BlaK
Posted July 23, 2009

I have a popup that appears from time to time; the page title always starts with CiD. I read some topics from people with the same problem, but I thought the fix they applied might be different from the one I should apply. Here is the log.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:45:57, on 23/7/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe D:\Arquivos de Programas\Gravity\RO\nProtect\npkcmsvc.exe C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\ARQUIV~1\AVG\AVG8\avgrsx.exe C:\Arquivos de programas\IDT\1082008184234\STacSV.exe C:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\svchost.exe C:\ARQUIV~1\AVG\AVG8\avgemc.exe C:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\IDT\WDM\sttray.exe C:\Arquivos de programas\USB Disk Security\USBGuard.exe C:\WINDOWS\FixCamera.exe C:\WINDOWS\tsnp325.exe C:\WINDOWS\vsnp325.exe C:\ARQUIV~1\AVG\AVG8\avgtray.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe C:\WINDOWS\sm56hlpr.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe C:\Arquivos de 
programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE C:\Arquivos de programas\DNA\btdna.exe C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\ARQUIV~1\AVG\AVG8\avgnsx.exe C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} 
- C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll O4 - 
HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe O4 - HKLM\..\Run: [uSB Antivirus] C:\Arquivos de programas\USB Disk Security\USBGuard.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [Amok Mode Dupe Platform] C:\Documents and Settings\All Users\Dados de aplicativos\Hold Trust Amok Mode\COMP HTM.exe O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Arquivos de programas\DNA\btdna.exe" O4 - HKCU\..\Run: [transdale] C:\DOCUME~1\CLIQUE~1\DADOSD~1\HECKBI~1\Ping Funk Film.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK 
SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {60541D7A-4EF1-4117-9607-7C1B0EEAAD18} (Image Uploader Control) - http://iu.ak.sonico.com//ImageUploader.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234038108093 O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8588D274-BCC0-42C0-A6D0-DF5FA099B6FE}: NameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{B1626DC2-65F4-4E68-BD8D-C97495C33E39}: NameServer = 200.165.132.147,200.165.132.154 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. 
- C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Arquivos de Programas\Gravity\RO\nProtect\npkcmsvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Arquivos de programas\IDT\1082008184234\STacSV.exe -- End of file - 12264 bytes
Silas Martins
Posted July 23, 2009

Download Lop S&D from http://eric.71.mespages.googlepages.com/LopSD.exe

Temporarily disable your protection programs (antivirus, etc.) so that they do not interfere with the tool.

Double-click the Lop S&D icon that will be on the desktop. If you use Windows Vista, right-click LopSD.exe and choose 'Run as administrator'.

A window will appear (as in the image below); type P for Portuguese and press Enter.

Now press the number 2 and press Enter. The tool will run and your screen will flicker, which is normal. Please be patient and wait.

At the end a report will be generated (C:\lopR.txt). Post the contents of that report in your next reply.

Download Malwarebytes Anti-Malware from http://www.besttechie.net/tools/mbam-setup.exe

* Start the installation by clicking "mbam-setup.exe";
* Check "Update Malwarebytes Anti-Malware" and "Run Malwarebytes Anti-Malware", and click Finish.
* Select "Quick Scan" and then click Scan.
* When the scan finishes, click OK and then "Show Results" to see the log;
* If anything is detected, make sure everything is checked and click "Remove";
* The log is saved automatically and can be viewed by clicking "Logs" in the main menu;
* Copy and paste that log, together with the new HijackThis log and the Lop S&D log.

