
Archived

This topic has been archived and is closed to new replies.

flake21

[Solved!] Windows cannot find 'C\WINDOWS\Config&

Well, folks... First of all, greetings to everyone on the forum!

My problem is a typical one... I went to download a crack for "Street Fighter IV" and along with the damn file came a virus (I believe it was only 1)...

Right away, as soon as the download finished, my "Avira" flagged the trojan intrusion, and I told it to delete it.

Up to that point, all fine... Not a single noticeable change to the system... When I turned the computer on the next day, after the infection, Windows started normally,

and at the welcome screen I selected my name, entered my password and POOF... It wouldn't log in... As if it had frozen, and then "BAM" (that annoying little Windows sound).

After the sound I pressed Ctrl+Alt+Del and the PC logged in normally, but with the following message:

"Windows cannot find 'C\WINDOWS\Config\csrss.exe'. Make sure you typed the name correctly, and then try again. To search for a

file, click the Start button, and then click Search".

Every time I start the PC now, this happens...

I have no idea what it could be... Avira's scan never flags anything, and I always run a Spybot scan, which doesn't flag anything much either... Other than those junk spies (DoubleClick, etc...)

Here is my HijackThis log:

__________________

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:32:24, on 22/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\WISPTIS.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\DOCUME~1\Flake21\LOCALS~1\Temp\Rar$EX00.203\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oglobo.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"

O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1547161642-602162358-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Saluzinho')

O4 - HKUS\S-1-5-21-1547161642-602162358-725345543-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')

O4 - HKUS\S-1-5-21-1547161642-602162358-725345543-500\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Administrator')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DEE555A9-BC49-4E29-8284-35EFD504FCA7}: NameServer = 192.168.254.254

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

 

--

End of file - 7574 bytes

 

___________________

 

Thanks in advance for your attention! Awaiting help!

Regards to all!

Good evening, flake21!

 

<!> The malware has infected system.ini, which calls for a certain amount of care in the removal.

<><><><><><><><><>

<@> Download: < Pocket Killbox >

<@> Save it to the Desktop!

<@> Open KillBox --> Check the option: Delete on Reboot

<@> Check the box: "End Explorer Shell While Killing File" --> Minimize the tool!

<@> Copy the file(s) under the QUOTE into Notepad.

<@> While disconnected, open Notepad and use these shortcuts: ( Ctrl + A ) --> ( Ctrl + C )

 

C:\WINDOWS\Config\csrss.exe

<@> In KillBox, which was minimized, click File --> Paste from Clipboard --> All Files.

<@> Click the X and, at the prompt, say No!

<@> Restart the computer! <-- Important!

<@> Go to the folder C:\!KillBox ... which was generated!

<@> Post the report that is inside it! ( C:\!KillBox\Logs\kb.log )

<><><><><><><><><>

<@> Open HijackThis --> Click: Do a system scan only

<@> Check the entry below:

 

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe

<@> With all programs closed, click Fix checked --> Yes!

<@> Post: kb.log + an updated HijackThis log.

 

Regards!
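The entry DigRam singles out is the system.ini Shell= value: on Windows XP everything listed after Explorer.exe there is started at every logon, so a trojan that appends itself keeps running, and once the file is gone the "Windows cannot find" error appears at each boot instead. A second tell in the same line is the file name: csrss.exe is a core Windows process that only legitimately lives in System32, not in C:\WINDOWS\Config. The following Python script is an added example, not code from the thread or from HijackThis; it applies both checks to HijackThis-format log lines. The sample log text is constructed from a few lines of the log posted above, and the function names and the list of core binaries are my own choices.

```python
import ntpath
import re

# Constructed sample in HijackThis v2 format, modelled on the log posted in the
# thread. Only the F2 line and the csrss.exe path are suspicious.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# Directory where these core processes live on a stock XP install (assumption:
# default %SystemRoot%; adjust if Windows is installed elsewhere).
SYSTEM_DIR = r"c:\windows\system32"
CORE_SYSTEM_BINARIES = {
    "csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe",
    "services.exe", "svchost.exe",
}

# HijackThis prints the system.ini Shell= value as an F2 entry.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
# Drive-letter path ending in .exe, spaces allowed (non-greedy up to the extension).
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.exe", re.IGNORECASE)


def shell_hijack_components(log_text):
    """Return whatever is listed in the Shell= value beyond the legitimate Explorer.exe."""
    extras = []
    for line in log_text.splitlines():
        m = SHELL_RE.match(line.strip())
        if not m:
            continue
        value = m.group(1).strip()
        # "Explorer.exe" alone is the stock value; strip it and keep the remainder.
        if value.lower().startswith("explorer.exe"):
            value = value[len("explorer.exe"):].strip()
        if value:
            extras.extend(WIN_PATH_RE.findall(value) or [value])
    return extras


def masquerading_system_binaries(log_text):
    """Return paths whose file name is a core Windows process but whose directory is not System32."""
    found = []
    for path in WIN_PATH_RE.findall(log_text):
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if name in CORE_SYSTEM_BINARIES and directory != SYSTEM_DIR and path not in found:
            found.append(path)
    return found


def triage(log_text):
    """Run both checks and return the findings keyed by check name."""
    return {
        "shell_extras": shell_hijack_components(log_text),
        "masquerading": masquerading_system_binaries(log_text),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{check}] {hit}")
```

Both checks report the same path for the constructed sample, which is the point: an F2 Shell= entry with anything after Explorer.exe is worth fixing on its own, and a core process name in an odd directory is a masquerade regardless of how it is started.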

Hi DigRam! First of all, thanks for the attention and for how quickly you answered my topic! I liked the efficiency!

I did the whole procedure, and on restart the problem persisted!

Here is the KillBox log:

____________________________________________________

 

Pocket Killbox version 2.0.0.978

Running on Windows XP as Flake21(Administrator)

was started @ quarta-feira, julho 22, 2009, 9:32 PM

 

Killbox Closed(Exit) @ 9:43:46 PM

__________________________________________________

 

Pocket Killbox version 2.0.0.978

Running on Windows XP as Flake21(Administrator)

was started @ quarta-feira, julho 22, 2009, 9:44 PM

 

# 1 [Delete on Reboot]

Path = C:\WINDOWS\Config\csrss.exe

 

 

# 2 [Delete on Reboot]

Path = C:\WINDOWS\Config\csrss.exe

 

 

Killbox Closed(Exit) @ 9:48:16 PM

__________________________________________________

 

Here is the HijackThis log:

 

__________________________________________________

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:51:33, on 22/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\Flake21\LOCALS~1\Temp\Rar$EX00.375\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oglobo.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"

O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DEE555A9-BC49-4E29-8284-35EFD504FCA7}: NameServer = 192.168.254.254

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

 

--

End of file - 7097 bytes

 

 

Thanks again for the attention and the speed!!

Awaiting your reply.

Good evening, flake21!

 

<@> Download: < ComboFix > ( ...by sUBs )

<@> Save it to the desktop!

<@> Disable the resident protection of your antivirus, antispyware and firewall. ( Except Windows' own! )

<@> Close all windows and run the tool!

<@> At the prompt "Disclaimer of software warranty" --> Click Yes!

<@> If you do not have the "Recovery Console", accept the offer to install it!

 

<!> If you get the notification "Invalid Win32 application", delete the ComboFix.exe tool and download it again.

<!> Save it to the desktop, renamed as: Kombo.exe

<!> PS: Rename it while saving, not after saving it!

<!> PS: If any error message appears, run ComboFix.exe in "Safe Mode". <-- Link!

<!> PS: To complete the removals, the tool may need to restart the computer. <-- Wait!

<!> PS: Avoid running this tool on your own initiative!

<!> PS: To avoid problems, follow all the recommendations given.

<!> PS: ComboFix is a tool that can damage the system. Use it only under professional supervision.

<@> The Auto Scan window will open. --> Wait!

<@> In order to complete the removals, ComboFix may restart the computer.

<@> If necessary, type the option to continue! --> ( 1 ) --> Press Enter! --> Wait for it to finish!

<@> During the scan, avoid touching the mouse or keyboard! <-- Important!

<@> To stop or exit ComboFix, press "N" or "2" --> Press Enter!

<><><><><><><><><><><><>

<@> When finished, post the reports: C:\ComboFix.txt + an updated HijackThis log.

 

Regards!

DigRam, once again thanks for the speed and efficiency with which you have answered my posts! I ran the scan with ComboFix, and noticed that at the end of the scan my wallpaper changed to a plain Windows default one! Is that normal?! PS: Sorry for the delay in replying, I get home very late...

 

Here is the ComboFix log:

___________________________________

 

ComboFix 09-07-23.02 - Flake21 23/07/2009 20:29.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1568 [GMT -3:00]

Running from: c:\documents and settings\Flake21\Desktop\Limpeza Malwares\ComboFix.exe

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))

.

 

2009-07-23 23:14 . 2009-07-23 23:14 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-07-23 02:57 . 2009-07-23 02:57 -------- d--h--w- c:\windows\PIF

2009-07-23 00:32 . 2009-07-23 00:32 -------- d-----w- C:\!KillBox

2009-07-22 20:28 . 2009-07-22 20:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-16 03:25 . 2009-07-16 03:25 -------- d-----w- c:\documents and settings\Flake21\Local Settings\Application Data\CAPCOM

2009-07-15 23:16 . 2009-07-15 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-15 22:57 . 2009-07-15 22:57 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE

2009-07-14 23:58 . 2009-07-14 23:58 -------- d-----w- c:\documents and settings\Saluzinho\Local Settings\Application Data\Adobe

2009-07-14 03:24 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2009-07-14 03:24 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2009-07-14 03:24 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2009-07-14 03:24 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2009-07-14 03:24 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-07-14 03:24 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-07-01 00:10 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2009-07-01 00:10 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-23 21:48 . 2009-04-26 01:28 -------- d-----w- c:\documents and settings\Flake21\Application Data\uTorrent

2009-07-22 21:55 . 2009-04-21 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-07-16 00:08 . 2009-04-21 21:50 -------- d-----w- c:\program files\AdVantage

2009-06-22 23:22 . 2009-04-26 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-22 12:23 . 2009-06-22 12:23 -------- d-----w- c:\program files\YourWare Solutions

2009-06-21 22:46 . 2009-06-21 22:46 -------- d-----w- c:\documents and settings\Saluzinho\Application Data\DivX

2009-06-21 22:45 . 2009-04-23 01:09 69232 ----a-w- c:\documents and settings\Saluzinho\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-16 04:06 . 2009-04-21 21:06 -------- d-----w- c:\documents and settings\Flake21\Application Data\Skype

2009-06-16 04:05 . 2009-04-21 21:08 -------- d-----w- c:\documents and settings\Flake21\Application Data\skypePM

2009-06-14 01:43 . 2009-04-21 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-14 01:43 . 2009-06-14 01:43 -------- d-----w- c:\program files\USB Vibration

2009-06-13 21:26 . 2009-04-21 16:06 102400 ----a-w- c:\windows\DUMP43b0.tmp

2009-06-11 04:28 . 2009-06-01 14:31 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2009-06-11 04:28 . 2009-06-01 14:31 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2009-06-08 03:10 . 2009-06-08 03:10 -------- d-----w- c:\program files\Noël Danjou

2009-06-08 02:21 . 2009-06-08 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!

2009-06-04 01:47 . 2009-06-01 13:44 -------- d-----w- c:\program files\DAEMON Tools Lite

2009-06-03 02:09 . 2009-04-23 01:08 -------- d-----w- c:\documents and settings\Saluzinho\Application Data\ATI

2009-06-01 14:41 . 2009-06-01 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\salvation

2009-06-01 14:32 . 2009-06-01 14:32 -------- d-----w- c:\program files\AGEIA Technologies

2009-06-01 14:31 . 2009-06-01 14:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-06-01 14:31 . 2009-06-01 14:31 -------- d-----w- c:\program files\OpenAL

2009-06-01 13:56 . 2009-04-21 22:12 -------- d-----w- c:\documents and settings\Flake21\Application Data\DAEMON Tools Lite

2009-06-01 13:44 . 2009-06-01 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-06-01 13:44 . 2009-06-01 13:44 -------- d-----w- c:\program files\DAEMON Tools Toolbar

2009-06-01 13:40 . 2009-04-21 22:12 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-06-01 04:25 . 2009-04-21 21:49 -------- d-----w- c:\documents and settings\Flake21\Application Data\BSplayer

2009-05-31 23:46 . 2009-04-21 19:34 69232 ----a-w- c:\documents and settings\Flake21\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-31 02:42 . 2009-05-31 02:42 -------- d-----w- c:\program files\uTorrent

2009-05-31 02:30 . 2009-05-31 02:30 -------- d-----w- c:\program files\7-Zip

2009-05-31 02:02 . 2009-04-21 22:18 158528 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-05-29 04:07 . 2009-04-21 19:58 -------- d-----w- c:\documents and settings\Flake21\Application Data\CyberLink

2009-05-16 23:16 . 2009-05-16 23:16 0 ----a-w- c:\windows\ativpsrm.bin

2009-05-07 15:32 . 2004-08-04 01:56 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-05 13:59 . 2009-04-21 19:25 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-04-28 03:23 . 2009-04-22 02:09 737280 ----a-w- c:\windows\iun6002.exe

2009-04-27 23:05 . 2009-04-21 22:10 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-04-27 23:05 . 2009-04-21 22:10 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-22 19:50 . 2009-04-21 21:00 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2009-03-21 14:06 . 2007-07-22 13:14 4227072 --sha-r- c:\windows\system32\rbkvjanl.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]

"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-10 53248]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

 

c:\documents and settings\Flake21\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-21 534016]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"d:\\Download - Setups\\Programas\\utorrent.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"f:\\Garena\\Garena.exe"=

"f:\\Left4Dead\\left4dead.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"f:\\Evolved Games\\Terminator Salvation\\TerminatorSalvation.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"f:\\Steam\\steamapps\\flake21\\team fortress 2\\hl2.exe"=

"f:\\Street Fighter IV\\StreetFighterIV.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2151:TCP"= 2151:TCP:zfswqhqu

 

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [21/4/2009 16:38 16640]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/4/2009 19:10 108289]

S2 zgmna;Windows Manager;c:\windows\system32\svchost.exe -k netsvcs [3/8/2004 22:56 14336]

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Flake21\LOCALS~1\Temp\UUOBF.tmp --> c:\docume~1\Flake21\LOCALS~1\Temp\UUOBF.tmp [?]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - IDSVC

*NewlyCreated* - SYSMONLOG

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

zgmna

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-AdVantage - c:\program files\AdVantage\AdVantage.exe

HKCU-Run-Power2GoExpress - (no file)

HKLM-Run-TkBellExe - c:\program files\VistaCodecPack\rm\Update_OB\realsched.exe

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.oglobo.com.br/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {DEE555A9-BC49-4E29-8284-35EFD504FCA7} = 192.168.254.254

FF - ProfilePath - c:\documents and settings\Flake21\Application Data\Mozilla\Firefox\Profiles\o3mmpvd5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.oglobo.com.br/

FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-23 20:31

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]

"ImagePath"="\??\c:\docume~1\Flake21\LOCALS~1\Temp\UUOBF.tmp"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgmna]

"ServiceDll"="c:\windows\system32\rbkvjanl.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(796)

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(3540)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

Completion time: 2009-07-23 20:32

ComboFix-quarantined-files.txt 2009-07-23 23:32

 

Pre-Run: 18.304.360.448 bytes free

Post-Run: 18.546.376.704 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

174 --- E O F --- 2009-06-25 04:56

 

________________________________________________

 

Here is the HijackThis log

 

________________________________________________

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:44:10, on 23/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Flake21\Desktop\Limpeza Malwares\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oglobo.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DEE555A9-BC49-4E29-8284-35EFD504FCA7}: NameServer = 192.168.254.254

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

 

--

End of file - 6444 bytes

 

____________________________________________________

 

Thank you for all the attention!

Awaiting your reply!

Regards


Good evening, flake21!

 

<@> Copy the information between the XXXXXXX.... lines into Notepad.

<@> Save it on the desktop as: CFScript <-- Text file!

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

File::

c:\windows\system32\rbkvjanl.dll

c:\windows\iun6002.exe

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2151:TCP"=""

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgmna]

Folder::

c:\program files\AdVantage

C:\!KillBox

Netsvc::

"zfswqhqu"

"zgmna"

Driver::

"zgmna"

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<@> Drag CFScript.txt onto the ComboFix icon.

<@> Keep dragging until a prompt to run ComboFix.exe appears.

<@> When it finishes, post: ComboFix.txt + a fresh HijackThis log.

 

Regards!
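The CFScript above removes the zgmna service, which the ComboFix log listed as an extra NetSvcs member backed by a ServiceDll in system32, while the GarenaPEngine entry that loads from a Temp directory was left alone. As an added example that is not part of this thread and not ComboFix's own code, the Python below parses those three shapes of service information (R*/S* service lines, the "Svchost - NetSvcs" list, and the [HKLM\...\Services\<name>] blocks) out of a constructed sample shaped like the thread's log and reports which services a helper would review first.

```python
"""Triage of ComboFix-style service entries (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# Constructed sample log, shaped like the ComboFix excerpts posted in the thread.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/4/2009 19:10 108289]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Flake21\LOCALS~1\Temp\UUOBF.tmp --> c:\docume~1\Flake21\LOCALS~1\Temp\UUOBF.tmp [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zgmna
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Flake21\LOCALS~1\Temp\UUOBF.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgmna]
"ServiceDll"="c:\windows\system32\rbkvjanl.dll"
"""

SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
VALUE_LINE = re.compile(r'^"(ImagePath|ServiceDll)"="(.*)"$', re.I)
TEMP_DIR = re.compile(r"\\te?mp\\", re.I)   # matches \Temp\ and \tmp\


@dataclass
class ServiceEntry:
    name: str
    paths: set = field(default_factory=set)
    unverified: bool = False      # ComboFix printed "[?]" for the file
    extra_netsvc: bool = False    # listed under "Svchost - NetSvcs"

    def reasons(self):
        """Triage reasons for this service; empty list means nothing to review."""
        found = []
        if self.extra_netsvc:
            found.append("extra NetSvcs member")
        if self.unverified:
            found.append("file not verified ([?])")
        if any(TEMP_DIR.search(p) for p in self.paths):
            found.append("binary under a Temp directory")
        return found


def parse_services(text):
    """Collect ServiceEntry objects from a ComboFix-style log excerpt."""
    entries = {}
    current = None        # registry block whose values are being read
    in_netsvcs = False    # inside the "Svchost - NetSvcs" extra list

    def get(name):
        return entries.setdefault(name, ServiceEntry(name))

    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "."):             # ComboFix separates sections with "."
            current, in_netsvcs = None, False
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        if in_netsvcs:                    # each following line names a group member
            get(line).extra_netsvc = True
            continue
        m = SERVICE_LINE.match(line)
        if m:
            name, rest = m.group(2), m.group(4)
            path = rest.rsplit(" [", 1)[0]
            if " --> " in path:           # "short form --> resolved path"
                path = path.split(" --> ", 1)[1]
            entry = get(name)
            entry.paths.add(path)
            entry.unverified = entry.unverified or rest.endswith("[?]")
            continue
        m = SERVICE_KEY.match(line)
        if m:
            current = get(m.group(1))
            continue
        if line.startswith("["):          # some other registry key
            current = None
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            current.paths.add(m.group(2))
    return entries


def triage(text):
    """Map service name -> reasons, for services that have at least one reason."""
    return {n: e.reasons() for n, e in parse_services(text).items() if e.reasons()}


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(why)}")
```

A Temp-directory service is only a review prompt, not a verdict: in this thread GarenaPEngine is flagged by the same rule but was left in place.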


Good evening, DigRam!

Here is the ComboFix log:

________________________________

 

ComboFix 09-07-23.02 - Flake21 23/07/2009 23:11.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1610 [GMT -3:00]

Running from: c:\documents and settings\Flake21\Desktop\Limpeza Malwares\ComboFix.exe

Command switches used :: c:\documents and settings\Flake21\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

FILE ::

"c:\windows\iun6002.exe"

"c:\windows\system32\rbkvjanl.dll"

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\!KillBox

c:\!killbox\Logs\kb.log

c:\program files\AdVantage

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\chrome.manifest

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\chrome\content\advantage.png

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\chrome\content\contents.rdf

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\chrome\content\overlay.js

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\chrome\content\overlay.xul

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\chrome\content\vssver2.scc

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\chrome\locale\en-US\overlay.dtd

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\chrome\locale\en-US\vssver2.scc

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\components\IMeMedia_FF.xpt

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\install.js

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\install.rdf

c:\program files\AdVantage\{A89AED22-9133-424c-88E7-C8235C5FF302}\vssver2.scc

c:\program files\AdVantage\AdVantage.cch

c:\program files\AdVantage\AdVantage.db

c:\program files\AdVantage\AdVantage.htm

c:\program files\AdVantage\AdVantageupdate.exe

c:\program files\AdVantage\user.db

c:\windows\iun6002.exe

c:\windows\system32\rbkvjanl.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ZGMNA

-------\Service_zgmna

 

 

((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))

.

 

2009-07-23 23:14 . 2009-07-23 23:14 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-07-23 02:57 . 2009-07-23 02:57 -------- d--h--w- c:\windows\PIF

2009-07-22 20:28 . 2009-07-22 20:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-16 03:25 . 2009-07-16 03:25 -------- d-----w- c:\documents and settings\Flake21\Local Settings\Application Data\CAPCOM

2009-07-15 23:16 . 2009-07-15 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-15 22:57 . 2009-07-15 22:57 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE

2009-07-14 23:58 . 2009-07-14 23:58 -------- d-----w- c:\documents and settings\Saluzinho\Local Settings\Application Data\Adobe

2009-07-14 03:24 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2009-07-14 03:24 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2009-07-14 03:24 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2009-07-14 03:24 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2009-07-14 03:24 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-07-14 03:24 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-07-01 00:10 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2009-07-01 00:10 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-23 21:48 . 2009-04-26 01:28 -------- d-----w- c:\documents and settings\Flake21\Application Data\uTorrent

2009-07-22 21:55 . 2009-04-21 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-22 23:22 . 2009-04-26 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-22 12:23 . 2009-06-22 12:23 -------- d-----w- c:\program files\YourWare Solutions

2009-06-21 22:46 . 2009-06-21 22:46 -------- d-----w- c:\documents and settings\Saluzinho\Application Data\DivX

2009-06-21 22:45 . 2009-04-23 01:09 69232 ----a-w- c:\documents and settings\Saluzinho\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-16 04:06 . 2009-04-21 21:06 -------- d-----w- c:\documents and settings\Flake21\Application Data\Skype

2009-06-16 04:05 . 2009-04-21 21:08 -------- d-----w- c:\documents and settings\Flake21\Application Data\skypePM

2009-06-14 01:43 . 2009-04-21 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-14 01:43 . 2009-06-14 01:43 -------- d-----w- c:\program files\USB Vibration

2009-06-13 21:26 . 2009-04-21 16:06 102400 ----a-w- c:\windows\DUMP43b0.tmp

2009-06-11 04:28 . 2009-06-01 14:31 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2009-06-11 04:28 . 2009-06-01 14:31 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2009-06-08 03:10 . 2009-06-08 03:10 -------- d-----w- c:\program files\Noël Danjou

2009-06-08 02:21 . 2009-06-08 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!

2009-06-04 01:47 . 2009-06-01 13:44 -------- d-----w- c:\program files\DAEMON Tools Lite

2009-06-03 02:09 . 2009-04-23 01:08 -------- d-----w- c:\documents and settings\Saluzinho\Application Data\ATI

2009-06-01 14:41 . 2009-06-01 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\salvation

2009-06-01 14:32 . 2009-06-01 14:32 -------- d-----w- c:\program files\AGEIA Technologies

2009-06-01 14:31 . 2009-06-01 14:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-06-01 14:31 . 2009-06-01 14:31 -------- d-----w- c:\program files\OpenAL

2009-06-01 13:56 . 2009-04-21 22:12 -------- d-----w- c:\documents and settings\Flake21\Application Data\DAEMON Tools Lite

2009-06-01 13:44 . 2009-06-01 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-06-01 13:44 . 2009-06-01 13:44 -------- d-----w- c:\program files\DAEMON Tools Toolbar

2009-06-01 13:40 . 2009-04-21 22:12 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-06-01 04:25 . 2009-04-21 21:49 -------- d-----w- c:\documents and settings\Flake21\Application Data\BSplayer

2009-05-31 23:46 . 2009-04-21 19:34 69232 ----a-w- c:\documents and settings\Flake21\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-31 02:42 . 2009-05-31 02:42 -------- d-----w- c:\program files\uTorrent

2009-05-31 02:30 . 2009-05-31 02:30 -------- d-----w- c:\program files\7-Zip

2009-05-31 02:02 . 2009-04-21 22:18 158528 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-05-29 04:07 . 2009-04-21 19:58 -------- d-----w- c:\documents and settings\Flake21\Application Data\CyberLink

2009-05-16 23:16 . 2009-05-16 23:16 0 ----a-w- c:\windows\ativpsrm.bin

2009-05-07 15:32 . 2004-08-04 01:56 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-05 13:59 . 2009-04-21 19:25 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-04-27 23:05 . 2009-04-21 22:10 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-04-27 23:05 . 2009-04-21 22:10 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-22 19:50 . 2009-04-21 21:00 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]

"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-10 53248]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

 

c:\documents and settings\Flake21\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-21 534016]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"d:\\Download - Setups\\Programas\\utorrent.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"f:\\Garena\\Garena.exe"=

"f:\\Left4Dead\\left4dead.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"f:\\Evolved Games\\Terminator Salvation\\TerminatorSalvation.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"f:\\Steam\\steamapps\\flake21\\team fortress 2\\hl2.exe"=

"f:\\Street Fighter IV\\StreetFighterIV.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2151:TCP"=

 

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [21/4/2009 16:38 16640]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/4/2009 19:10 108289]

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Flake21\LOCALS~1\Temp\JDT8D.tmp --> c:\docume~1\Flake21\LOCALS~1\Temp\JDT8D.tmp [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.oglobo.com.br/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {DEE555A9-BC49-4E29-8284-35EFD504FCA7} = 192.168.254.254

FF - ProfilePath - c:\documents and settings\Flake21\Application Data\Mozilla\Firefox\Profiles\o3mmpvd5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.oglobo.com.br/

FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-23 23:15

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]

"ImagePath"="\??\c:\docume~1\Flake21\LOCALS~1\Temp\JDT8D.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(800)

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(3676)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Ahead\InCD\InCDsrv.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2009-07-24 23:17 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-24 02:17

ComboFix2.txt 2009-07-23 23:32

 

Pre-Run: 18.557.476.864 bytes free

Post-Run: 18.413.481.984 bytes free

 

196 --- E O F --- 2009-07-24 02:17

 

__________________________________________

 

Here is the HijackThis log:

 

__________________________________________

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:20:34, on 23/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Flake21\Desktop\Limpeza Malwares\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oglobo.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DEE555A9-BC49-4E29-8284-35EFD504FCA7}: NameServer = 192.168.254.254

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

 

--

End of file - 6495 bytes

 

__________________________________________

 

Thanks again in advance!

Awaiting your reply!

Regards


Good morning, flake21!

 

<@> Go to Start --> Run --> Type or paste: combofix.exe /u --> Click OK.

<@> The following window will open: ( Open File - Security Warning )

<@> Click Run --> Wait!

<@> Finally the message "ComboFix está desinstalado" will appear --> Click OK.

<@> If you find them, delete: C:\ComboFix <-- the folder! + C:\ComboFix.txt <-- the report!

<><><><><><><><><><>

<!> Your logs are clean! :bye:

<!> Everything OK?

 

Regards!


Once again, thank you for the patience and efficiency! The problem really was solved, and I have nothing but praise for the forum that helped me so much!

Thanks once more!!

See you!

Best regards


PROBLEM SOLVED!

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
