[Resolvido!] Pc faz barulho como uma catraca

[DigRam 144]

Boa Noite !

 

Segue o link .

 

http://www.badongo.com/?page=upload_m_complete&s=&msg_u=http%3A%2F%2Fwww.badongo.com%2Ffile%2F16565583%0A&msg_e=

 

 

 

 

Grato

<><><><><><><><>

Opa! EDSSX

 

<!> Dessa vez o link não veio quebrado,mas...voçê postou o mesmo relatório incompleto.

<><><><><><><><>

<!> Amigo! Cabe aqui outra pergunta. Quando voçê executou o Toolbar S&D,o fez em Modo Seguro ou Normal?

<!> Se rodou em Modo Seguro,voçê poderá entrar como Administrador e deletar LEGACY_HOOKSYS.

 

Abraços!

[EDSSX 0]

Boa Noite !

 

 

Rodei o toolbarS&D em modo normal .

 

Quer que rode no modo seguro ?

 

 

 

Obrigado pela vossa atenção .

[DigRam 144]

Boa Noite !

 

 

Rodei o toolbarS&D em modo normal .

 

Quer que rode no modo seguro ?

 

 

 

Obrigado pela vossa atenção .

<><><><><><><><><>

Olá!

 

<!> Entre em Modo Seguro e,manualmente,delete LEGACY_HOOKSYS.

<!> Tendo êxito,pode executar Toolbar S&D em Modo Seguro,e postar seu relatório.

 

Abraços!

[EDSSX 0]

Boa Noite !

 

 

Não consegui deletar no modo seguro. Para rodar o toolbar S&D em modo seguro, apenas é possivel com rede e este log infra rodado desta maneira .

 

 

-----------\\ ToolBar S&D 1.2.8 XP/Vista

 

 

"D:\ToolBar SD" ( MAJ : 21-12-2008|20:47 )

Option : [2] ( qui 13/08/2009|22:57 )

 

-----------\\ Procura por Arquivos / Ficheiros ...

 

 

-----------\\ Extensions

 

(edsom luis) - {3112ca9c-de6d-4884-a869-9855de68056c} => google-toolbar

(edsom luis) - {991A772A-BA13-4c1d-A9EF-F897F31DEC7D} => megaupload

(edsom luis) - {3112ca9c-de6d-4884-a869-9855de68056c} => google-toolbar

 

 

-----------\\ [..\Internet Explorer\Main]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]

"Start Page"="http://www.msn.com/"

"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"

"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"

"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"

 

 

--------------------\\ Procurando por outras infecções

 

--------------------\\ ROOTKIT !!

 

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HOOKSYS]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HOOKSYS]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS]

 

 

 

 

1 - "D:\ToolBar SD\TB_1.txt" - 13/08/2009|20:16 - Option : [2]

2 - "D:\ToolBar SD\TB_2.txt" - qui 13/08/2009|22:58 - Option : [2]

 

 

 

Estas 3 pastas infra detectadas pelo avira antirootkit, estive observando que através do editor de registros ; não existem em meu sistema ( vai até em hmebrzs e esta pasta não abre ) . Nesta circunstância confirmaria o falso positivo ?

 

 

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren.ren

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren.ren.ren

 

 

 

Grato

[DigRam 144]

Bom Dia! EDSSX

 

Estas 3 pastas infra detectadas pelo avira antirootkit, estive observando que através do editor de registros ; não existem em meu sistema ( vai até em hmebrzs e esta pasta não abre ) . Nesta circunstância confirmaria o falso positivo ?

 

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren.ren

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren.ren.ren

<!> Se não abre,é porque está protegida ou oculta.Não indicando,devido à isso,ser maliciosa. Essa proteção,está ligada às permissões nas entradas do registro,dificultando ou impossibilitando ações na remoção/alteração por ferramentas.

<!> A chave é suspeita,pois pela sua nomenclatura,parece ligar-se à domínios perigosos.

<!> Aqui,temos alguns similares à essa entrada: < Link >

<!> Verifique no Hosts,se temos essa linha 127.0.0.1 services\hmebrzs.*,o que denotaria bloqueio do domínio. ( ...onde .* pode ser qualquer extensão! )

 

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HOOKSYS]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HOOKSYS]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS]

<!> Quanto à estas...sem alterar as permissões,permitindo controle total,serão indeletáveis.

<!> Exemplo similar,temos em relação ao que ocorre com serviços bancários.

 

Abraços!

[EDSSX 0]

Bom dia !

 

 

Tem não . Obrigado pela ampla atenção vossa . Pesquisarei na web um pouco mais sobre este desafio.

Se quizer encerrar este tópico, tudo bem .

 

 

 

 

Grato e abraços .

[DigRam 144]

Bom dia !

 

 

Tem não . Obrigado pela ampla atenção vossa . Pesquisarei na web um pouco mais sobre este desafio.

Se quizer encerrar este tópico, tudo bem .

 

 

 

 

Grato e abraços .

<><><><><><><><><><>

Boa Tarde! EDSSX

 

<!> O Tópico ficará aberto por uns 20 dias...e se até lá,não houver novidades,ele será arquivado.

 

Abraços!

[EDSSX 0]

Boa Tarde !

 

Não era possivel mais editar a ultima resposta .

 

Um detalhe ainda não mencionado, quando executei as alterações das permissões; os valores da chave sumiram do editor de registro cfe. figura infra porém ao abrir novamente o regedit eles voltavam .

 

 

Grato

[DigRam 144]

Boa Tarde! EDSSX

 

<!> Recomendo a leitura deste: < Comentários >

°°°°°°°°°°°°°°°°°°°°°°°°°

°°°°°°°°°°°°°°°°°°°°°°°°°

<!> Desinstale o Avira,temporariamente,e instale o Rising Antivirus.

<!> Faça um scan com o mesmo e,à seguir,desinstale-o. Utilize o RevoUninstaller,buscando uma desinstalação completa de seus componentes. Não utilise a desinstalação rápida.

°°°°°°°°°°°°°°°°°°°°°°°°°

<@> Baixe: < Revo Uninstaller >

<@> Salve-o no desktop.

<@> Instale o utilitário e verifique se na tela principal aparece o programa a ser desinstalado.

<@> Selecione-o e clique em Desinstalar.

<@> Ps: Este desinstalador,possui opções para remover entradas no registro,relacionadas ao Rising AV.

<@> Para maiores detalhes,leia o < Tutorial >

 

Abraços!

[EDSSX 0]

Boa Noite !

 

 

É nós dois estavámos certos . Lembra ? <!> Voçê já teve o programa Rising,instalado no PC? Pois essas entradas/serviços,estão relacionadas ao mesmo.

Minha resposta = Conforme acima é que ja tinha instalado ele, e perçebi que ele é malefico/tem um comportamento estranho no pc . Sim tinha instalado este Rising e que me lembre outros softwares do mesmo fabricante; inclusive o comportamento deles no pc estava muito estranho por isto removi .

 

Fiz os proçedimentos supra. Segue o log/figura que segundo consta não detectou nada .

 

[2009-08-14][20:21:06:515][2832][2696]: [ACTION][iNF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=2),Result=0x00000000

[2009-08-14][20:21:06:578][2832][2696]: [ACTION][iNF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=2),Result=0x00000000

[2009-08-14][20:21:06:609][2832][2696]: [ACTION]ActionID=0518000

[2009-08-14][20:21:36:953][2832][3264]: [ACTION]interval=4752000

[2009-08-14][20:21:36:984][2832][3264]: [ACTION][iNF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=2),Result=0x00000000

[2009-08-14][20:21:45:875][2832][3264]: [ACTION][iNF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=2),Result=0x00000000

 

 

 

E agora ( são 4 rootkits ) nós temos um novo companheiro o Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hooksys cfe. novo log do toolbar S&D abaixo :

 

 

 

-----------\\ ToolBar S&D 1.2.8 XP/Vista

 

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3

X86-based PC ( Uniprocessor Free : AMD Sempron 2400+ )

BIOS : Version 07.00T

USER : edsom luis ( Administrator )

BOOT : Normal boot

Antivirus : Trend Micro Internet Security 17.1.1171 (Not Activated)

Firewall : Trend Micro Personal Firewall 5.5 (Activated)

A:\ (USB)

C:\ (Local Disk) - FAT32 - Total:17 Go (Free:7 Go)

D:\ (Local Disk) - FAT32 - Total:59 Go (Free:39 Go)

E:\ (CD or DVD)

 

"D:\ToolBar SD" ( MAJ : 21-12-2008|20:47 )

Option : [2] ( 14/08/2009|22:16 )

 

-----------\\ Procura por Arquivos / Ficheiros ...

 

 

-----------\\ Extensions

 

(edsom luis) - {3112ca9c-de6d-4884-a869-9855de68056c} => google-toolbar

(edsom luis) - {991A772A-BA13-4c1d-A9EF-F897F31DEC7D} => megaupload

(edsom luis) - {3112ca9c-de6d-4884-a869-9855de68056c} => google-toolbar

 

 

-----------\\ [..\Internet Explorer\Main]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"SearchMigratedDefaultURL"="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8"

"Start Page"="http://www.msn.com"

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Default_Page_URL"="http://www.msn.com"

"First Home Page"="http://g.msn.com/1me10IE8ENUS/701"

"Url"="http://go.microsoft.com/fwlink/?LinkID=68928"

"Url"="http://go.microsoft.com/fwlink/?LinkID=44406"

"Url"="http://go.microsoft.com/fwlink/?LinkID=68929"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]

"Start Page"="http://www.msn.com/"

"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"

"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"

"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"

 

 

--------------------\\ Procurando por outras infecções

 

--------------------\\ ROOTKIT !!

 

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HOOKSYS]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HOOKSYS]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hooksys]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS]

 

 

 

 

1 - "D:\ToolBar SD\TB_1.txt" - 13/08/2009|20:16 - Option : [2]

2 - "D:\ToolBar SD\TB_2.txt" - qui 13/08/2009|22:58 - Option : [2]

3 - "D:\ToolBar SD\TB_3.txt" - 14/08/2009| 0:31 - Option : [2]

4 - "D:\ToolBar SD\TB_4.txt" - 14/08/2009|22:18 - Option : [2]

 

-----------\\ Verificação completa em 22:18:03,23

 

 

 

Grato e abraços .

[DigRam 144]

Boa Noite! EDSSX

 

<!> Desinstalou o Rising AV,utilizando o RevoUninstaller?

<><><><><><><><><><>

<@> Baixe,novamente,o ComboFix.exe --> Salve-o no desktop!

<@> Copie estas informações,entre os XXXXXXX....,para o Bloco de Notas.

<@> Salve-as,no desktop,como: CFScript <-- Texto!

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HOOKSYS]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HOOKSYS]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hooksys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS]

 

Driver::

"hooksys"

"LEGACY_HOOKSYS"

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<@> Reinicie em Modo de Segurança.

<@> Arraste o CFScript.txt,para o ícone do ComboFix.

<@> Arraste-o,até que surja uma solicitação para executar o ComboFix.exe.

<@> Terminando,poste: ComboFix.txt

 

Abraços!

[EDSSX 0]

Bom dia !

 

Sim removi com o revo .

 

 

Segue o log do combofix :

 

 

ComboFix 09-08-10.01 - edsom luis 14/08/2009 23:58.75.1 - FAT32x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.377 [GMT -3:00]

Executando de: d:\documents and settings\edsom luis\Desktop\ComboFix.exe

Comandos utilizados :: d:\documents and settings\edsom luis\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Rising Antivirus *On-access scanning disabled* (Outdated) {234E4A88-48FA-4220-A994-5323706FF524}

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

?

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_HOOKSYS

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-07-15 to 2009-08-15 ))))))))))))))))))))))))))))

.

 

2009-08-15 02:30 . 2009-08-15 02:30 -------- d-----w- D:\Lop SD

2009-08-15 00:59 . 2009-08-15 00:59 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Rising

2009-08-14 22:08 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0804.dll

2009-08-14 22:07 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0411.dll

2009-08-14 22:07 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0404.dll

2009-08-14 22:07 . 2009-08-14 22:07 -------- d-----w- d:\arquivos de programas\Rising

2009-08-14 19:47 . 2009-03-30 13:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys

2009-08-14 19:47 . 2009-02-13 15:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys

2009-08-14 19:47 . 2009-02-13 15:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys

2009-08-14 19:47 . 2009-08-14 19:47 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Avira

2009-08-14 19:43 . 2009-08-14 19:43 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-08-14 16:46 . 2009-05-07 07:04 157712 ----a-w- d:\windows\system32\drivers\tmcomm.sys

2009-08-14 01:51 . 2009-08-14 01:51 -------- d-----w- d:\documents and settings\Administrador

2009-08-13 23:10 . 2009-08-13 23:10 -------- d-----w- D:\ToolBar SD

2009-08-13 22:23 . 2009-08-13 22:23 -------- d-----w- D:\!KillBox

2009-08-13 18:48 . 2009-08-13 18:48 272 ----a-w- d:\windows\system32\drivers\sfi.dat

2009-08-13 15:32 . 2009-08-13 15:32 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Comodo

2009-08-13 13:00 . 2009-07-10 13:27 1315328 ------w- d:\windows\system32\dllcache\msoe.dll

2009-08-12 16:08 . 2009-08-12 16:08 -------- d-----w- d:\arquivos de programas\Lavalys

2009-08-09 02:14 . 2009-08-09 02:14 -------- d-----w- D:\f3e64e655c4cf5ea0969946e

2009-08-09 02:09 . 2009-08-09 02:09 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache

2009-08-05 09:00 . 2009-08-05 09:00 205312 ------w- d:\windows\system32\dllcache\mswebdvd.dll

2009-08-04 00:30 . 2009-08-04 00:30 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com

2009-08-04 00:29 . 2009-08-04 00:29 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\SUPERAntiSpyware.com

2009-08-01 22:20 . 2009-08-01 22:20 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Yahoo!