I await your reply.
BlaK
Posted July 23, 2009

How nice, I didn't know the reply would be so quick. Sorry if I kept you waiting too long, hehe :whistling:

--------------------\\ Lop S&D 4.2.5-0 XP/Vista Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3 X86-based PC ( Multiprocessor Free : Intel® Pentium® Dual CPU E2180 @ 2.00GHz ) BIOS : Default System BIOS USER : Clique Aqui ( Administrator ) BOOT : Normal boot Antivirus : AntiVir Desktop 9.0.1.30 (Activated) C:\ (Local Disk) - NTFS - Total:48 Go (Free:19 Go) D:\ (Local Disk) - NTFS - Total:100 Go (Free:24 Go) E:\ (CD or DVD) H:\ (CD or DVD) "C:\Lop SD" ( MAJ : 19-12-2008|23:40 ) Option : [2] ( qui 23/07/2009|19:42 ) \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ REMOVIDOS Deletado! - C:\WINDOWS\Tasks\A08DAEA1918A20D1.job Deletado! - C:\WINDOWS\Tasks\B889C74E904A7046.job Deletado! - C:\DOCUME~1\ALLUSE~1\DADOSD~1\Hold Trust Amok Mode\COMP HTM.exe Deletado! - C:\Arquivos de programas\Orbitdownloader\addons Deletado! - C:\Arquivos de programas\Orbitdownloader\banurl.ini Deletado! - C:\Arquivos de programas\Orbitdownloader\changelog.txt Deletado! - C:\Arquivos de programas\Orbitdownloader\download.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\Grab.exe Deletado! - C:\Arquivos de programas\Orbitdownloader\GrabDll.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\GrabKernel.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\idht.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\Lang.ini Deletado! - C:\Arquivos de programas\Orbitdownloader\language Deletado! - C:\Arquivos de programas\Orbitdownloader\libeay32.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\orbitdm.exe Deletado! - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\orbitnet.exe Deletado! 
- C:\Arquivos de programas\Orbitdownloader\saction.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\siteinfo.ini Deletado! - C:\Arquivos de programas\Orbitdownloader\ssleay32.dll Deletado! - C:\Arquivos de programas\Orbitdownloader\unins000.dat Deletado! - C:\Arquivos de programas\Orbitdownloader\unins000.exe Deletado! - C:\Arquivos de programas\Orbitdownloader\update Deletado! - C:\Arquivos de programas\Orbitdownloader\winfile.dll Deletado! - C:\DOCUME~1\CLIQUE~1\Cookies\clique_aqui@adserver5[1].txt Deletado! - C:\DOCUME~1\ALLUSE~1\DADOSD~1\Hold Trust Amok Mode Deletado! - C:\DOCUME~1\CLIQUE~1\DADOSD~1\heckbi~1 Deletado! - C:\Arquivos de programas\heckbi~1 Deletado! - C:\Arquivos de programas\Orbitdownloader - [ Arquivos/Ficheiros Hosts ] .. RESTAURADO \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ --------------------\\ Lista de pastas em DADOSD~1 [22/03/2009|22:31] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Adobe [04/07/2009|01:41] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Apowersoft [05/04/2009|12:16] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Apple Computer [23/07/2009|19:13] C:\DOCUME~1\ALLUSE~1\DADOSD~1\avg8 [23/07/2009|19:17] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Avira [02/04/2009|20:51] C:\DOCUME~1\ALLUSE~1\DADOSD~1\DAEMON Tools Lite [14/02/2009|06:32] C:\DOCUME~1\ALLUSE~1\DADOSD~1\GbPlugin [23/05/2009|11:12] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Google [03/06/2009|12:07] C:\DOCUME~1\ALLUSE~1\DADOSD~1\InstallShield [19/02/2009|15:36] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Messenger Plus! 
