[Resolvido!] Win32/Heur e derivados (Win32/Virut, SHeur2.AMSD) in

Lucied · Julho 7, 2009

Olá.

Li a respeito desse malware, e sofro de alguns dos "sintomas" que o mesmo causa: conexão lenta, páginas que não carregam, wallpaper sumindo subitamente e aplicativos que não conseguem rodar (inclusive o logonui do Windows, o que gera erros logo na inicialização do sistema). O AVG detecta e supostamente remove o vírus, junto a alguns semelhantes, mas logo depois eles estão lá novamente, nas mesmas pastas. Tenho tido estes problemas desde o início da semana, e descofio que tenha sido infectado através de um pendrive.

Meu modem também está sinalizando transição de dados constante, o que me faz temer que dados do meu computador possam estar sendo roubados, ou que algo não agradável possa estar sendo baixado sem meu conhecimento. Preciso muito de ajuda, pois quero evitar ter de formatar este PC.

Segue o log do HijackThis:

-----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 19:37:30, on 7/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\spoolsv.exe

H:\WINDOWS\system32\csrcs.exe

H:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

H:\WINDOWS\system32\servises.exe

H:\Arquivos de programas\Java\jre6\bin\jqs.exe

H:\ARQUIV~1\AVG\AVG8\avgtray.exe

H:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

H:\Arquivos de programas\IDT\WDM\sttray.exe

H:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

H:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

H:\Arquivos de programas\Java\jre6\bin\jusched.exe

H:\WINDOWS\system32\servises.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

H:\WINDOWS\system32\HPZipm12.exe

H:\WINDOWS\system32\servises.exe

H:\ARQUIV~1\AVG\AVG8\avgrsx.exe

H:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

H:\ARQUIV~1\AVG\AVG8\avgnsx.exe

h:\arquivos de programas\idt\ecsxpv_5762_010208\wdm\STacSV.exe

H:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

H:\WINDOWS\Explorer.exe

H:\WINDOWS\System32\svchost.exe

H:\ARQUIV~1\AVG\AVG8\avgemc.exe

H:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

H:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

H:\WINDOWS\system32\svchost.exe

H:\Arquivos de programas\Mozilla Firefox\firefox.exe

H:\Arquivos de programas\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe

O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com

O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Arquivos de programas\BitComet\tools\BitCometBHO.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conex? do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [AVG8_TRAY] H:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [RemoteControl] "H:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "H:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] H:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [startCCC] "H:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [AutoTBar] AUTOTBAR.EXE

O4 - HKLM\..\Run: [HP Software Update] H:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "H:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [servises] H:\WINDOWS\system32\servises.exe

O4 - HKLM\..\RunOnce: [spybotSnD] "H:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] H:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [iSUSPM] "H:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [servises] H:\WINDOWS\system32\servises.exe

O8 - Extra context menu item: Baixar com &BitComet - res://H:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Baixar todos com BitComet - res://H:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://H:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://H:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1224693924984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{11E93C6D-F3FB-419F-BF96-60586D109CC7}: NameServer = 201.10.1.2,201.10.120.3

O17 - HKLM\System\CS1\Services\Tcpip\..\{11E93C6D-F3FB-419F-BF96-60586D109CC7}: NameServer = 201.10.1.2,201.10.120.3

O17 - HKLM\System\CS2\Services\Tcpip\..\{11E93C6D-F3FB-419F-BF96-60586D109CC7}: NameServer = 201.10.1.2,201.10.120.3

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Arquivos de programas\AVG\AVG8\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: avgrsstarter - H:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - H:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - H:\Arquivos de programas\Java\jre6\bin\jqs.exe" -service -config "H:\Arquivos de programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - h:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: NMIndexingService - Unknown owner - H:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - H:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - h:\arquivos de programas\idt\ecsxpv_5762_010208\wdm\STacSV.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - H:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

-----------------------------------------------------------------------------------

Agradeço qualquer ajuda desde já, e aguardo suporte.

~Lucied

PedroN · Julho 7, 2009

Faça o download do ComboFix de um destes locais:

Link 1.