2009-07-31 18:51 . 2009-07-31 18:51 -------- d--h--w- d:\windows\PIF

2009-07-31 02:47 . 2009-07-31 02:47 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\iolo

2009-07-31 00:29 . 2009-07-31 00:29 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Download Manager

2009-07-30 17:07 . 2009-07-30 17:07 -------- d-----w- d:\windows\system32\CatRoot2

2009-07-27 17:28 . 2008-07-08 17:54 148496 ----a-w- d:\windows\system32\drivers\12878755.sys

2009-07-25 22:09 . 2009-07-25 22:09 -------- d-----r- d:\documents and settings\LocalService\Meus documentos

2009-07-24 16:11 . 2009-07-24 16:11 -------- d-----w- d:\windows\Sun

2009-07-24 03:01 . 2009-07-24 03:01 -------- d-----w- d:\documents and settings\All Users\Modelos

2009-07-24 00:20 . 2009-07-24 00:20 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Trend Micro

2009-07-23 15:10 . 2009-07-23 15:10 -------- d-----w- d:\arquivos de programas\blcorp

2009-07-21 23:37 . 2009-07-21 23:37 579072 ----a-w- d:\windows\system32\dllcache\user32.dll

2009-07-21 23:35 . 2009-07-21 23:35 -------- d-----w- d:\windows\ERUNT

2009-07-17 19:03 . 2009-07-17 19:03 58880 ------w- d:\windows\system32\dllcache\atl.dll

2009-07-16 11:14 . 2009-06-16 14:39 81920 ------w- d:\windows\system32\dllcache\fontsub.dll

2009-07-16 11:14 . 2009-06-16 14:39 119808 ------w- d:\windows\system32\dllcache\t2embed.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-15 02:55 . 2009-04-29 23:59 32 --sha-w- d:\windows\system32\drivers\fidbox.idx

2009-08-15 02:55 . 2009-04-29 23:59 32 --sha-w- d:\windows\system32\drivers\fidbox.dat

2009-08-12 14:44 . 2001-10-28 21:07 79022 ----a-w- d:\windows\system32\perfc016.dat

2009-08-12 14:44 . 2001-10-28 21:07 468108 ----a-w- d:\windows\system32\perfh016.dat

2009-08-05 09:00 . 2004-08-04 10:45 205312 ----a-w- d:\windows\system32\mswebdvd.dll

2009-07-28 19:33 . 2009-03-19 00:30 55656 ----a-w- d:\windows\system32\drivers\avgntflt.sys

2009-07-18 13:05 . 2008-11-12 18:12 208 ----a-w- d:\windows\system32\drivers\GbpKmAp.lst

2009-07-17 19:03 . 2004-08-04 10:45 58880 ----a-w- d:\windows\system32\atl.dll

2009-07-16 00:21 . 2009-06-21 23:42 3775176 ----a-w- d:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-13 16:36 . 2009-04-23 15:56 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 16:36 . 2009-04-23 15:56 19096 ----a-w- d:\windows\system32\drivers\mbam.sys

2009-07-12 15:21 . 2004-08-04 10:45 233472 ----a-w- d:\windows\system32\wmpdxm.dll

2009-07-03 16:59 . 2004-08-04 10:45 915456 ----a-w- d:\windows\system32\wininet.dll

2009-06-22 17:02 . 2009-06-22 17:01 -------- d-----w- d:\arquivos de programas\Gadwin Systems

2009-06-17 19:05 . 2009-06-17 19:05 -------- d-----w- d:\arquivos de programas\Mozilla Firefox 3.5 Preview

2009-06-16 14:39 . 2004-08-04 10:45 119808 ----a-w- d:\windows\system32\t2embed.dll

2009-06-16 14:39 . 2001-10-28 21:06 81920 ----a-w- d:\windows\system32\fontsub.dll

2009-06-15 10:44 . 2004-08-04 10:45 81408 ----a-w- d:\windows\system32\tlntsess.exe

2009-06-15 10:44 . 2004-08-04 10:45 77824 ----a-w- d:\windows\system32\telnet.exe

2009-06-12 03:43 . 2004-08-04 10:45 219648 ----a-w- d:\windows\system32\uxtheme.dll

2009-06-10 14:14 . 2004-08-04 10:45 85504 ----a-w- d:\windows\system32\avifil32.dll

2009-06-10 12:21 . 2007-09-19 13:40 2066432 ----a-w- d:\windows\system32\mstscax.dll

2009-06-10 06:15 . 2004-08-04 10:45 132096 ----a-w- d:\windows\system32\wkssvc.dll

2009-06-03 19:10 . 2004-08-04 10:45 1295872 ----a-w- d:\windows\system32\quartz.dll

2009-05-17 17:31 . 2009-05-17 17:31 15240 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Microsoft\IdentityCRL\PROD\ppcrlconfig.dll

2009-03-27 23:27 . 2009-03-27 23:27 2399 ----a-w- d:\arquivos de programas\Arquivos comuns\operadef6.ini

2009-02-26 14:04 . 2009-02-26 14:04 8250 ----a-w- d:\arquivos de programas\Arquivos comuns\license.rtf

2009-02-26 14:04 . 2009-02-26 14:04 234477 ----a-w- d:\arquivos de programas\Arquivos comuns\english.lng

2009-02-26 13:49 . 2009-02-26 13:49 3712000 ----a-w- d:\arquivos de programas\Arquivos comuns\opera.dll

2009-02-26 13:49 . 2009-02-26 13:49 20480 ----a-w- d:\arquivos de programas\Arquivos comuns\OUniAnsi.dll

2009-02-26 13:49 . 2009-02-26 13:49 653419 ----a-w- d:\arquivos de programas\Arquivos comuns\encoding.bin

2009-02-26 13:49 . 2009-02-26 13:49 99328 ----a-w- d:\arquivos de programas\Arquivos comuns\opera.exe

2009-01-07 16:52 . 2009-01-07 16:52 6809 ----a-w- d:\arquivos de programas\Arquivos comuns\license.txt

2008-09-03 17:12 . 2008-09-03 17:12 8470 ----a-w- d:\arquivos de programas\Arquivos comuns\search.ini

2008-06-09 13:17 . 2008-06-09 13:17 301 ----a-w- d:\arquivos de programas\Arquivos comuns\c3nform.vxml

2008-05-05 12:51 . 2008-05-05 12:51 3873 ----a-w- d:\arquivos de programas\Arquivos comuns\lngcode.txt

2004-02-26 16:35 . 2004-02-26 16:35 7904 ----a-w- d:\arquivos de programas\Arquivos comuns\html40_entities.dtd

2009-07-30 17:45 . 2009-02-27 15:11 122880 ----a-w- d:\arquivos de programas\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-03-08 17:09 . 2009-04-05 21:55 638816 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe

.

 

------- Sigcheck -------

 

[-] 2008-04-14 03:20 579072 A9B36030497E98C29210E4544700649D d:\windows\system32\user32.dll

[-] 2009-07-21 23:37 579072 A9B36030497E98C29210E4544700649D d:\windows\system32\dllcache\user32.dll

[7] 2007-03-08 15:36 578048 B5782EE6EAFE3C218236F79F1A27B747 d:\windows\$NtServicePackUninstall$\user32.dll

[-] 2008-04-14 03:20 579072 A9B36030497E98C29210E4544700649D d:\windows\ServicePackFiles\i386\user32.dll

[7] 2007-03-08 15:50 578560 F86D3E5C8FE13297E1C2D662F9E2D59D d:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

[7] 2005-03-02 18:20 577536 3ED0A4D74EFD5AAF8408095F452E2613 d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[7] 2008-04-14 03:20 579072 54907DB28872A7A6D3EE2B4747A23828 d:\windows\NiwradSoft Shell Pack\Backup\user32.dll

[7] 2004-08-04 10:45 577536 E0FF28447D1038DE106D1F2FDF851647 d:\windows\$NtUninstallKB890859$\user32.dll

[7] 2005-03-02 18:18 577536 7FFBCF1B94E6929DEECE06670C2407D6 d:\windows\$NtUninstallKB925902$\user32.dll

 

[-] 2008-04-14 03:21 549376 B0C0BF2504B830BFC1E93CA39F3C75FE d:\windows\system32\winlogon.exe

[7] 2004-08-04 10:45 504320 6F7BDE7A1126DEBF0CC359A54953EFC1 d:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 03:21 549376 B0C0BF2504B830BFC1E93CA39F3C75FE d:\windows\ServicePackFiles\i386\winlogon.exe

[7] 2008-04-14 03:21 509952 71D440F79B711627B12B567FB2EADB42 d:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe

 

[-] 2008-04-14 03:20 1542656 77F71BF6970EA10B4CC9AA1D45654AA0 d:\windows\explorer.exe

[7] 2007-06-13 13:21 1035264 DCCBF18E94D651393A3FFA060F88E0A0 d:\windows\$NtServicePackUninstall$\explorer.exe

[7] 2004-08-04 10:45 1034240 FA61A19050AE14BEC1A26DE82390DD65 d:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 03:20 1542656 77F71BF6970EA10B4CC9AA1D45654AA0 d:\windows\ServicePackFiles\i386\explorer.exe

[7] 2007-06-13 13:10 1035264 45D521506825A10B80833B4E9621CCF6 d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

[7] 2008-04-14 03:20 1035776 064EC7FF5F58B928C3E119402977FA6D d:\windows\NiwradSoft Shell Pack\Backup\explorer.exe

 

[-] 2008-04-14 03:20 40448 584450C5B2439571755D40444589C63D d:\windows\system32\ctfmon.exe

[7] 2004-08-04 10:45 15360 F40BC97996B8E53799EEF1D63996674B d:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 03:20 40448 584450C5B2439571755D40444589C63D d:\windows\ServicePackFiles\i386\ctfmon.exe

[7] 2008-04-14 03:20 15360 4E486ADFE3A0B9ED0EB0639902E9F64F d:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe

 

[-] 2008-04-14 03:20 1523712 3D762A3DE04DE62F1E4CCDF7CF2A66E1 d:\windows\system32\comres.dll

[7] 2004-08-04 10:45 821760 FB93B504600DA3EC407ED0252EEF97AB d:\windows\$NtServicePackUninstall$\comres.dll

[-] 2008-04-14 03:20 1523712 3D762A3DE04DE62F1E4CCDF7CF2A66E1 d:\windows\ServicePackFiles\i386\comres.dll

[7] 2008-04-14 03:20 821760 D3F8E8DBE93A80440CAC78B305B40A67 d:\windows\NiwradSoft Shell Pack\Backup\comres.dll

 

[-] 2008-04-14 03:20 643072 302CD5BE4CA48200F9AC1C6074D71805 d:\windows\system32\comctl32.dll

[7] 2008-04-14 03:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\InstallTemp\15449055\comctl32.dll

[7] 2008-04-13 22:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\InstallTemp\27228101\comctl32.dll

[7] 2004-08-04 10:44 1050624 3680CF24C64348BFDC89E290790398E7 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[7] 2001-10-28 21:06 921088 AEF3D788DBF40C7C4D204EA45EB0C505 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

[7] 2006-08-25 15:49 1054208 50141E3C168F02C3920891400CEC9FF4 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

[7] 2008-04-13 22:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[7] 2006-08-25 15:49 617472 873E9E5B23D206BE443ABD3CF597C2E8 d:\windows\$NtServicePackUninstall$\comctl32.dll

[-] 2008-04-14 03:20 643072 302CD5BE4CA48200F9AC1C6074D71805 d:\windows\ServicePackFiles\i386\comctl32.dll

[7] 2008-04-14 03:20 617472 085C5892D9C1E19B3CEFD1B79F5BBF13 d:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll

[7] 2004-08-04 10:45 611328 021631D9D0729D9E52300CCEACE4F054 d:\windows\$NtUninstallKB923191$\comctl32.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="d:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"Gadwin PrintScreen"="d:\arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Desktop Search"="d:\arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" [2009-07-30 30192]

"Adobe Reader Speed Launcher"="d:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"avgnt"="d:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRealMode"= 0 (0x0)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "d:\arquivos de programas\GBPLUGIN\gbiehcef.dll" [2009-03-27 264776]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]

2009-03-27 14:22 264776 ------w- d:\arquivos de programas\GbPlugin\gbiehcef.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\WINDOWS\\system32\\rtcshare.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Arquivos de programas\\Windows Live\\Messenger\\MSNMSGR.EXE"=

"d:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

 

R0 GbpKm;Gbp KernelMode;d:\windows\system32\drivers\GbpKm.sys [18/04/2009 21:46 26568]

R1 is-AP9JMdrv;is-AP9JMdrv;d:\windows\system32\drivers\12878755.sys [27/07/2009 14:28 148496]

R1 is-C4H53drv;is-C4H53drv;d:\windows\system32\drivers\70906987.sys [29/04/2009 21:02 148496]

R2 713xTVCard;SAA7131 TV Card;d:\windows\system32\drivers\SAA713x.sys [15/03/2005 12:00 277504]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [14/08/2009 16:47 108289]

R2 GbpSv;Gbp Service;d:\arquiv~1\GbPlugin\GbpSv.exe [18/06/2008 14:26 52808]

R2 ioloFileInfoList;iolo FileInfoList Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R2 ioloProductUpdate;iolo Product Update Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R2 ioloSystemService;iolo System Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R3 xpvcom;XPVCOM Port;d:\windows\system32\drivers\XPVCOM.sys [23/03/2007 02:00 30032]

S0 Lbd;Lbd;d:\windows\system32\DRIVERS\Lbd.sys --> d:\windows\system32\DRIVERS\Lbd.sys [?]

