-21 17:22 413488 ------w- c:\arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 21:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\Arquivos de programas\\BitComet\\BitComet.exe"=
"c:\\Arquivos de programas\\FTP Commander\\ftpcomm.exe"=
"c:\\Arquivos de programas\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Arquivos de programas\\phpDesigner\\phpDesigner.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"=
"c:\\Arquivos de programas\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\Megacubo\\megacubo.exe"=
"c:\\Documents and Settings\\Tiago\\Configurações locais\\Dados de aplicativos\\Google\\Chrome\\Application\\chrome.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11005:TCP"= 11005:TCP:BitComet 11005 TCP
"11005:UDP"= 11005:UDP:BitComet 11005 UDP

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [6/3/2009 18:52 31536]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/4/2009 19:19 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/4/2009 19:19 108552]
R1 SNSID;SNSID;c:\windows\system32\drivers\SNSID.SYS [20/7/2007 15:47 22784]
R1 SNSMS;SNSMS;c:\windows\system32\drivers\SNSMS.SYS [20/7/2007 15:47 35464]
R2 avg8wd;AVG Free8 WatchDog;c:\arquiv~1\AVG\AVG8\avgwdsvc.exe [11/4/2009 19:19 298776]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [6/3/2009 18:52 53040]
R2 Ps2KSecureKeyboard;SecureKbd;c:\windows\system32\drivers\psseckbd.sys [20/7/2007 15:47 15048]
R2 SNMgrSvc;SNMgrSvc;c:\windows\system32\SnMgrSvc.exe [20/7/2007 15:47 280712]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [23/11/2006 05:04 5504]
.
- - - - ORFÃOS REMOVIDOS - - - -

HKLM-Run-<NO NAME> - c:\windows\system32\svc\svchosts.exe

.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.itautec.com.br/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
IE: Abrir com o GetRight Browser
IE: Abrir em uma nova guia do plano de fundo - c:\arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?cf1ece1bf5e44ddebc591bef809d0870
IE: Abrir em uma nova guia do primeiro plano - c:\arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?cf1ece1bf5e44ddebc591bef809d0870
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Baixar link usando &BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddLink.htm
IE: Baixar todos os links usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
IE: Download com o GetRight
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancobrasil.com.br\www2
DPF: Microsoft XML Parser for Java
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
FF - ProfilePath - c:\documents and settings\Tiago\Dados de aplicativos\Mozilla\Firefox\Profiles\r8vpe4l7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bandasdegaragem.com.br/audioterapia
FF - prefs.js: network.proxy.type - 2
FF - component: c:\arquivos de programas\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 19:34
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\SnAgOS.TMP
c:\windows\system32\Sngw.dll
c:\arquivos de programas\GbPlugin\gbieh.dll
c:\docume~1\Tiago\CONFIG~1\Temp\catchme.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\SnAgOS.TMP
c:\windows\system32\Sngw.dll
c:\docume~1\Tiago\CONFIG~1\Temp\catchme.dll

- - - - - - - > 'explorer.exe'(2752)
c:\windows\system32\SnAgOS.TMP
c:\windows\system32\Sngw.dll
c:\arquivos de programas\GbPlugin\gbieh.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\LexBceS.exe
c:\windows\system32\Lexpps.exe
c:\arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe
c:\arquivos de programas\Bonjour\mDNSResponder.exe
c:\arquivos de programas\Borland\InterBase\bin\ibguard.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\arquivos de programas\AVG\AVG8\avgrsx.exe
c:\arquiv~1\AVG\AVG8\avgnsx.exe
c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\arquivos de programas\Windows Media Player\wmpnetwk.exe
c:\arquivos de programas\Borland\InterBase\bin\ibserver.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\SnAgOS.EXE
c:\windows\system32\SnLiveUp.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-07-11 19:47 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-07-11 22:47
ComboFix2.txt 2009-07-03 06:07

Pré-execução: 4.509.839.360 bytes disponíveis
Pós execução: 4.419.637.248 bytes disponíveis

280 --- E O F --- 2009-06-12 06:30
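A helper's first pass over a HijackThis log like the one posted above is mechanical: entries whose target file no longer exists ("(no file)") are dead registry references and safe cleanup candidates, O4 Run entries given as a bare file name (no directory) are resolved through the search path and should be checked for which file actually loads, and O20 Winlogon Notify DLLs are loaded into winlogon.exe at logon and deserve a publisher check. The script below is an added example of that triage, not part of this thread or of HijackThis; the sample log is constructed from entry types seen in the posted log, and the bucket names are the example's own.

```python
import re

# Constructed sample, modelled on the entry types in the log posted above
# (GUIDs and paths copied from it; the selection of lines is made up).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# O4 lines look like:  O4 - HKLM\..\Run: [name] command [args]
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

BUCKETS = ("orphan", "bare_name", "winlogon_notify", "normal")


def executable_of(cmd: str) -> str:
    """Return the program token of a Run command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> dict:
    """Sort HijackThis entries into review buckets (bucket names are this example's own)."""
    buckets = {name: [] for name in BUCKETS}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            # Registry still references a BHO/toolbar/filter whose DLL is gone.
            buckets["orphan"].append(line)
            continue
        if line.startswith("O20 - Winlogon Notify:"):
            # DLL loaded into winlogon.exe at logon: verify the file and its publisher.
            buckets["winlogon_notify"].append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe and ":" not in exe:
                # Bare file name: Windows resolves it through the search path,
                # so confirm which copy is actually executed.
                buckets["bare_name"].append(line)
                continue
        buckets["normal"].append(line)
    return buckets


def summary(log_text: str) -> dict:
    """Counts per bucket, handy for a quick first reply on a forum thread."""
    return {name: len(lines) for name, lines in triage(log_text).items()}


if __name__ == "__main__":
    for name, lines in triage(SAMPLE_LOG).items():
        print(f"== {name} ({len(lines)})")
        for entry in lines:
            print("  " + entry)
```

The bare-name rule is a heuristic, not a verdict: the posted log's `VTTimer.exe` and `SOUNDMAN.EXE` entries are ordinary OEM tools, which is why ComboFix's own "Pontos de Carregamento do Registro" section resolves each of them to a full path and file date so the reviewer can compare.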
jgarcia Posted July 20, 2009

Hi tpazzin,

Go to Start -> Run -> type regedit -> click OK.

Navigate to the following subkey:
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components

Locate and delete the following folder:
Ø•€|ÿÿÿÿ•€|ù•6~*

Exit the Registry Editor.

Post a new ComboFix log.

Regards.
Mário Monteiro Posted August 20, 2009

Topic Archived

As the author has not replied for more than 30 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain why it should be reopened.