Link 2.

Link 3.

Importante!

Você não deve usar Combofix a menos que você tenha sido instruído a fazê-lo por um análista de segurança.

Destina-se pelo seu criador para ser utilizado sob orientação e supervisão de um especialista, e não para uso privado.

Utilizando esta ferramenta incorreto poderia levar a desastrosa problemas com o seu sistema operacional.

Certifique-se de que você salvou ComboFix.exe para o seu desktop.

• Desabilite o seu Antivírus e AntiSpyware , geralmente através de um clique direito sobre o ícone da bandeja do sistema. Eles podem interferir na execução da ferramenta.

• Dê um duplo clique no ComboFix.exe & siga as instruções.

• Como parte de seu processo, ComboFix irá verificar se o Microsoft Windows Recovery Console está instalado. Como as infecções de malware são hoje, é fortemente recomendado que esteja pré-instalado em sua máquina antes de fazer qualquer remoção de malware. Ela permitirá que você arrancar em especial uma recuperação / reparação modo a permitir-nos-á mais fácil ajudá-lo a seu computador deve ter um problema após uma tentativa de remoção de malware.

• Siga as instruções para permitir ComboFix para baixar e instalar o Microsoft Windows Recovery Console e, quando for solicitado, concordar com o End-User License Agreement para instalar o Microsoft Windows Recovery Console.

-- Atenção: Se a consola de recuperação do Microsoft Windows já estiver instalado, ComboFix irá continuar a sua remoção malware procedimentos.

Uma vez que o Microsoft Windows Recovery Console é instalado usando o ComboFix, você deverá ver a seguinte mensagem:

Clique em Sim, para continuar a varredura de malware.

Quando terminar, ela deve produzir um log para você. Poste o relatorio do combofix que estar em C: \ ComboFix.txt junto com um log do hijackthis.

Lucied · Julho 7, 2009

Tentei baixar o ComboFix dos três sites mencionados, e em todas as vezes o mesmo erro ocorreu ao tentar executá-lo:

Alguma alternativa ao programa sugerido? Obrigado.

~Lucied

PS: Está muito difícil acessar qualquer página na internet. Foram quatro ou cinco tentativas em cada um dos links para que finalmente conseguisse baixar o ComboFix, e somente para que esta página de resposta carregasse acho que passaram-se cerca de 4 minutos.

PedroN · Julho 7, 2009

- Faça o download do SDFIX

Reinicie seu computador, e aperte a tecla F8 (F5 em alguns casos) intermitentemente durante a inicialização, até aparecer um menu onde você deverá escolher a opção Modo Seguro

1. Entre na pasta SDFix que foi instalada no seu computador e dê um duplo clique no arquivo RunThis.bat

2. Tecle Y para que a ferramenta inicie o processo de remoção

3. Quando tudo terminar, você verá um aviso dizendo para apertar qualquer tecla para continuar. Ao pressionar qualquer tecla, o computador será reiniciado automaticamente

4. Após reiniciar, a ferramenta ainda será executada novamente e irá terminar o seu trabalho e a palavra Finished irá aparecer. Pressione qualquer tecla.

5. Uma janela com o relatório do SDFix irá aparecer.

6. Copie e cole este relatório na sua resposta . Caso você tenha fechado a janela, uma cópia do relatório estará na pasta SDFix com o nome Report.txt.

Lucied · Julho 8, 2009

PedroN,

Executei o SDFix em modo de segurança como instruído, mas após a reinicialização automática do PC novos programas acusaram erros (DAEMON Tools Lite - DaemonSearchBar.exe - e o Catalyst da minha placa de vídeo ATI - MOM.exe). Também houveram erros ao tentar iniciar esses mesmos programas manualmente, depois do término da inicialização. Parece que ao menos a conexão ficou levemente mais rápida, e o logonui.exe iniciou normalmente (com tela de boas vindas do Windows XP, etc).