S3 GoogleDesktopManager-060409-093314;Gerenciador do Google Desktop 5.9.906.4286;d:\arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe [11/04/2009 15:38 30192]

S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [23/04/2009 12:56 38160]

S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [14/04/2009 19:51 30136]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2009-04-07 d:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet35002003-04-11 18:25N4BF150JQ9B.job

- d:\arquivos de programas\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 18:25]

 

2009-08-15 d:\windows\Tasks\User_Feed_Synchronization-{85870EB0-73F3-41E1-92DD-7C153C1F486E}.job

- d:\windows\system32\msfeedssync.exe [2007-08-13 07:31]

.

.

------- Scan Suplementar -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.msn.com

uLocal Page =

uDefault_Search_URL =

mWindow Title =

mLocal Page =

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: {{ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} -

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://portuguese.ircfast.com/pt/index.php?rvs=hompag

FF - prefs.js: keyword.URL - hxxp://br.search.yahoo.com/search?ei=ISO-8859-1&fr=megaup&p=

FF - component: d:\arquivos de programas\Mozilla Firefox 3.5 Preview\components\GoogleDesktopMozilla.dll

FF - component: d:\arquivos de programas\Mozilla Firefox 3.5 Preview\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

FF - plugin: d:\arquivos de programas\Microsoft\Office Live\npOLW.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\npdsplay.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\NPSWF32.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\npwmsdrm.dll

FF - plugin: d:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

 

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-connections-per-server - 6

FF - user.js: network.http.max-persistent-connections-per-server - 3

FF - user.js: nglayout.initialpaint.delay - 750

FF - user.js: content.notify.interval - 750000

FF - user.js: content.max.tokenizing.time - 2250000

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.enforce_same_site_origin", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.cache_size", 51200);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.ogg.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.wave.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.autoplay.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("dom.storage.default_quota", 5120);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("layout.css.dpi", -1);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("geo.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-15 00:06

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(644)

d:\windows\system32\SETUPAPI.dll

d:\windows\system32\sfc_os.dll

d:\arquivos de programas\GBPLUGIN\gbiehcef.dll

d:\windows\system32\COMRes.dll

d:\windows\system32\cscui.dll

 

- - - - - - - > 'lsass.exe'(700)

d:\windows\system32\SETUPAPI.dll

d:\windows\system32\psbase.dll

 

- - - - - - - > 'explorer.exe'(2280)

d:\windows\system32\WININET.dll

d:\arquivos de programas\GBPLUGIN\gbiehcef.dll

d:\windows\system32\COMRes.dll

d:\windows\System32\cscui.dll

d:\windows\system32\ntshrui.dll

d:\windows\system32\msi.dll

d:\windows\system32\LINKINFO.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\SETUPAPI.dll

d:\windows\system32\WPDShServiceObj.dll

d:\windows\system32\NETSHELL.dll

d:\windows\system32\credui.dll

d:\windows\system32\PortableDeviceTypes.dll

d:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

d:\arquivos de programas\GBPLUGIN\GBPSV.EXE

d:\arquivos de programas\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE

d:\arquivos de programas\JAVA\JRE6\BIN\JQS.EXE

d:\arquivos de programas\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

d:\arquivos de programas\MICROSOFT\SEARCH ENHANCEMENT PACK\SEAPORT\SEAPORT.EXE

.

**************************************************************************

.

Tempo para conclusão: 2009-08-15 0:10 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-08-15 03:09

ComboFix2.txt 2009-08-12 15:08

ComboFix3.txt 2009-08-10 18:22

ComboFix4.txt 2009-08-10 18:04

 

Pré-execução: 13 pasta(s) 42.973.921.280 bytes disponíveis

Pós execução: 13 pasta(s) 42.427.056.128 bytes disponíveis

 

322 --- E O F --- 2009-08-14 03:01

 

 

 

 

Obrigado e abraços .

[DigRam 144]

Bom Dia! EDSSX

 

<!> No intuito de detectar programas corrompidos,baixe FindyKill.

<><><><><><><><><>

<@> Baixe: < FindyKill > ( ...par Chiquitine29 )

<@> Salve-a em Arquivos de Programas!

<@> Feche programas que estejam abertos.

<@> Desabilite a proteção residente de antivírus e antispywares.

<@> Ps: A detecção dessa ferramenta,por antivírus,é um falso positivo!

<@> Instale a ferramenta,e aceite todas as condições pedidas.

<@> Terminando;execute a ferramenta com um duplo-clique,em: C:\Arquivos de Programas\FindyKill\FindyKill.bat

<@> No prompt,aperte o P. --> Enter. <-- Opções das linguas!

<@> À seguir,aperte o 2. ( "Eliminar los ficheros infectados" )

<@> Aperte Enter --> O computador vai reiniciar,por duas vezes! --> Aguarde!

<@> Terminando,clique em uma área vazia do prompt! --> Aperte Enter.

<@> Abrir-se-à o Bloco de Notas,com o relatório: D:\FindyKill.txt <-- Rapport!

 

Abraços!

[EDSSX 0]

Boa Tarde !

 

 

Segue log do FindyKill :

 

 

 

############################## | FindyKill V5.006 |

 

# User : edsom luis (Administradores) # EDIM

# Update on 14/08/09 by Chiquitine29

# Start at: 11:29:02 | 15/08/2009

# Website : http://pagesperso-orange.fr/NosTools/index.html

 

# AMD Sempron 2400+

# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3

# Internet Explorer 8.0.6001.18702

# Windows Firewall Status : Enabled

# AV : Rising Antivirus [ (!) Disabled | (!) Outdated ]

# AV : AntiVir Desktop 9.0.1.32 [ Enabled | Updated ]

# AV : Trend Micro Internet Security 17.1.1171 [ (!) Disabled | Updated ]

# FW : Trend Micro Personal Firewall[ Enabled ]5.5

 

# A:\ # Unidade de disquete de 3 1/2 polegadas

# C:\ # Disco fixo local # 17,28 Go (7,49 Go free) # FAT32

# D:\ # Disco fixo local # 59 Go (39,53 Go free) # FAT32

# E:\ # Disco CD-ROM

 

############################## | Processos ativos |

 

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\ARQUIV~1\GbPlugin\GbpSv.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\logonui.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

D:\WINDOWS\System32\svchost.exe

D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

D:\Arquivos de programas\Java\jre6\bin\jqs.exe

D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\WINDOWS\System32\alg.exe

D:\WINDOWS\system32\wbem\wmiprvse.exe

D:\WINDOWS\system32\rundll32.exe

 

################## | D: |

 

 

################## | D:\WINDOWS |

 

 

################## | D:\WINDOWS\system32 |

 

 

################## | D:\WINDOWS\system32\drivers |

 

 

################## | D:\Documents and Settings\edsom luis\Dados de aplicativos |

 

 

################## | Outros ... |

 

 

################## | Temporary Internet Files |

 

 

################## | Registro / Chaves infeciosas |

 

 

################## | Estado / Serviços / Informações |

 

# Safe mode : OK

 

 

# Affichagem dos arquivos ocultos : OK

 

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )

# EapHost -> Start = 2 ( Good = 2 | Bad = 4 )

# Ip6Fw -> Start = 2 ( Good = 2 | Bad = 4 )

# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )

# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )

# wscsvc -> Start = 2 ( Good = 2 | Bad = 4 )

 

# Presente ! C:\autorun.inf ( # Not infected ) -> Folder created by Flash_Disinfector.

# Presente ! D:\autorun.inf ( # Not infected ) -> Folder created by Flash_Disinfector.

 

################## | PEH ... |

 

 

################## | Cracks / Keygens / Serials |

 

"D:\Documents and Settings\edsom luis\Meus documentos\Arquivos de programas\Arquivos comuns\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\"patchjre.exe""

22/02/2008 04:41 |Size 5596520 |Crc32 29d6c2f0 |Md5 e12a955a32acf7dfba0139b26e6405ac

 

"D:\Documents and Settings\edsom luis\Meus documentos\Arquivos de programas\Arquivos comuns\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\"zipper.exe""

22/02/2008 04:40 |Size 20480 |Crc32 e5036695 |Md5 044ba60ccf8c4aec996bb335ba699b5d

 

"D:\Documents and Settings\edsom luis\Meus documentos\Arquivos de programas\Arquivos comuns\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\"launcher.exe""

22/02/2008 04:41 |Size 3584 |Crc32 d748ac3a |Md5 2e29ad60d99ef43d9898b155af017279

 

"D:\Documents and Settings\All Users\Documentos\Component\Patch\223\"TISPthTl.exe""

23/07/2009 21:18 |Size 249808 |Crc32 64d851b0 |Md5 ff7fe7e8626050099c7c7f10fd53300b

 

 

################## | ! Fim do relatório # FindyKill V5.006 ! |

 

 

 

Grato e abraços .

[DigRam 144]

Boa Tarde! EDSSX

 

<!> O relatório FindyKill.txt,mostrou bons resultados,para funções importantes.

<!> Voçê,no passado,teve alguns serviços virtuais malwares e que,de suspeitos,foram mostrados por esse relatório no Linha Defensiva.

< Link >

<!> Talvez não mais existam pois,na época,deveriam ter sido aplicadas remoções pelo scripts do ComboFix. Mas...por cautela,aplicarei a prevenção.

<><><><><><><><><><><>

<@> Selecione e copie,todo o conteúdo que está na área do Quote,para o Bloco de Notas.

<@> Salve-o,no Desktop,com o nome: CFScript.txt

 

File::

d:\windows\system32\drivers\hookcont.sys

d:\windows\system32\drivers\rsntgdi.sys

d:\arquivos de programas\rising\ris\rsfwdrv.sys

d:\arquivos de programas\rising\ris\rfwtdi.sys

d:\arquivos de programas\rising\ris\ccenter.exe

d:\arquivos de programas\rising\ris\ravtask.exe

d:\arquivos de programas\rising\ris\proccomm.dll

d:\arquivos de programas\rising\ris\rsconf.dll

d:\arquivos de programas\rising\ris\combase.dll

d:\arquivos de programas\rising\ris\rsappmgr.dll

d:\arquivos de programas\rising\ris\cfgdll.dll

d:\arquivos de programas\rising\ris\cnt09.dll

d:\arquivos de programas\rising\ris\cnt08.dll

d:\arquivos de programas\rising\ris\rstask.dll

d:\arquivos de programas\rising\ris\rsstub.dll

d:\arquivos de programas\Rising\ris\ravmond.exe

d:\windows\system32\ravext.dll

d:\windows\system32\ravtel.exe

d:\windows\system32\lkvfn.dll

Folder::

d:\arquivos de programas\rising\ris

d:\arquivos de programas\rising

NetSvc::

"hmebrzs"

"znfsio"

Driver::

"znfsio"

"hmebrzs"

"rfwbase"

"rfwtdi"

"rsfwdrv"

"rsntgdi"

"hookcont"

"hooksys"

Registry::

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hmebrzs]

"ServiceDll"=-

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\znfsio]

"ServiceDll"=-

<@> Ps: Não utilizem este script em outra máquina!

<@> Arraste,o CFScript.txt para o ícone/interior do ComboFix.

<@> Veja a demonstração!

 

 

<@> Atenda à solicitação,que deverá surgir,para rodar o ComboFix.

<@> Ps: Faça o arraste,até surgir essa solicitação! ( janela )

<@> Terminando,poste os relatórios: C:\ComboFix.txt + HijackThis,atualizado.

 

Abraços!

[EDSSX 0]

Boa Tarde !

 

Segue log do combofix:

 

ComboFix 09-08-10.06 - edsom luis 15/08/2009 14:21.77.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.197 [GMT -3:00]

Executando de: d:\documents and settings\edsom luis\Desktop\ComboFix.exe

Comandos utilizados :: d:\documents and settings\edsom luis\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Rising Antivirus *On-access scanning disabled* (Outdated) {234E4A88-48FA-4220-A994-5323706FF524}

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

 

FILE ::

"d:\arquivos de programas\rising\ris\ccenter.exe"

"d:\arquivos de programas\rising\ris\cfgdll.dll"

"d:\arquivos de programas\rising\ris\cnt08.dll"

"d:\arquivos de programas\rising\ris\cnt09.dll"

"d:\arquivos de programas\rising\ris\combase.dll"

"d:\arquivos de programas\rising\ris\proccomm.dll"

"d:\arquivos de programas\Rising\ris\ravmond.exe"

"d:\arquivos de programas\rising\ris\ravtask.exe"

"d:\arquivos de programas\rising\ris\rfwtdi.sys"

"d:\arquivos de programas\rising\ris\rsappmgr.dll"

"d:\arquivos de programas\rising\ris\rsconf.dll"

"d:\arquivos de programas\rising\ris\rsfwdrv.sys"

"d:\arquivos de programas\rising\ris\rsstub.dll"

"d:\arquivos de programas\rising\ris\rstask.dll"

"d:\windows\system32\drivers\hookcont.sys"

"d:\windows\system32\drivers\rsntgdi.sys"

"d:\windows\system32\lkvfn.dll"

"d:\windows\system32\ravext.dll"

"d:\windows\system32\ravtel.exe"

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

.?

.

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_HOOKCONT

-------\Service_hmebrzs

-------\Service_znfsio

-------\Service_hmebrzs

-------\Service_znfsio

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-07-15 to 2009-08-15 ))))))))))))))))))))))))))))

.

 

2009-08-15 15:33 . 2009-07-27 03:52 243200 ------w- d:\windows\system32\drivers\cohhgmca.sys

2009-08-15 14:21 . 2009-08-15 14:22 -------- d-----w- D:\FindyKill

2009-08-15 02:30 . 2009-08-15 02:30 -------- d-----w- D:\Lop SD

2009-08-15 00:59 . 2009-08-15 00:59 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Rising

2009-08-14 22:08 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0804.dll

2009-08-14 22:07 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0411.dll

2009-08-14 22:07 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0404.dll

2009-08-14 19:47 . 2009-03-30 13:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys

2009-08-14 19:47 . 2009-02-13 15:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys

2009-08-14 19:47 . 2009-02-13 15:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys

2009-08-14 19:47 . 2009-08-14 19:47 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Avira

2009-08-14 19:43 . 2009-08-14 19:43 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-08-14 16:46 . 2009-05-07 07:04 157712 ----a-w- d:\windows\system32\drivers\tmcomm.sys

2009-08-14 01:56 . 2009-08-14 01:56 -------- d-sh--w- d:\documents and settings\Administrador\IETldCache

2009-08-14 01:56 . 2009-08-14 01:56 -------- d-----r- d:\documents and settings\Administrador\Meus documentos

2009-08-14 01:51 . 2009-08-14 01:51 -------- d-----r- d:\documents and settings\Administrador\Favoritos

2009-08-14 01:51 . 2007-09-19 13:33 -------- d--h--w- d:\documents and settings\Administrador\Modelos

2009-08-14 01:51 . 2007-09-19 13:33 -------- d--h--w- d:\documents and settings\Administrador\Configurações locais

2009-08-14 01:51 . 2007-09-19 13:33 -------- d--h--r- d:\documents and settings\Administrador\Dados de aplicativos

2009-08-14 01:51 . 2007-09-19 13:33 -------- d-----r- d:\documents and settings\Administrador\Menu Iniciar

2009-08-14 01:51 . 2009-08-14 01:51 -------- d-----w- d:\documents and settings\Administrador

2009-08-13 23:10 . 2009-08-13 23:10 -------- d-----w- D:\ToolBar SD

2009-08-13 22:23 . 2009-08-13 22:23 -------- d-----w- D:\!KillBox

2009-08-13 18:48 . 2009-08-13 18:48 272 ----a-w- d:\windows\system32\drivers\sfi.dat

2009-08-13 15:32 . 2009-08-13 15:32 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Comodo

2009-08-13 13:00 . 2009-07-10 13:27 1315328 ------w- d:\windows\system32\dllcache\msoe.dll

2009-08-12 16:08 . 2009-08-12 16:08 -------- d-----w- d:\arquivos de programas\Lavalys

2009-08-09 02:14 . 2009-08-09 02:14 -------- d-----w- D:\f3e64e655c4cf5ea0969946e

2009-08-09 02:09 . 2009-08-09 02:09 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache

2009-08-05 09:00 . 2009-08-05 09:00 205312 ------w- d:\windows\system32\dllcache\mswebdvd.dll

2009-08-04 00:30 . 2009-08-04 00:30 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com

2009-08-04 00:29 . 2009-08-04 00:29 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\SUPERAntiSpyware.com

2009-08-01 22:20 . 2009-08-01 22:20 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Yahoo!

2009-07-31 18:51 . 2009-07-31 18:51 -------- d--h--w- d:\windows\PIF

2009-07-31 02:47 . 2009-07-31 02:47 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\iolo

2009-07-31 00:29 . 2009-07-31 00:29 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Download Manager

2009-07-30 17:07 . 2009-07-30 17:07 -------- d-----w- d:\windows\system32\CatRoot2

2009-07-27 17:28 . 2008-07-08 17:54 148496 ----a-w- d:\windows\system32\drivers\12878755.sys

2009-07-27 03:52 . 2009-07-27 03:52 95744 ----a-w- d:\windows\system32\mdhook.dll

2009-07-25 22:09 . 2009-07-25 22:09 -------- d-----r- d:\documents and settings\LocalService\Meus documentos

2009-07-24 16:11 . 2009-07-24 16:11 -------- d-----w- d:\windows\Sun

2009-07-24 03:01 . 2009-07-24 03:01 -------- d-----w- d:\documents and settings\All Users\Modelos

2009-07-24 00:20 . 2009-07-24 00:20 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Trend Micro

2009-07-23 15:10 . 2009-07-23 15:10 -------- d-----w- d:\arquivos de programas\blcorp

2009-07-21 23:37 . 2009-07-21 23:37 579072 ----a-w- d:\windows\system32\dllcache\user32.dll

2009-07-21 23:35 . 2009-07-21 23:35 -------- d-----w- d:\windows\ERUNT

2009-07-17 19:03 . 2009-07-17 19:03 58880 ------w- d:\windows\system32\dllcache\atl.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-15 17:28 . 2009-04-29 23:59 32 --sha-w- d:\windows\system32\drivers\fidbox.idx

2009-08-15 17:28 . 2009-04-29 23:59 32 --sha-w- d:\windows\system32\drivers\fidbox.dat

2009-08-12 14:44 . 2001-10-28 21:07 79022 ----a-w- d:\windows\system32\perfc016.dat

2009-08-12 14:44 . 2001-10-28 21:07 468108 ----a-w- d:\windows\system32\perfh016.dat

2009-08-05 09:00 . 2004-08-04 10:45 205312 ----a-w- d:\windows\system32\mswebdvd.dll

2009-07-28 19:33 . 2009-03-19 00:30 55656 ----a-w- d:\windows\system32\drivers\avgntflt.sys

2009-07-18 13:05 . 2008-11-12 18:12 208 ----a-w- d:\windows\system32\drivers\GbpKmAp.lst

2009-07-17 19:03 . 2004-08-04 10:45 58880 ----a-w- d:\windows\system32\atl.dll

2009-07-16 00:21 . 2009-06-21 23:42 3775176 ----a-w- d:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-13 16:36 . 2009-04-23 15:56 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 16:36 . 2009-04-23 15:56 19096 ----a-w- d:\windows\system32\drivers\mbam.sys

2009-07-12 15:21 . 2004-08-04 10:45 233472 ----a-w- d:\windows\system32\wmpdxm.dll

2009-07-03 16:59 . 2004-08-04 10:45 915456 ----a-w- d:\windows\system32\wininet.dll

2009-06-22 17:02 . 2009-06-22 17:01 -------- d-----w- d:\arquivos de programas\Gadwin Systems

2009-06-17 19:05 . 2009-06-17 19:05 -------- d-----w- d:\arquivos de programas\Mozilla Firefox 3.5 Preview

2009-06-16 14:39 . 2004-08-04 10:45 119808 ----a-w- d:\windows\system32\t2embed.dll

2009-06-16 14:39 . 2001-10-28 21:06 81920 ----a-w- d:\windows\system32\fontsub.dll

2009-06-15 10:44 . 2004-08-04 10:45 81408 ----a-w- d:\windows\system32\tlntsess.exe

2009-06-15 10:44 . 2004-08-04 10:45 77824 ----a-w- d:\windows\system32\telnet.exe

2009-06-12 03:43 . 2004-08-04 10:45 219648 ----a-w- d:\windows\system32\uxtheme.dll

2009-06-10 14:14 . 2004-08-04 10:45 85504 ----a-w- d:\windows\system32\avifil32.dll

2009-06-10 12:21 . 2007-09-19 13:40 2066432 ----a-w- d:\windows\system32\mstscax.dll

2009-06-10 06:15 . 2004-08-04 10:45 132096 ----a-w- d:\windows\system32\wkssvc.dll

2009-06-03 19:10 . 2004-08-04 10:45 1295872 ----a-w- d:\windows\system32\quartz.dll

2009-03-27 23:27 . 2009-03-27 23:27 2399 ----a-w- d:\arquivos de programas\Arquivos comuns\operadef6.ini

2009-02-26 14:04 . 2009-02-26 14:04 8250 ----a-w- d:\arquivos de programas\Arquivos comuns\license.rtf

2009-02-26 14:04 . 2009-02-26 14:04 234477 ----a-w- d:\arquivos de programas\Arquivos comuns\english.lng

2009-02-26 13:49 . 2009-02-26 13:49 3712000 ----a-w- d:\arquivos de programas\Arquivos comuns\opera.dll

2009-02-26 13:49 . 2009-02-26 13:49 20480 ----a-w- d:\arquivos de programas\Arquivos comuns\OUniAnsi.dll

2009-02-26 13:49 . 2009-02-26 13:49 653419 ----a-w- d:\arquivos de programas\Arquivos comuns\encoding.bin

2009-02-26 13:49 . 2009-02-26 13:49 99328 ----a-w- d:\arquivos de programas\Arquivos comuns\opera.exe

2009-01-07 16:52 . 2009-01-07 16:52 6809 ----a-w- d:\arquivos de programas\Arquivos comuns\license.txt

2008-09-03 17:12 . 2008-09-03 17:12 8470 ----a-w- d:\arquivos de programas\Arquivos comuns\search.ini

2008-06-09 13:17 . 2008-06-09 13:17 301 ----a-w- d:\arquivos de programas\Arquivos comuns\c3nform.vxml

2008-05-05 12:51 . 2008-05-05 12:51 3873 ----a-w- d:\arquivos de programas\Arquivos comuns\lngcode.txt

2004-02-26 16:35 . 2004-02-26 16:35 7904 ----a-w- d:\arquivos de programas\Arquivos comuns\html40_entities.dtd

2009-07-30 17:45 . 2009-02-27 15:11 122880 ----a-w- d:\arquivos de programas\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-03-08 17:09 . 2009-04-05 21:55 638816 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe

.

 

------- Sigcheck -------

 

[-] 2008-04-14 03:20 579072 A9B36030497E98C29210E4544700649D d:\windows\system32\user32.dll

[-] 2009-07-21 23:37 579072 A9B36030497E98C29210E4544700649D d:\windows\system32\dllcache\user32.dll

[7] 2007-03-08 15:36 578048 B5782EE6EAFE3C218236F79F1A27B747 d:\windows\$NtServicePackUninstall$\user32.dll

[-] 2008-04-14 03:20 579072 A9B36030497E98C29210E4544700649D d:\windows\ServicePackFiles\i386\user32.dll

[7] 2007-03-08 15:50 578560 F86D3E5C8FE13297E1C2D662F9E2D59D d:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

[7] 2005-03-02 18:20 577536 3ED0A4D74EFD5AAF8408095F452E2613 d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[7] 2008-04-14 03:20 579072 54907DB28872A7A6D3EE2B4747A23828 d:\windows\NiwradSoft Shell Pack\Backup\user32.dll

[7] 2004-08-04 10:45 577536 E0FF28447D1038DE106D1F2FDF851647 d:\windows\$NtUninstallKB890859$\user32.dll

[7] 2005-03-02 18:18 577536 7FFBCF1B94E6929DEECE06670C2407D6 d:\windows\$NtUninstallKB925902$\user32.dll

 

[-] 2008-04-14 03:21 549376 B0C0BF2504B830BFC1E93CA39F3C75FE d:\windows\system32\winlogon.exe

[7] 2004-08-04 10:45 504320 6F7BDE7A1126DEBF0CC359A54953EFC1 d:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 03:21 549376 B0C0BF2504B830BFC1E93CA39F3C75FE d:\windows\ServicePackFiles\i386\winlogon.exe

[7] 2008-04-14 03:21 509952 71D440F79B711627B12B567FB2EADB42 d:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe

 

[-] 2008-04-14 03:20 1542656 77F71BF6970EA10B4CC9AA1D45654AA0 d:\windows\explorer.exe

[7] 2007-06-13 13:21 1035264 DCCBF18E94D651393A3FFA060F88E0A0 d:\windows\$NtServicePackUninstall$\explorer.exe

[7] 2004-08-04 10:45 1034240 FA61A19050AE14BEC1A26DE82390DD65 d:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 03:20 1542656 77F71BF6970EA10B4CC9AA1D45654AA0 d:\windows\ServicePackFiles\i386\explorer.exe

[7] 2007-06-13 13:10 1035264 45D521506825A10B80833B4E9621CCF6 d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

[7] 2008-04-14 03:20 1035776 064EC7FF5F58B928C3E119402977FA6D d:\windows\NiwradSoft Shell Pack\Backup\explorer.exe

 

[-] 2008-04-14 03:20 40448 584450C5B2439571755D40444589C63D d:\windows\system32\ctfmon.exe

[7] 2004-08-04 10:45 15360 F40BC97996B8E53799EEF1D63996674B d:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 03:20 40448 584450C5B2439571755D40444589C63D d:\windows\ServicePackFiles\i386\ctfmon.exe

[7] 2008-04-14 03:20 15360 4E486ADFE3A0B9ED0EB0639902E9F64F d:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe

 

[-] 2008-04-14 03:20 1523712 3D762A3DE04DE62F1E4CCDF7CF2A66E1 d:\windows\system32\comres.dll

[7] 2004-08-04 10:45 821760 FB93B504600DA3EC407ED0252EEF97AB d:\windows\$NtServicePackUninstall$\comres.dll

[-] 2008-04-14 03:20 1523712 3D762A3DE04DE62F1E4CCDF7CF2A66E1 d:\windows\ServicePackFiles\i386\comres.dll

[7] 2008-04-14 03:20 821760 D3F8E8DBE93A80440CAC78B305B40A67 d:\windows\NiwradSoft Shell Pack\Backup\comres.dll

 

[-] 2008-04-14 03:20 643072 302CD5BE4CA48200F9AC1C6074D71805 d:\windows\system32\comctl32.dll

[7] 2008-04-14 03:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\InstallTemp\15449055\comctl32.dll