Segue o log do SDFix:

--------------------------------------------------------------------

SDFix: Version 1.153

Run by Jorge on ter 07/07/2009 at 21:14

Microsoft Windows XP [versão 5.1.2600]

Running From: H:\SDFix

Checking Services :

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-07 21:21:30

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="H:\Arquivos de programas\Alcohol Soft\Alcohol 120\"

"h0"=dword:00000000

"ujdew"=hex:5f,22,85,7c,fe,d0,3e,07,01,b4,3c,3f,30,04,42,8d,95,92,a6,bd,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000001

"khjeh"=hex:32,85,68,ca,6b,60,44,5d,01,c1,40,0d,8e,dd,e8,9e,67,71,96,7a,13,..

"p0"="H:\Arquivos de programas\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:5c,a4,a5,39,c9,9d,98,8c,38,97,47,f9,3e,91,0f,a7,57,3d,ab,6b,e7,..

"a0"=hex:20,01,00,00,fa,36,ae,03,03,7f,6b,b6,c6,da,d0,49,4a,de,f7,9a,3c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:c9,80,1d,2b,96,8c,3f,a9,e5,ba,bc,07,24,ff,06,cd,d9,e4,5b,59,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:b2,b1,60,5e,c3,30,9a,73,8c,c6,99,46,fe,9e,d2,0d,ec,fe,f6,ba,06,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="H:\Arquivos de programas\Alcohol Soft\Alcohol 120\"

"h0"=dword:00000000

"ujdew"=hex:5f,22,85,7c,fe,d0,3e,07,01,b4,3c,3f,30,04,42,8d,95,92,a6,bd,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000001

"khjeh"=hex:32,85,68,ca,6b,60,44,5d,01,c1,40,0d,8e,dd,e8,9e,67,71,96,7a,13,..

"p0"="H:\Arquivos de programas\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:5c,a4,a5,39,c9,9d,98,8c,38,97,47,f9,3e,91,0f,a7,57,3d,ab,6b,e7,..

"a0"=hex:20,01,00,00,fa,36,ae,03,03,7f,6b,b6,c6,da,d0,49,4a,de,f7,9a,3c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:c9,80,1d,2b,96,8c,3f,a9,e5,ba,bc,07,24,ff,06,cd,d9,e4,5b,59,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:b2,b1,60,5e,c3,30,9a,73,8c,c6,99,46,fe,9e,d2,0d,ec,fe,f6,ba,06,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\27:\xf5wjY\1]

"DisplayName"="\x3da2\x7665\x1200\27\x1340\21\t"

"DeviceDesc"="\x3da2\x7665\x1200\27\x1340\21\t"

"ProviderName"="\xea70\x37e\x24dc\21\xfcb0\x1e2\x2808\21\x9005\x77f7"

"MFG"="\xffff\xffff\x3dbf\x7665\x654f\x7665\x900"

"ReinstallString"=".10.1000.8"

"DeviceInstanceIds"=str(7):"g:\chipset\xp3264\smbus\smbusati.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:0000003d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"LoadAppInit_DLLs"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\17_\xe8\x90]

"Order"=hex:08,00,00,00,02,00,00,00,80,00,00,00,01,00,00,00,01,00,00,00,74,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\17_\xe8\x90\DEVIL FORCE]

"Order"=hex:08,00,00,00,02,00,00,00,02,02,00,00,01,00,00,00,04,00,00,00,80,..

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"H:\\Arquivos de programas\\AVG\\AVG8\\avgemc.exe"="H:\\Arquivos de programas\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"

"H:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"="H:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

"H:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"="H:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"

"G:\\CDS\\Nero\\Installation\\SetupX.exe"="G:\\CDS\\Nero\\Installation\\SetupX.exe:*:Enabled:Nero ProductSetup"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"H:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="H:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"H:\\Arquivos de programas\\Macromedia\\Fireworks MX\\Fireworks.exe"="H:\\Arquivos de programas\\Macromedia\\Fireworks MX\\Fireworks.exe:*:Enabled:Fireworks MX"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"

"H:\\Arquivos de programas\\BitComet\\BitComet.exe"="H:\\Arquivos de programas\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"