[7] 2008-04-13 22:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\InstallTemp\27228101\comctl32.dll

[7] 2004-08-04 10:44 1050624 3680CF24C64348BFDC89E290790398E7 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[7] 2001-10-28 21:06 921088 AEF3D788DBF40C7C4D204EA45EB0C505 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

[7] 2006-08-25 15:49 1054208 50141E3C168F02C3920891400CEC9FF4 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

[7] 2008-04-13 22:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[7] 2006-08-25 15:49 617472 873E9E5B23D206BE443ABD3CF597C2E8 d:\windows\$NtServicePackUninstall$\comctl32.dll

[-] 2008-04-14 03:20 643072 302CD5BE4CA48200F9AC1C6074D71805 d:\windows\ServicePackFiles\i386\comctl32.dll

[7] 2008-04-14 03:20 617472 085C5892D9C1E19B3CEFD1B79F5BBF13 d:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll

[7] 2004-08-04 10:45 611328 021631D9D0729D9E52300CCEACE4F054 d:\windows\$NtUninstallKB923191$\comctl32.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-15_03.06.11 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-15 17:29 . 2009-08-15 17:29 16384 d:\windows\temp\Perflib_Perfdata_448.dat

+ 2009-08-15 17:27 . 2009-08-15 17:27 8192 d:\windows\ERDNT\subs\Users\00000004\UsrClass.dat

+ 2009-08-15 17:27 . 2009-08-15 17:27 8192 d:\windows\ERDNT\subs\Users\00000002\UsrClass.dat

- 2009-08-15 03:03 . 2009-08-15 03:03 8192 d:\windows\ERDNT\subs\Users\00000002\UsrClass.dat

+ 2009-08-15 17:27 . 2009-08-15 17:27 208896 d:\windows\ERDNT\subs\Users\00000006\UsrClass.dat

+ 2009-08-15 17:27 . 2009-08-15 17:27 233472 d:\windows\ERDNT\subs\Users\00000003\ntuser.dat

+ 2009-08-15 17:27 . 2009-08-15 17:27 229376 d:\windows\ERDNT\subs\Users\00000001\ntuser.dat

- 2009-08-15 03:03 . 2009-08-15 03:03 229376 d:\windows\ERDNT\subs\Users\00000001\ntuser.dat

+ 2009-08-15 17:27 . 2009-08-15 17:27 10084352 d:\windows\ERDNT\subs\Users\00000005\ntuser.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="d:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"Gadwin PrintScreen"="d:\arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Desktop Search"="d:\arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" [2009-07-30 30192]

"Adobe Reader Speed Launcher"="d:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"avgnt"="d:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRealMode"= 0 (0x0)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "d:\arquivos de programas\GBPLUGIN\gbiehcef.dll" [2009-03-27 264776]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]

2009-03-27 14:22 264776 ------w- d:\arquivos de programas\GbPlugin\gbiehcef.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\WINDOWS\\system32\\rtcshare.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Arquivos de programas\\Windows Live\\Messenger\\MSNMSGR.EXE"=

"d:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

 

R0 GbpKm;Gbp KernelMode;d:\windows\system32\drivers\GbpKm.sys [18/04/2009 21:46 26568]

R1 cohhgmca;cohhgmca;d:\windows\system32\drivers\cohhgmca.sys [15/08/2009 12:33 243200]

R1 is-AP9JMdrv;is-AP9JMdrv;d:\windows\system32\drivers\12878755.sys [27/07/2009 14:28 148496]

R1 is-C4H53drv;is-C4H53drv;d:\windows\system32\drivers\70906987.sys [29/04/2009 21:02 148496]

R2 713xTVCard;SAA7131 TV Card;d:\windows\system32\drivers\SAA713x.sys [15/03/2005 12:00 277504]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [14/08/2009 16:47 108289]

R2 GbpSv;Gbp Service;d:\arquiv~1\GbPlugin\GbpSv.exe [18/06/2008 14:26 52808]

R2 ioloFileInfoList;iolo FileInfoList Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R2 ioloProductUpdate;iolo Product Update Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R2 ioloSystemService;iolo System Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R3 xpvcom;XPVCOM Port;d:\windows\system32\drivers\XPVCOM.sys [23/03/2007 02:00 30032]

S0 Lbd;Lbd;d:\windows\system32\DRIVERS\Lbd.sys --> d:\windows\system32\DRIVERS\Lbd.sys [?]

S3 GoogleDesktopManager-060409-093314;Gerenciador do Google Desktop 5.9.906.4286;d:\arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe [11/04/2009 15:38 30192]

S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [23/04/2009 12:56 38160]

S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [14/04/2009 19:51 30136]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2009-04-07 d:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet35002003-04-11 18:25N4BF150JQ9B.job

- d:\arquivos de programas\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 18:25]

 

2009-08-15 d:\windows\Tasks\User_Feed_Synchronization-{85870EB0-73F3-41E1-92DD-7C153C1F486E}.job

- d:\windows\system32\msfeedssync.exe [2007-08-13 07:31]

.

.

------- Scan Suplementar -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.msn.com

uLocal Page =

uDefault_Search_URL =

mWindow Title =

mLocal Page =

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: {{ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} -

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://portuguese.ircfast.com/pt/index.php?rvs=hompag

FF - prefs.js: keyword.URL - hxxp://br.search.yahoo.com/search?ei=ISO-8859-1&fr=megaup&p=

FF - component: d:\arquivos de programas\Mozilla Firefox 3.5 Preview\components\GoogleDesktopMozilla.dll

FF - component: d:\arquivos de programas\Mozilla Firefox 3.5 Preview\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

FF - plugin: d:\arquivos de programas\Microsoft\Office Live\npOLW.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\npdsplay.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\NPSWF32.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\npwmsdrm.dll

FF - plugin: d:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

 

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-connections-per-server - 6

FF - user.js: network.http.max-persistent-connections-per-server - 3

FF - user.js: nglayout.initialpaint.delay - 750

FF - user.js: content.notify.interval - 750000

FF - user.js: content.max.tokenizing.time - 2250000

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.enforce_same_site_origin", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.cache_size", 51200);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.ogg.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.wave.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.autoplay.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("dom.storage.default_quota", 5120);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("layout.css.dpi", -1);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("geo.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-15 14:30

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(644)

d:\windows\system32\mdhook.dll

d:\windows\system32\SETUPAPI.dll

d:\windows\system32\sfc_os.dll

d:\arquivos de programas\GBPLUGIN\gbiehcef.dll

d:\windows\system32\COMRes.dll

d:\windows\system32\cscui.dll

 

- - - - - - - > 'lsass.exe'(700)

d:\windows\system32\mdhook.dll

d:\windows\system32\setupapi.dll

d:\windows\system32\psbase.dll

 

- - - - - - - > 'explorer.exe'(2780)

d:\windows\system32\WININET.dll

d:\windows\system32\COMRes.dll

d:\windows\System32\cscui.dll

d:\windows\system32\ntshrui.dll

d:\arquivos de programas\GBPLUGIN\gbiehcef.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\msi.dll

d:\windows\system32\SETUPAPI.dll

d:\windows\system32\WPDShServiceObj.dll

d:\windows\system32\LINKINFO.dll

d:\windows\system32\NETSHELL.dll

d:\windows\system32\credui.dll

d:\windows\system32\PortableDeviceTypes.dll

d:\windows\system32\PortableDeviceApi.dll

 

- - - - - - - > 'csrss.exe'(620)

.

.

------------------------ Outros Processos em Execução ------------------------

.

d:\arquivos de programas\GBPLUGIN\GBPSV.EXE

d:\arquivos de programas\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE

d:\arquivos de programas\JAVA\JRE6\BIN\JQS.EXE

d:\arquivos de programas\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

d:\arquivos de programas\MICROSOFT\SEARCH ENHANCEMENT PACK\SEAPORT\SEAPORT.EXE

.

**************************************************************************

.

Tempo para conclusão: 2009-08-15 14:35 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-08-15 17:35

ComboFix4.txt 2009-08-14 23:58

ComboFix5.txt 2009-08-15 14:59

 

Pré-execução: 14 pasta(s) 42.420.502.528 bytes disponíveis

Pós execução: 14 pasta(s) 42.407.690.240 bytes disponíveis

 

377 --- E O F --- 2009-08-14 03:01

 

 

 

Segue novo log do :

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:24:16, on 15/08/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\ARQUIV~1\GbPlugin\GbpSv.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

D:\WINDOWS\System32\svchost.exe

D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

D:\Arquivos de programas\Java\jre6\bin\jqs.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe

D:\WINDOWS\system32\wuauclt.exe

D:\WINDOWS\explorer.exe

D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe

D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para antivir_rootkit(2).zip\avirarkd.exe

D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\vezsbdiz.exe

D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para HiJackThis(3).zip\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://g.msn.com/1me10IE8ENUS/701

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll

O4 - HKLM\..\Run: [Google Desktop Search] "D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [msnmsgr] "D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Gadwin PrintScreen] D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O20 - Winlogon Notify: GbPluginCef - D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Gbp Service (GbpSv) - - D:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Gerenciador do Google Desktop 5.9.906.4286 (GoogleDesktopManager-060409-093314) - Google - D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - D:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iolo Product Update Service (ioloProductUpdate) - Unknown owner - D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Arquivos de programas\Java\jre6\bin\jqs.exe

 

 

--

End of file - 5320 bytes

 

 

Nós estamos começando a ter êxito. Pois segue log do avira antirootkit limpo . Legal

 

Avira AntiRootkit Tool (1.1.0.1)

 

========================================================================================================

- Scan started sábado, 15 de agosto de 2009 - 15:22:14

========================================================================================================

 

--------------------------------------------------------------------------------------------------------

Configuration:

--------------------------------------------------------------------------------------------------------

- [X] Scan files

- [X] Scan registry

- [X] Scan processes

- [ ] Fast scan

- Working disk total size : 59.00 GB

- Working disk free size : 39.52 GB (66 %)

--------------------------------------------------------------------------------------------------------

 

Scan task finished. No hidden objects detected!

 

--------------------------------------------------------------------------------------------------------

Files: 0/158518

Registry items: 0/346924

Processes: 0/34

Scan time: 00:05:21

--------------------------------------------------------------------------------------------------------

Active processes:

- vezsbdiz.exe (PID 1996) (Avira AntiRootkit Tool)

- HijackThis.exe (PID 2648)

- notepad.exe (PID 1540)

- System (PID 4)

- SMSS.EXE (PID 556)

- CSRSS.EXE (PID 620)

- WINLOGON.EXE (PID 644)

- SERVICES.EXE (PID 688)

- LSASS.EXE (PID 700)

- GBPSV.EXE (PID 872)

- SVCHOST.EXE (PID 900)

- SVCHOST.EXE (PID 1016)

- SVCHOST.EXE (PID 1112)

- SVCHOST.EXE (PID 1328)

- SVCHOST.EXE (PID 1472)

- SPOOLSV.EXE (PID 1588)

- SCHED.EXE (PID 1652)

- AVGUARD.EXE (PID 328)

- SVCHOST.EXE (PID 436)

- ioloServiceManager.exe (PID 496)

- GoogleDesktop.exe (PID 956)

- JQS.EXE (PID 1096)

- avgnt.exe (PID 1104)

- MDSERVICE.EXE (PID 1228)

- MalwareDefender.exe (PID 1264)

- msnmsgr.exe (PID 1276)

- MDM.EXE (PID 1404)

- SEAPORT.EXE (PID 1792)

- PrintScreen.exe (PID 160)

- ALG.EXE (PID 2320)

- wuauclt.exe (PID 3992)

- EXPLORER.EXE (PID 2780)

- firefox.exe (PID 3352)

- avirarkd.exe (PID 2428)

========================================================================================================

- Scan finished sábado, 15 de agosto de 2009 - 15:27:35

========================================================================================================

 

Obrigado e abraços .

[EDSSX 0]

Boa Tarde !

 

Ao rodar o toolbar S&D fecha as paginas e não dava mais para editar aqui .

Tivemos êxito . Pois segue log do mesmo limpo . Legal .

 

 

-----------\\ ToolBar S&D 1.2.8 XP/Vista

 

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3

X86-based PC ( Uniprocessor Free : AMD Sempron 2400+ )

BIOS : Version 07.00T

USER : edsom luis ( Administrator )

BOOT : Normal boot

Antivirus : Trend Micro Internet Security 17.1.1171 (Not Activated)

Firewall : Trend Micro Personal Firewall 5.5 (Activated)

A:\ (USB)

C:\ (Local Disk) - FAT32 - Total:17 Go (Free:7 Go)

D:\ (Local Disk) - FAT32 - Total:59 Go (Free:39 Go)

E:\ (CD or DVD)

 

"D:\ToolBar SD" ( MAJ : 21-12-2008|20:47 )

Option : [2] ( 15/08/2009|16:03 )

 

-----------\\ Procura por Arquivos / Ficheiros ...

 

 

-----------\\ Extensions

 

(edsom luis) - {3112ca9c-de6d-4884-a869-9855de68056c} => google-toolbar

(edsom luis) - {991A772A-BA13-4c1d-A9EF-F897F31DEC7D} => megaupload

(edsom luis) - {3112ca9c-de6d-4884-a869-9855de68056c} => google-toolbar

 

 

-----------\\ [..\Internet Explorer\Main]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"SearchMigratedDefaultURL"="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8"

"Start Page"="http://www.msn.com"

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"First Home Page"="http://g.msn.com/1me10IE8ENUS/701"

"Url"="http://go.microsoft.com/fwlink/?LinkID=68928"

"Url"="http://go.microsoft.com/fwlink/?LinkID=44406"

"Url"="http://go.microsoft.com/fwlink/?LinkID=68929"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]

"Start Page"="http://www.msn.com/"

"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"

"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"

"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"

 

 

--------------------\\ Procurando por outras infecções

 

 

Não foram encontradas outras infecções.

 

 

1 - "D:\ToolBar SD\TB_1.txt" - 13/08/2009|20:16 - Option : [2]

2 - "D:\ToolBar SD\TB_2.txt" - qui 13/08/2009|22:58 - Option : [2]

3 - "D:\ToolBar SD\TB_3.txt" - 14/08/2009| 0:31 - Option : [2]

4 - "D:\ToolBar SD\TB_4.txt" - 14/08/2009|22:18 - Option : [2]

5 - "D:\ToolBar SD\TB_5.txt" - 15/08/2009|16:06 - Option : [2]

 

-----------\\ Verificação completa em 16:06:39,18

 

 

Obrigado pela tua ampla atenção e dedicação . Abraços .

[EDSSX 0]

Boa Tarde !

 

No tópico não esta dando para editar embora consta a opção .

 

Entretanto segundo log do McAfee® Rootkit Detective consta :

 

Object-Type: Registry-key

Object-Name: Parameters\system32\drivers\cohhgmca.sys

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters

Status: Hidden

 

Object-Type: Registry-key

Object-Name: Parameters.RENSet002\Services\znfsio\Parameters

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN

Status: Hidden

 

Object-Type: Registry-key

Object-Name: Parameters.REN.REN02\Services\znfsio\Parameters.REN

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN.REN

Status: Hidden

 

Object-Type: Registry-key

Object-Name: Parameters.REN.REN.RENervices\znfsio\Parameters.REN.REN

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN.REN.REN

Status: Hidden

 

 

Segue log do McAfee® Rootkit Detective :

 

 

McAfee® Rootkit Detective 1.1 scan report

On 15-08-2009 at 16:43:07

OS-Version 5.1.2600

Service Pack 3.0

====================================

 

Object-Type: SSDT-hook

Object-Name: ZwClose

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwCreateFile

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwCreateKey

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwCreateSection

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwCreateThread

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwDebugActiveProcess

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDeleteFile

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDeleteKey

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwDeleteValueKey

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwDeviceIoControlFile

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDuplicateObject

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwFsControlFile

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwInitiatePowerAction

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwLoadDriver

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwLoadKey2

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwMakeTemporaryObject

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwOpenFile

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwOpenProcess

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwOpenSection

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwOpenThread

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwProtectVirtualMemory

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwQueueApcThread

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwReadVirtualMemory

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwRenameKey

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwReplaceKey

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwRequestWaitReplyPort

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwRestoreKey

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwSetContextThread

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetInformationFile

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetInformationProcess

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetSystemInformation

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetSystemPowerState

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetSystemTime

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetValueKey

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwShutdownSystem

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSuspendProcess

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSuspendThread

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSystemDebugControl

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwTerminateProcess

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwTerminateThread

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwUnmapViewOfSection

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwWriteFile

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwWriteFileGather

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: SSDT-hook

Object-Name: ZwWriteVirtualMemory

Object-Path: D:\WINDOWS\system32\drivers\cohhgmca.sys

 

Object-Type: Registry-key

Object-Name: Parameters\system32\drivers\cohhgmca.sys

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters

Status: Hidden

 

Object-Type: Registry-key

Object-Name: Parameters.RENSet002\Services\znfsio\Parameters

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN

Status: Hidden

 

Object-Type: Registry-key

Object-Name: Parameters.REN.REN02\Services\znfsio\Parameters.REN

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN.REN

Status: Hidden

 

Object-Type: Registry-key

Object-Name: Parameters.REN.REN.RENervices\znfsio\Parameters.REN.REN

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN.REN.REN

Status: Hidden

 

Object-Type: IAT/EAT-hook

PID: 944

Details: Export : Function : ADVAPI32.dll!StartServiceW => d:\windows\system32\mdhook.dll:18004060

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 944

Details: Export : Function : ADVAPI32.dll!StartServiceA => d:\windows\system32\mdhook.dll:18003FA0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 944

Details: Export : Function : ADVAPI32.dll!OpenServiceW => d:\windows\system32\mdhook.dll:18003730

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 944

Details: Export : Function : ADVAPI32.dll!OpenServiceA => d:\windows\system32\mdhook.dll:180036E0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 944

Details: Export : Function : ADVAPI32.dll!CreateServiceW => d:\windows\system32\mdhook.dll:180039C0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 944

Details: Export : Function : ADVAPI32.dll!CreateServiceA => d:\windows\system32\mdhook.dll:18003780

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: Process

Object-Name: System Idle Process

Pid: 0

Object-Path:

Status: Visible

 

Object-Type: Process

Object-Name: CSRSS.EXE

Pid: 620

Object-Path: D:\WINDOWS\system32\csrss.exe

Status: Visible

 

Object-Type: Process

Object-Name: IOLOSERVICEMANA

Pid: 496

Object-Path: D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 900

Object-Path: D:\WINDOWS\system32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 436

Object-Path: D:\WINDOWS\System32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: GBPSV.EXE

Pid: 872

Object-Path: D:\ARQUIV~1\GbPlugin\GbpSv.exe

Status: Visible

 

Object-Type: Process

Object-Name: System

Pid: 4

Object-Path:

Status: Visible

 

Object-Type: Process

Object-Name: msnmsgr.exe

Pid: 1276

Object-Path: D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

Status: Visible

 

Object-Type: Process

Object-Name: PrintScreen.exe

Pid: 160

Object-Path: D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe

Status: Visible

 

Object-Type: Process

Object-Name: Rootkit_Detecti

Pid: 2176

Object-Path: D:\Documents and Settings\edsom luis\Configurações locais\temp\McafeeRootkitDetective\Rootkit_Detective.exe

Status: Visible

 

Object-Type: Process

Object-Name: SERVICES.EXE

Pid: 688

Object-Path: D:\WINDOWS\system32\services.exe

Status: Visible

 

Object-Type: Process

Object-Name: rundll32.exe

Pid: 1184

Object-Path: D:\WINDOWS\system32\rundll32.exe

Status: Visible

 

Object-Type: Process

Object-Name: SPOOLSV.EXE

Pid: 1588

Object-Path: D:\WINDOWS\system32\spoolsv.exe

Status: Visible

 

Object-Type: Process

Object-Name: MDM.EXE

Pid: 1404

Object-Path: D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

Status: Visible

 

Object-Type: Process

Object-Name: SCHED.EXE

Pid: 1652

Object-Path: D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

Status: Visible

 

Object-Type: Process

Object-Name: JQS.EXE

Pid: 1096

Object-Path: D:\Arquivos de programas\Java\jre6\bin\jqs.exe

Status: Visible

 

Object-Type: Process

Object-Name: EXPLORER.EXE

Pid: 944

Object-Path: D:\WINDOWS\explorer.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 1472

Object-Path: D:\WINDOWS\system32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: LSASS.EXE

Pid: 700

Object-Path: D:\WINDOWS\system32\lsass.exe

Status: Visible

 

Object-Type: Process

Object-Name: AVGUARD.EXE

Pid: 328

Object-Path: D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

Status: Visible

 

Object-Type: Process

Object-Name: firefox.exe

Pid: 4080

Object-Path: D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe

Status: Visible

 

Object-Type: Process

Object-Name: avgnt.exe

Pid: 1104

Object-Path: D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

Status: Visible

 

Object-Type: Process

Object-Name: MDSERVICE.EXE

Pid: 1228

Object-Path: d:\arquivos de programas\malware defender\mdservice.exe

Status: Visible

 

Object-Type: Process

Object-Name: EXPLORER.EXE

Pid: 2780

Object-Path: D:\WINDOWS\explorer.exe

Status: Visible

 

Object-Type: Process

Object-Name: malwaredefender

Pid: 1264

Object-Path: D:\arquivos de programas\malware defender\malwaredefender.exe

Status: Visible

 

Object-Type: Process

Object-Name: wuauclt.exe

Pid: 3992

Object-Path: D:\WINDOWS\system32\wuauclt.exe

Status: Visible

 

Object-Type: Process

Object-Name: WINLOGON.EXE

Pid: 644

Object-Path: D:\WINDOWS\system32\winlogon.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 1016

Object-Path: D:\WINDOWS\system32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: SEAPORT.EXE

Pid: 1792

Object-Path: D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

Status: Visible

 

Object-Type: Process

Object-Name: ALG.EXE

Pid: 2320

Object-Path: D:\WINDOWS\System32\alg.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 1328

Object-Path: D:\WINDOWS\system32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: GoogleDesktop.e

Pid: 956

Object-Path: D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 1112

Object-Path: D:\WINDOWS\System32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: SMSS.EXE

Pid: 556

Object-Path: D:\WINDOWS\System32\smss.exe

Status: Visible

 

Scan complete. Hidden registry keys/values: 4

 

 

Obrigado pela tua ampla atenção e dedicação . Abraços

[DigRam 144]

Boa Noite! EDSSX

 

<!> Reparei um boa redução nas infecções,considerando o alto grau de dificuldade na remoção de rootkits chineses.

<!> Terminando o scripts,com o ComboFix,reinicie e rode o McAfee® Rootkit Detective.

<><><><><><><><><>

<@> Copie estas informações,entre os XXXXXXX....,para o Bloco de Notas.

<@> Salve-as,no desktop,como: CFScript <-- Texto!

 

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Rootkit::

d:\windows\system32\drivers\cohhgmca.sys

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN.REN.REN]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN.REN]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio\Parameters]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znfsio]

Folder::

d:\documents and settings\All Users\Dados de aplicativos\Rising

D:\!KillBox

Driver::

"cohhgmca"

NetSvc::

"cohhgmca"

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

<@> Arraste o CFScript.txt,para o ícone do ComboFix.

<@> Arraste-o,até que surja uma solicitação para executar o ComboFix.exe.

<@> Terminando,poste: ComboFix.txt + relatório do McAfee® Rootkit Detective.

 

Abraços!

[EDSSX 0]

Boa Noite !

 

Legal que limpeza e viva fatoração, sistemas, funções e parábolas . Combofix excluiu e log infra do mcaferootkitdetective limpo. Scan complete. No hidden processes/files found.

Total files scanned: 59735

 

 

 

 

 

Segue log do combofix :

 

ComboFix 09-08-10.06 - edsom luis 15/08/2009 23:16.78.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.245 [GMT -3:00]

Executando de: d:\documents and settings\edsom luis\Desktop\ComboFix.exe

Comandos utilizados :: d:\documents and settings\edsom luis\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Rising Antivirus *On-access scanning disabled* (Outdated) {234E4A88-48FA-4220-A994-5323706FF524}

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

* AV residente está ativo

 

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

D:\!KillBox

d:\!killbox\Logs\kb.log

d:\windows\system32\72568.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_COHHGMCA

-------\Service_cohhgmca

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-07-16 to 2009-08-16 ))))))))))))))))))))))))))))

.

 

2009-08-16 02:11 . 2009-08-16 02:11 -------- d-sh--w- D:\FOUND.000

2009-08-15 22:31 . 2009-08-15 22:32 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\iolo

2009-08-15 22:06 . 2009-08-15 22:06 54624 ----a-w- d:\windows\system32\72568.sys

2009-08-15 21:51 . 2009-08-15 21:52 128352 ----a-w- d:\windows\system32\9235D.dll

2009-08-15 21:51 . 2009-08-15 21:51 54624 ----a-w- d:\windows\system32\9235D.sys

2009-08-15 15:33 . 2009-08-15 15:33 -------- d-----w- d:\arquivos de programas\Malware Defender

2009-08-15 02:30 . 2009-08-15 02:30 -------- d-----w- D:\Lop SD

2009-08-14 22:08 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0804.dll

2009-08-14 22:07 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0411.dll

2009-08-14 22:07 . 2007-04-02 19:26 19456 ----a-w- d:\windows\system32\dllcache\agt0404.dll

2009-08-14 19:47 . 2009-03-30 13:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys

2009-08-14 19:47 . 2009-02-13 15:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys

2009-08-14 19:47 . 2009-02-13 15:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys

2009-08-14 19:47 . 2009-08-14 19:47 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Avira

2009-08-14 19:43 . 2009-08-14 19:43 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-08-14 16:46 . 2009-05-07 07:04 157712 ----a-w- d:\windows\system32\drivers\tmcomm.sys

2009-08-14 01:56 . 2009-08-14 01:56 -------- d-sh--w- d:\documents and settings\Administrador\IETldCache

2009-08-14 01:56 . 2009-08-14 01:56 -------- d-----r- d:\documents and settings\Administrador\Meus documentos

2009-08-14 01:51 . 2009-08-14 01:51 -------- d-----r- d:\documents and settings\Administrador\Favoritos

2009-08-14 01:51 . 2007-09-19 13:33 -------- d--h--w- d:\documents and settings\Administrador\Modelos

2009-08-14 01:51 . 2007-09-19 13:33 -------- d--h--w- d:\documents and settings\Administrador\Configurações locais

2009-08-14 01:51 . 2007-09-19 13:33 -------- d--h--r- d:\documents and settings\Administrador\Dados de aplicativos

2009-08-14 01:51 . 2007-09-19 13:33 -------- d-----r- d:\documents and settings\Administrador\Menu Iniciar

2009-08-14 01:51 . 2009-08-14 01:51 -------- d-----w- d:\documents and settings\Administrador

2009-08-13 23:10 . 2009-08-13 23:10 -------- d-----w- D:\ToolBar SD

2009-08-13 18:48 . 2009-08-13 18:48 272 ----a-w- d:\windows\system32\drivers\sfi.dat

2009-08-13 13:00 . 2009-07-10 13:27 1315328 ------w- d:\windows\system32\dllcache\msoe.dll

2009-08-12 16:08 . 2009-08-12 16:08 -------- d-----w- d:\arquivos de programas\Lavalys

2009-08-09 02:14 . 2009-08-09 02:14 -------- d-----w- D:\f3e64e655c4cf5ea0969946e

2009-08-09 02:09 . 2009-08-09 02:09 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache

2009-08-05 09:00 . 2009-08-05 09:00 205312 ------w- d:\windows\system32\dllcache\mswebdvd.dll

2009-08-01 22:20 . 2009-08-01 22:20 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Yahoo!