"H:\\Arquivos de programas\\Macromedia\\Flash MX\\Flash.exe"="H:\\Arquivos de programas\\Macromedia\\Flash MX\\Flash.exe:*:Enabled:Flash 6.0 r51"

"H:\\WINDOWS\\system32\\PnkBstrA.exe"="H:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"

"H:\\WINDOWS\\system32\\PnkBstrB.exe"="H:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"

"H:\\Arquivos de programas\\Instinct\\instinct.exe"="H:\\Arquivos de programas\\Instinct\\instinct.exe:*:Enabled:ds2main"

"H:\\Arquivos de programas\\Lionhead Studios Ltd\\Black & White\\runblack.exe"="H:\\Arquivos de programas\\Lionhead Studios Ltd\\Black & White\\runblack.exe:*:Enabled:lh"

"H:\\Arquivos de programas\\SEGA\\Iron Man\\IronMan.exe"="H:\\Arquivos de programas\\SEGA\\Iron Man\\IronMan.exe:*:Enabled:A2M Game Engine"

"H:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"="H:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"

"H:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="H:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"H:\\Arquivos de programas\\Unreal Tournament 3\\Binaries\\UT3.exe"="H:\\Arquivos de programas\\Unreal Tournament 3\\Binaries\\UT3.exe:*:Enabled:Unreal Tournament 3"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"

"H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="H:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

"H:\\Arquivos de programas\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"="H:\\Arquivos de programas\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club"

"H:\\Arquivos de programas\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"="H:\\Arquivos de programas\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV"

"\\??\\H:\\WINDOWS\\system32\\winlogon.exe"="\\??\\H:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"H:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="H:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"H:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"="H:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"

"H:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="H:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- H:\ARQUIV~1\SPYBOT~1\ADVCHECK.DLL

Mon 15 Sep 2008 1,562,960 A.SHR --- H:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL

Thu 14 Aug 2008 1,429,840 A.SHR --- H:\ARQUIV~1\SPYBOT~1\SDUPDATE.EXE

Wed 30 Jul 2008 4,891,984 A.SHR --- H:\ARQUIV~1\SPYBOT~1\SPYBOTSD.EXE

Thu 5 Mar 2009 2,280,448 A.SHR --- H:\ARQUIV~1\SPYBOT~1\TEATIMER.EXE

Wed 22 Oct 2008 962,896 A.SHR --- H:\ARQUIV~1\SPYBOT~1\TOOLS.DLL

Tue 16 Sep 2008 1,833,296 A.SHR --- H:\ARQUIV~1\TEATIM~1\TEATIMER.EXE

Sun 13 Apr 2008 713,010 A.SHR --- H:\WINDOWS\SYSTEM32\CSRCS.EXE

Sat 1 Sep 2007 81,920 A..H. --- H:\ARQUIV~1\SLACKS~1\MACROX~1\CARMLIC.EXE

Thu 2 Oct 2008 0 A.SH. --- H:\DOCUME~1\ALLUSE~1\DRM\CACHE\INDIV01.TMP

Sun 24 Feb 2008 190,976 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL0003.TMP

Tue 4 Mar 2008 191,488 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL0005.TMP

Sun 2 Mar 2008 51,712 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL0250.TMP

Tue 4 Mar 2008 191,488 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL0570.TMP

Tue 4 Mar 2008 194,560 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL0841.TMP

Tue 4 Mar 2008 51,712 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL1187.TMP

Sat 14 Jul 2007 97,280 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL1255.TMP

Tue 4 Mar 2008 192,512 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL1957.TMP

Tue 4 Mar 2008 193,536 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\~WRL2140.TMP

Thu 23 Aug 2007 48,128 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL0118.TMP

Wed 18 Jul 2007 27,136 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL0141.TMP

Wed 22 Aug 2007 47,616 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL0253.TMP

Wed 18 Jul 2007 31,232 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL0379.TMP

Wed 22 Aug 2007 47,616 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL0785.TMP

Thu 23 Aug 2007 53,248 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL0812.TMP

Thu 23 Aug 2007 49,664 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL1101.TMP

Wed 18 Jul 2007 28,160 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL1804.TMP