2009-07-31 18:51 . 2009-07-31 18:51 -------- d--h--w- d:\windows\PIF

2009-07-31 00:29 . 2009-07-31 00:29 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Download Manager

2009-07-30 17:07 . 2009-07-30 17:07 -------- d-----w- d:\windows\system32\CatRoot2

2009-07-27 17:28 . 2008-07-08 17:54 148496 ----a-w- d:\windows\system32\drivers\12878755.sys

2009-07-25 22:09 . 2009-07-25 22:09 -------- d-----r- d:\documents and settings\LocalService\Meus documentos

2009-07-24 16:11 . 2009-07-24 16:11 -------- d-----w- d:\windows\Sun

2009-07-24 03:01 . 2009-07-24 03:01 -------- d-----w- d:\documents and settings\All Users\Modelos

2009-07-23 15:10 . 2009-07-23 15:10 -------- d-----w- d:\arquivos de programas\blcorp

2009-07-21 23:37 . 2009-07-21 23:37 579072 ----a-w- d:\windows\system32\dllcache\user32.dll

2009-07-21 23:35 . 2009-07-21 23:35 -------- d-----w- d:\windows\ERUNT

2009-07-17 19:03 . 2009-07-17 19:03 58880 ------w- d:\windows\system32\dllcache\atl.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-16 02:23 . 2009-04-29 23:59 32 --sha-w- d:\windows\system32\drivers\fidbox.idx

2009-08-16 02:23 . 2009-04-29 23:59 32 --sha-w- d:\windows\system32\drivers\fidbox.dat

2009-08-12 14:44 . 2001-10-28 21:07 79022 ----a-w- d:\windows\system32\perfc016.dat

2009-08-12 14:44 . 2001-10-28 21:07 468108 ----a-w- d:\windows\system32\perfh016.dat

2009-08-05 09:00 . 2004-08-04 10:45 205312 ----a-w- d:\windows\system32\mswebdvd.dll

2009-07-28 19:33 . 2009-03-19 00:30 55656 ----a-w- d:\windows\system32\drivers\avgntflt.sys

2009-07-18 13:05 . 2008-11-12 18:12 208 ----a-w- d:\windows\system32\drivers\GbpKmAp.lst

2009-07-17 19:03 . 2004-08-04 10:45 58880 ----a-w- d:\windows\system32\atl.dll

2009-07-16 00:21 . 2009-06-21 23:42 3775176 ----a-w- d:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-13 16:36 . 2009-04-23 15:56 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 16:36 . 2009-04-23 15:56 19096 ----a-w- d:\windows\system32\drivers\mbam.sys

2009-07-12 15:21 . 2004-08-04 10:45 233472 ----a-w- d:\windows\system32\wmpdxm.dll

2009-07-03 16:59 . 2004-08-04 10:45 915456 ----a-w- d:\windows\system32\wininet.dll

2009-06-22 17:02 . 2009-06-22 17:01 -------- d-----w- d:\arquivos de programas\Gadwin Systems

2009-06-17 19:05 . 2009-06-17 19:05 -------- d-----w- d:\arquivos de programas\Mozilla Firefox 3.5 Preview

2009-06-16 14:39 . 2004-08-04 10:45 119808 ----a-w- d:\windows\system32\t2embed.dll

2009-06-16 14:39 . 2001-10-28 21:06 81920 ----a-w- d:\windows\system32\fontsub.dll

2009-06-15 10:44 . 2004-08-04 10:45 81408 ----a-w- d:\windows\system32\tlntsess.exe

2009-06-15 10:44 . 2004-08-04 10:45 77824 ----a-w- d:\windows\system32\telnet.exe

2009-06-12 03:43 . 2004-08-04 10:45 219648 ----a-w- d:\windows\system32\uxtheme.dll

2009-06-10 14:14 . 2004-08-04 10:45 85504 ----a-w- d:\windows\system32\avifil32.dll

2009-06-10 12:21 . 2007-09-19 13:40 2066432 ----a-w- d:\windows\system32\mstscax.dll

2009-06-10 06:15 . 2004-08-04 10:45 132096 ----a-w- d:\windows\system32\wkssvc.dll

2009-06-03 19:10 . 2004-08-04 10:45 1295872 ----a-w- d:\windows\system32\quartz.dll

2009-03-27 23:27 . 2009-03-27 23:27 2399 ----a-w- d:\arquivos de programas\Arquivos comuns\operadef6.ini

2009-02-26 14:04 . 2009-02-26 14:04 8250 ----a-w- d:\arquivos de programas\Arquivos comuns\license.rtf

2009-02-26 14:04 . 2009-02-26 14:04 234477 ----a-w- d:\arquivos de programas\Arquivos comuns\english.lng

2009-02-26 13:49 . 2009-02-26 13:49 3712000 ----a-w- d:\arquivos de programas\Arquivos comuns\opera.dll

2009-02-26 13:49 . 2009-02-26 13:49 20480 ----a-w- d:\arquivos de programas\Arquivos comuns\OUniAnsi.dll

2009-02-26 13:49 . 2009-02-26 13:49 653419 ----a-w- d:\arquivos de programas\Arquivos comuns\encoding.bin

2009-02-26 13:49 . 2009-02-26 13:49 99328 ----a-w- d:\arquivos de programas\Arquivos comuns\opera.exe

2009-01-07 16:52 . 2009-01-07 16:52 6809 ----a-w- d:\arquivos de programas\Arquivos comuns\license.txt

2008-09-03 17:12 . 2008-09-03 17:12 8470 ----a-w- d:\arquivos de programas\Arquivos comuns\search.ini

2008-06-09 13:17 . 2008-06-09 13:17 301 ----a-w- d:\arquivos de programas\Arquivos comuns\c3nform.vxml

2008-05-05 12:51 . 2008-05-05 12:51 3873 ----a-w- d:\arquivos de programas\Arquivos comuns\lngcode.txt

2004-02-26 16:35 . 2004-02-26 16:35 7904 ----a-w- d:\arquivos de programas\Arquivos comuns\html40_entities.dtd

2009-07-30 17:45 . 2009-02-27 15:11 122880 ----a-w- d:\arquivos de programas\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-03-08 17:09 . 2009-04-05 21:55 638816 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe

.

 

------- Sigcheck -------

 

[-] 2008-04-14 03:20 579072 A9B36030497E98C29210E4544700649D d:\windows\system32\user32.dll

[-] 2009-07-21 23:37 579072 A9B36030497E98C29210E4544700649D d:\windows\system32\dllcache\user32.dll

[7] 2007-03-08 15:36 578048 B5782EE6EAFE3C218236F79F1A27B747 d:\windows\$NtServicePackUninstall$\user32.dll

[-] 2008-04-14 03:20 579072 A9B36030497E98C29210E4544700649D d:\windows\ServicePackFiles\i386\user32.dll

[7] 2007-03-08 15:50 578560 F86D3E5C8FE13297E1C2D662F9E2D59D d:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

[7] 2005-03-02 18:20 577536 3ED0A4D74EFD5AAF8408095F452E2613 d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[7] 2008-04-14 03:20 579072 54907DB28872A7A6D3EE2B4747A23828 d:\windows\NiwradSoft Shell Pack\Backup\user32.dll

[7] 2004-08-04 10:45 577536 E0FF28447D1038DE106D1F2FDF851647 d:\windows\$NtUninstallKB890859$\user32.dll

[7] 2005-03-02 18:18 577536 7FFBCF1B94E6929DEECE06670C2407D6 d:\windows\$NtUninstallKB925902$\user32.dll

 

[-] 2008-04-14 03:21 549376 B0C0BF2504B830BFC1E93CA39F3C75FE d:\windows\system32\winlogon.exe

[7] 2004-08-04 10:45 504320 6F7BDE7A1126DEBF0CC359A54953EFC1 d:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 03:21 549376 B0C0BF2504B830BFC1E93CA39F3C75FE d:\windows\ServicePackFiles\i386\winlogon.exe

[7] 2008-04-14 03:21 509952 71D440F79B711627B12B567FB2EADB42 d:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe

 

[-] 2008-04-14 03:20 1542656 77F71BF6970EA10B4CC9AA1D45654AA0 d:\windows\explorer.exe

[7] 2007-06-13 13:21 1035264 DCCBF18E94D651393A3FFA060F88E0A0 d:\windows\$NtServicePackUninstall$\explorer.exe

[7] 2004-08-04 10:45 1034240 FA61A19050AE14BEC1A26DE82390DD65 d:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 03:20 1542656 77F71BF6970EA10B4CC9AA1D45654AA0 d:\windows\ServicePackFiles\i386\explorer.exe

[7] 2007-06-13 13:10 1035264 45D521506825A10B80833B4E9621CCF6 d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

[7] 2008-04-14 03:20 1035776 064EC7FF5F58B928C3E119402977FA6D d:\windows\NiwradSoft Shell Pack\Backup\explorer.exe

 

[-] 2008-04-14 03:20 40448 584450C5B2439571755D40444589C63D d:\windows\system32\ctfmon.exe

[7] 2004-08-04 10:45 15360 F40BC97996B8E53799EEF1D63996674B d:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 03:20 40448 584450C5B2439571755D40444589C63D d:\windows\ServicePackFiles\i386\ctfmon.exe

[7] 2008-04-14 03:20 15360 4E486ADFE3A0B9ED0EB0639902E9F64F d:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe

 

[-] 2008-04-14 03:20 1523712 3D762A3DE04DE62F1E4CCDF7CF2A66E1 d:\windows\system32\comres.dll

[7] 2004-08-04 10:45 821760 FB93B504600DA3EC407ED0252EEF97AB d:\windows\$NtServicePackUninstall$\comres.dll

[-] 2008-04-14 03:20 1523712 3D762A3DE04DE62F1E4CCDF7CF2A66E1 d:\windows\ServicePackFiles\i386\comres.dll

[7] 2008-04-14 03:20 821760 D3F8E8DBE93A80440CAC78B305B40A67 d:\windows\NiwradSoft Shell Pack\Backup\comres.dll

 

[-] 2008-04-14 03:20 643072 302CD5BE4CA48200F9AC1C6074D71805 d:\windows\system32\comctl32.dll

[7] 2008-04-14 03:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\InstallTemp\15449055\comctl32.dll

[7] 2008-04-13 22:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\InstallTemp\27228101\comctl32.dll

[7] 2004-08-04 10:44 1050624 3680CF24C64348BFDC89E290790398E7 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[7] 2001-10-28 21:06 921088 AEF3D788DBF40C7C4D204EA45EB0C505 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

[7] 2006-08-25 15:49 1054208 50141E3C168F02C3920891400CEC9FF4 d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

[7] 2008-04-13 22:17 1054208 3356DF9145BC1AD45B43C528F9F7527C d:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[7] 2006-08-25 15:49 617472 873E9E5B23D206BE443ABD3CF597C2E8 d:\windows\$NtServicePackUninstall$\comctl32.dll

[-] 2008-04-14 03:20 643072 302CD5BE4CA48200F9AC1C6074D71805 d:\windows\ServicePackFiles\i386\comctl32.dll

[7] 2008-04-14 03:20 617472 085C5892D9C1E19B3CEFD1B79F5BBF13 d:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll

[7] 2004-08-04 10:45 611328 021631D9D0729D9E52300CCEACE4F054 d:\windows\$NtUninstallKB923191$\comctl32.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-15_03.06.11 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-16 02:25 . 2009-08-16 02:25 16384 d:\windows\temp\Perflib_Perfdata_46c.dat

+ 2009-08-16 02:23 . 2009-08-16 02:23 8192 d:\windows\ERDNT\subs\Users\00000004\UsrClass.dat

+ 2009-08-16 02:23 . 2009-08-16 02:23 8192 d:\windows\ERDNT\subs\Users\00000002\UsrClass.dat

- 2009-08-15 03:03 . 2009-08-15 03:03 8192 d:\windows\ERDNT\subs\Users\00000002\UsrClass.dat

+ 2009-08-16 02:23 . 2009-08-16 02:23 208896 d:\windows\ERDNT\subs\Users\00000006\UsrClass.dat

+ 2009-08-16 02:23 . 2009-08-16 02:23 233472 d:\windows\ERDNT\subs\Users\00000003\ntuser.dat

+ 2009-08-16 02:23 . 2009-08-16 02:23 229376 d:\windows\ERDNT\subs\Users\00000001\ntuser.dat

- 2009-08-15 03:03 . 2009-08-15 03:03 229376 d:\windows\ERDNT\subs\Users\00000001\ntuser.dat

+ 2009-08-16 02:23 . 2009-08-16 02:23 10084352 d:\windows\ERDNT\subs\Users\00000005\ntuser.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="d:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"Gadwin PrintScreen"="d:\arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Desktop Search"="d:\arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" [2009-07-30 30192]

"Adobe Reader Speed Launcher"="d:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"avgnt"="d:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRealMode"= 0 (0x0)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "d:\arquivos de programas\GBPLUGIN\gbiehcef.dll" [2009-03-27 264776]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]

2009-03-27 14:22 264776 ------w- d:\arquivos de programas\GbPlugin\gbiehcef.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\WINDOWS\\system32\\rtcshare.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Arquivos de programas\\Windows Live\\Messenger\\MSNMSGR.EXE"=

"d:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

 

R0 GbpKm;Gbp KernelMode;d:\windows\system32\drivers\GbpKm.sys [18/04/2009 21:46 26568]

R1 is-AP9JMdrv;is-AP9JMdrv;d:\windows\system32\drivers\12878755.sys [27/07/2009 14:28 148496]

R1 is-C4H53drv;is-C4H53drv;d:\windows\system32\drivers\70906987.sys [29/04/2009 21:02 148496]

R2 713xTVCard;SAA7131 TV Card;d:\windows\system32\drivers\SAA713x.sys [15/03/2005 12:00 277504]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [14/08/2009 16:47 108289]

R2 GbpSv;Gbp Service;d:\arquiv~1\GbPlugin\GbpSv.exe [18/06/2008 14:26 52808]

R2 ioloFileInfoList;iolo FileInfoList Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R2 ioloProductUpdate;iolo Product Update Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R2 ioloSystemService;iolo System Service;d:\arquivos de programas\iolo\Common\Lib\ioloServiceManager.exe [16/04/2009 20:43 628584]

R3 xpvcom;XPVCOM Port;d:\windows\system32\drivers\XPVCOM.sys [23/03/2007 02:00 30032]

S0 Lbd;Lbd;d:\windows\system32\DRIVERS\Lbd.sys --> d:\windows\system32\DRIVERS\Lbd.sys [?]

S2 MalwareDefenderService;Malware Defender Service;d:\arquivos de programas\Malware Defender\mdservice.exe [27/07/2009 00:51 84992]

S3 72568;72568;d:\windows\system32\72568.sys [15/08/2009 19:06 54624]

S3 9235D;9235D;d:\windows\system32\9235D.sys [15/08/2009 18:51 54624]

S3 GoogleDesktopManager-060409-093314;Gerenciador do Google Desktop 5.9.906.4286;d:\arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe [11/04/2009 15:38 30192]

S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [23/04/2009 12:56 38160]

S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [14/04/2009 19:51 30136]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2009-04-07 d:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet35002003-04-11 18:25N4BF150JQ9B.job

- d:\arquivos de programas\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 18:25]

 

2009-08-16 d:\windows\Tasks\User_Feed_Synchronization-{85870EB0-73F3-41E1-92DD-7C153C1F486E}.job

- d:\windows\system32\msfeedssync.exe [2007-08-13 07:31]

.

.

------- Scan Suplementar -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.msn.com

uLocal Page =

uDefault_Search_URL =

mWindow Title =

mLocal Page =

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: {{ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} -

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://portuguese.ircfast.com/pt/index.php?rvs=hompag

FF - prefs.js: keyword.URL - hxxp://br.search.yahoo.com/search?ei=ISO-8859-1&fr=megaup&p=

FF - component: d:\arquivos de programas\Mozilla Firefox 3.5 Preview\components\GoogleDesktopMozilla.dll

FF - component: d:\arquivos de programas\Mozilla Firefox 3.5 Preview\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

FF - plugin: d:\arquivos de programas\Microsoft\Office Live\npOLW.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\npdsplay.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\NPSWF32.dll

FF - plugin: d:\arquivos de programas\Opera 10 Beta\program\plugins\npwmsdrm.dll

FF - plugin: d:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

 

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-connections-per-server - 6

FF - user.js: network.http.max-persistent-connections-per-server - 3

FF - user.js: nglayout.initialpaint.delay - 750

FF - user.js: content.notify.interval - 750000

FF - user.js: content.max.tokenizing.time - 2250000

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.enforce_same_site_origin", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.cache_size", 51200);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.ogg.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.wave.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("media.autoplay.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("dom.storage.default_quota", 5120);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("layout.css.dpi", -1);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\all.js - pref("geo.enabled", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

d:\arquivos de programas\Mozilla Firefox 3.5 Preview\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-15 23:25

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(644)

d:\windows\system32\SETUPAPI.dll

d:\windows\system32\sfc_os.dll

d:\arquivos de programas\GBPLUGIN\gbiehcef.dll

d:\windows\system32\COMRes.dll

d:\windows\system32\cscui.dll

 

- - - - - - - > 'lsass.exe'(700)

d:\windows\system32\SETUPAPI.dll

d:\windows\system32\psbase.dll

 

- - - - - - - > 'explorer.exe'(2516)

d:\windows\system32\WININET.dll

d:\arquivos de programas\GBPLUGIN\gbiehcef.dll

d:\windows\system32\COMRes.dll

d:\windows\System32\cscui.dll

d:\windows\system32\LINKINFO.dll

d:\windows\system32\ntshrui.dll

d:\windows\system32\msi.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\SETUPAPI.dll

d:\windows\system32\WPDShServiceObj.dll

d:\windows\system32\NETSHELL.dll

d:\windows\system32\credui.dll

d:\windows\system32\PortableDeviceTypes.dll

d:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

d:\arquivos de programas\GBPLUGIN\GBPSV.EXE

d:\arquivos de programas\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE

d:\arquivos de programas\JAVA\JRE6\BIN\JQS.EXE

d:\arquivos de programas\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

d:\arquivos de programas\MICROSOFT\SEARCH ENHANCEMENT PACK\SEAPORT\SEAPORT.EXE

.

**************************************************************************

.

Tempo para conclusão: 2009-08-16 23:29 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-08-16 02:29

ComboFix2.txt 2009-08-15 03:10

ComboFix3.txt 2009-08-12 15:08

ComboFix4.txt 2009-08-10 18:22

ComboFix5.txt 2009-08-15 16:59

 

Pré-execução: 13 pasta(s) 42.449.862.656 bytes disponíveis

Pós execução: 12 pasta(s) 42.445.209.600 bytes disponíveis

 

344 --- E O F --- 2009-08-14 03:01

 

 

 

Segue log do mcafeerootkitdetective :

 

 

 

McAfee® Rootkit Detective 1.1 scan report

On 15-08-2009 at 23:41:09

OS-Version 5.1.2600

Service Pack 3.0

====================================

 

Object-Type: SSDT-hook

Object-Name: ZwClose

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwCreateFile

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwCreateKey

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwCreateSection

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwCreateThread

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDebugActiveProcess

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDeleteFile

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDeleteKey

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDeleteValueKey

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDeviceIoControlFile

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwDuplicateObject

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwFsControlFile

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwInitiatePowerAction

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwLoadDriver

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwLoadKey2

Object-Path: (NULL)

 

Object-Type: SSDT-hook

Object-Name: ZwMakeTemporaryObject

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwOpenFile

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwOpenProcess

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwOpenSection

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwOpenThread

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwProtectVirtualMemory

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwQueueApcThread

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwReadVirtualMemory

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwRenameKey

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwReplaceKey

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwRequestWaitReplyPort

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwRestoreKey

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetContextThread

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetInformationFile

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetInformationProcess

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetSystemInformation

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetSystemPowerState

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetSystemTime

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSetValueKey

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwShutdownSystem

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSuspendProcess

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSuspendThread

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwSystemDebugControl

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwTerminateProcess

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwTerminateThread

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwUnmapViewOfSection

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwWriteFile

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwWriteFileGather

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: SSDT-hook

Object-Name: ZwWriteVirtualMemory

Object-Path: D:\WINDOWS\system32\drivers\gofhgcpp.sys

 

Object-Type: IAT/EAT-hook

PID: 3764

Details: Export : Function : ADVAPI32.dll!StartServiceW => d:\windows\system32\mdhook.dll:18004060

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 3764

Details: Export : Function : ADVAPI32.dll!StartServiceA => d:\windows\system32\mdhook.dll:18003FA0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 3764

Details: Export : Function : ADVAPI32.dll!OpenServiceW => d:\windows\system32\mdhook.dll:18003730

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 3764

Details: Export : Function : ADVAPI32.dll!OpenServiceA => d:\windows\system32\mdhook.dll:180036E0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 3764

Details: Export : Function : ADVAPI32.dll!CreateServiceW => d:\windows\system32\mdhook.dll:180039C0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 3764

Details: Export : Function : ADVAPI32.dll!CreateServiceA => d:\windows\system32\mdhook.dll:18003780

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 2516

Details: Export : Function : ADVAPI32.dll!StartServiceW => d:\windows\system32\mdhook.dll:18004060

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 2516

Details: Export : Function : ADVAPI32.dll!StartServiceA => d:\windows\system32\mdhook.dll:18003FA0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 2516

Details: Export : Function : ADVAPI32.dll!OpenServiceW => d:\windows\system32\mdhook.dll:18003730

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 2516

Details: Export : Function : ADVAPI32.dll!OpenServiceA => d:\windows\system32\mdhook.dll:180036E0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 2516

Details: Export : Function : ADVAPI32.dll!CreateServiceW => d:\windows\system32\mdhook.dll:180039C0

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: IAT/EAT-hook

PID: 2516

Details: Export : Function : ADVAPI32.dll!CreateServiceA => d:\windows\system32\mdhook.dll:18003780

Object-Path: d:\windows\system32\mdhook.dll

Status: Hooked

 

Object-Type: Process

Object-Name: System Idle Process

Pid: 0

Object-Path:

Status: Visible

 

Object-Type: Process

Object-Name: CSRSS.EXE

Pid: 620

Object-Path: D:\WINDOWS\system32\csrss.exe

Status: Visible

 

Object-Type: Process

Object-Name: GBPSV.EXE

Pid: 868

Object-Path: D:\ARQUIV~1\GbPlugin\GbpSv.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 900

Object-Path: D:\WINDOWS\system32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: AVGUARD.EXE

Pid: 404

Object-Path: D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

Status: Visible

 

Object-Type: Process

Object-Name: SEAPORT.EXE

Pid: 1892

Object-Path: D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

Status: Visible

 

Object-Type: Process

Object-Name: PrintScreen.exe

Pid: 1212

Object-Path: D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe

Status: Visible

 

Object-Type: Process

Object-Name: IOLOSERVICEMANA

Pid: 500

Object-Path: D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

Status: Visible

 

Object-Type: Process

Object-Name: MDM.EXE

Pid: 1740

Object-Path: D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

Status: Visible

 

Object-Type: Process

Object-Name: System

Pid: 4

Object-Path:

Status: Visible

 

Object-Type: Process

Object-Name: EXPLORER.EXE

Pid: 2516

Object-Path: D:\WINDOWS\explorer.exe

Status: Visible

 

Object-Type: Process

Object-Name: SERVICES.EXE

Pid: 688

Object-Path: D:\WINDOWS\system32\services.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 440

Object-Path: D:\WINDOWS\System32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: firefox.exe

Pid: 2768

Object-Path: D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe

Status: Visible

 

Object-Type: Process

Object-Name: SCHED.EXE

Pid: 1652

Object-Path: D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 1468

Object-Path: D:\WINDOWS\system32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: EXPLORER.EXE

Pid: 3764

Object-Path: D:\WINDOWS\explorer.exe

Status: Visible

 

Object-Type: Process

Object-Name: MalwareDefender

Pid: 820

Object-Path: D:\Arquivos de programas\Malware Defender\MalwareDefender.exe

Status: Visible

 

Object-Type: Process

Object-Name: Rootkit_Detecti

Pid: 3084

Object-Path: D:\Documents and Settings\edsom luis\Configurações locais\temp\McafeeRootkitDetective\Rootkit_Detective.exe

Status: Visible

 

Object-Type: Process

Object-Name: SPOOLSV.EXE

Pid: 1596

Object-Path: D:\WINDOWS\system32\spoolsv.exe

Status: Visible

 

Object-Type: Process

Object-Name: mdservice.exe

Pid: 2496

Object-Path: d:\arquivos de programas\malware defender\mdservice.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 1008

Object-Path: D:\WINDOWS\system32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 1380

Object-Path: D:\WINDOWS\system32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: JQS.EXE

Pid: 1132

Object-Path: D:\Arquivos de programas\Java\jre6\bin\jqs.exe

Status: Visible

 

Object-Type: Process

Object-Name: LSASS.EXE

Pid: 700

Object-Path: D:\WINDOWS\system32\lsass.exe

Status: Visible

 

Object-Type: Process

Object-Name: wuauclt.exe

Pid: 3800

Object-Path: D:\WINDOWS\system32\wuauclt.exe

Status: Visible

 

Object-Type: Process

Object-Name: SVCHOST.EXE

Pid: 1104

Object-Path: D:\WINDOWS\System32\svchost.exe

Status: Visible

 

Object-Type: Process

Object-Name: GoogleDesktop.e

Pid: 980

Object-Path: D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

Status: Visible

 

Object-Type: Process

Object-Name: avgnt.exe

Pid: 1076

Object-Path: D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

Status: Visible

 

Object-Type: Process

Object-Name: WINLOGON.EXE

Pid: 644

Object-Path: D:\WINDOWS\system32\winlogon.exe

Status: Visible

 

Object-Type: Process

Object-Name: SMSS.EXE

Pid: 556

Object-Path: D:\WINDOWS\System32\smss.exe

Status: Visible

 

Object-Type: Process

Object-Name: msnmsgr.exe

Pid: 928

Object-Path: D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

Status: Visible

 

Object-Type: Process

Object-Name: alg.exe

Pid: 2292

Object-Path: D:\WINDOWS\System32\alg.exe

Status: Visible

 

Scan complete. No hidden processes/files found.

Total files scanned: 59735

 

 

Obrigado pela tua ampla atenção. Abraços .