Thu 23 Aug 2007 48,128 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL2698.TMP

Thu 23 Aug 2007 49,664 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL2877.TMP

Wed 22 Aug 2007 44,544 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL3062.TMP

Wed 18 Jul 2007 30,208 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL3313.TMP

Wed 18 Jul 2007 31,744 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL3412.TMP

Wed 18 Jul 2007 31,744 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\SISTEM~1\~WRL3552.TMP

Wed 18 Jul 2007 155,136 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\STORYL~1\~WRL0535.TMP

Sun 31 Dec 2006 301,568 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\STORYL~1\~WRL1073.TMP

Sun 31 Dec 2006 300,032 ...H. --- H:\TIGERH~1\_IRUCA~2\TEXTS\STORYL~1\~WRL2924.TMP

Thu 16 Oct 2008 1,471,528 A..H. --- H:\WINDOWS\SOFTWA~1\DOWNLOAD\162671~1\BIT30.TMP

Thu 2 Oct 2008 0 A..H. --- H:\WINDOWS\SOFTWA~1\DOWNLOAD\DB4AF1~1\BIT5.TMP

Fri 17 Oct 2008 2,874,920 A..H. --- H:\WINDOWS\SOFTWA~1\DOWNLOAD\F2EEA5~1\BIT2F.TMP

Wed 24 Jun 2009 4,520 ...HR --- H:\DOCUME~1\JORGE\DADOSD~1\SECUROM\USERDATA\SECURO~1.BAK

Thu 23 Aug 2007 48,128 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL0118.TMP

Wed 18 Jul 2007 27,136 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL0141.TMP

Wed 22 Aug 2007 47,616 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL0253.TMP

Wed 18 Jul 2007 31,232 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL0379.TMP

Wed 22 Aug 2007 47,616 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL0785.TMP

Thu 23 Aug 2007 53,248 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL0812.TMP

Thu 23 Aug 2007 49,664 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL1101.TMP

Wed 18 Jul 2007 28,160 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL1804.TMP

Thu 23 Aug 2007 48,128 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL2698.TMP

Thu 23 Aug 2007 49,664 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL2877.TMP

Wed 22 Aug 2007 44,544 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL3062.TMP

Wed 18 Jul 2007 30,208 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL3313.TMP

Wed 18 Jul 2007 31,744 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL3412.TMP

Wed 18 Jul 2007 31,744 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\SISTEM~1\~WRL3552.TMP

Wed 18 Jul 2007 155,136 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\STORYL~1\~WRL0535.TMP

Sun 31 Dec 2006 301,568 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\STORYL~1\~WRL1073.TMP

Sun 31 Dec 2006 300,032 A..H. --- H:\DOCUME~1\JORGE\MEUSDO~1\NOVAPA~1\STORYL~1\~WRL2924.TMP

Thu 16 Oct 2008 1,847,941 A..H. --- H:\WINDOWS\SOFTWA~1\DOWNLOAD\C7B96A~1\DOWNLOAD\BIT37.TMP

Finished!

--------------------------------------------------------------------

....E também um novo log do HijackThis:

--------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 21:39:33, on 7/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\spoolsv.exe

H:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

H:\Arquivos de programas\Java\jre6\bin\jqs.exe

H:\ARQUIV~1\AVG\AVG8\avgrsx.exe

H:\ARQUIV~1\AVG\AVG8\avgnsx.exe

H:\WINDOWS\system32\HPZipm12.exe

H:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

h:\arquivos de programas\idt\ecsxpv_5762_010208\wdm\STacSV.exe

H:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

H:\WINDOWS\System32\svchost.exe

H:\ARQUIV~1\AVG\AVG8\avgemc.exe

H:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

H:\WINDOWS\system32\svchost.exe

H:\ARQUIV~1\AVG\AVG8\avgtray.exe

H:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

H:\Arquivos de programas\IDT\WDM\sttray.exe

H:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

H:\Arquivos de programas\Java\jre6\bin\jusched.exe

H:\WINDOWS\system32\servises.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

H:\WINDOWS\system32\servises.exe

H:\WINDOWS\explorer.exe