[27/05/2009|10:49] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Microsoft [15/07/2009|17:55] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Microsoft Help [08/10/2008|19:12] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Nero [01/03/2009|18:25] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Skype [23/07/2009|09:39] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy [03/06/2009|12:08] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Tages [07/02/2009|17:33] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Windows Genuine Advantage [07/02/2009|17:54] C:\DOCUME~1\ALLUSE~1\DADOSD~1\WLInstaller [11/05/2009|20:41] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Adobe [23/10/2008|16:45] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Ahead [22/07/2009|20:44] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Any Video Converter [16/07/2009|13:50] C:\DOCUME~1\CLIQUE~1\DADOSD~1\BitTorrent [02/04/2009|20:51] C:\DOCUME~1\CLIQUE~1\DADOSD~1\DAEMON Tools [02/04/2009|20:51] C:\DOCUME~1\CLIQUE~1\DADOSD~1\DAEMON Tools Lite [02/05/2009|11:40] C:\DOCUME~1\CLIQUE~1\DADOSD~1\DAEMON Tools Pro [23/07/2009|19:35] C:\DOCUME~1\CLIQUE~1\DADOSD~1\DNA [03/06/2009|12:16] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Games [28/06/2009|01:24] C:\DOCUME~1\CLIQUE~1\DADOSD~1\GrabPro [17/04/2009|09:49] C:\DOCUME~1\CLIQUE~1\DADOSD~1\gtk-2.0 [22/04/2009|20:08] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Hamachi [08/10/2008|21:22] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Identities [10/04/2009|23:57] C:\DOCUME~1\CLIQUE~1\DADOSD~1\InstallShield [11/11/2008|19:52] C:\DOCUME~1\CLIQUE~1\DADOSD~1\InterTrust [04/07/2009|02:14] C:\DOCUME~1\CLIQUE~1\DADOSD~1\KC Softwares [02/02/2009|20:38] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Lightcomm [18/07/2009|10:00] C:\DOCUME~1\CLIQUE~1\DADOSD~1\LimeWire [13/10/2008|20:49] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Macromedia [05/04/2009|13:06] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Media Player Classic [23/07/2009|19:13] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Microsoft [18/02/2009|14:42] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Microsoft Games [17/07/2009|21:30] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Mozilla [22/07/2009|20:46] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Orbit [03/07/2009|22:08] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Real 
[27/05/2009|10:50] C:\DOCUME~1\CLIQUE~1\DADOSD~1\SecuROM [11/02/2009|10:04] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Sun [25/06/2009|19:52] C:\DOCUME~1\CLIQUE~1\DADOSD~1\teamspeak2 [14/05/2009|18:33] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Uniblue [09/10/2008|21:27] C:\DOCUME~1\CLIQUE~1\DADOSD~1\WinRAR [22/02/2009|17:43] C:\DOCUME~1\CLIQUE~1\DADOSD~1\Wireshark [08/10/2008|18:31] C:\DOCUME~1\DEFAUL~1\DADOSD~1\Microsoft [06/05/2009|17:25] C:\DOCUME~1\Ednoan\DADOSD~1\Adobe [08/10/2008|20:37] C:\DOCUME~1\Ednoan\DADOSD~1\Ahead [18/05/2009|07:45] C:\DOCUME~1\Ednoan\DADOSD~1\BitTorrent [21/03/2009|22:07] C:\DOCUME~1\Ednoan\DADOSD~1\Desktopicon [01/03/2009|18:32] C:\DOCUME~1\Ednoan\DADOSD~1\Google [29/06/2009|16:08] C:\DOCUME~1\Ednoan\DADOSD~1\GrabPro [22/01/2009|09:28] C:\DOCUME~1\Ednoan\DADOSD~1\Help [08/10/2008|18:35] C:\DOCUME~1\Ednoan\DADOSD~1\Identities [08/02/2009|13:43] C:\DOCUME~1\Ednoan\DADOSD~1\InstallShield [21/02/2009|22:09] C:\DOCUME~1\Ednoan\DADOSD~1\LimeWire [07/02/2009|21:53] C:\DOCUME~1\Ednoan\DADOSD~1\Macromedia [23/07/2009|19:11] C:\DOCUME~1\Ednoan\DADOSD~1\Microsoft [22/04/2009|10:51] C:\DOCUME~1\Ednoan\DADOSD~1\Microsoft Games [19/07/2009|00:48] C:\DOCUME~1\Ednoan\DADOSD~1\Orbit [11/10/2008|12:10] C:\DOCUME~1\Ednoan\DADOSD~1\Real [16/07/2009|20:25] C:\DOCUME~1\Ednoan\DADOSD~1\Skype [23/07/2009|16:02] C:\DOCUME~1\Ednoan\DADOSD~1\skypePM [09/03/2009|08:46] C:\DOCUME~1\Ednoan\DADOSD~1\Sun [03/12/2008|08:20] C:\DOCUME~1\Ednoan\DADOSD~1\WinRAR [23/07/2009|19:11] C:\DOCUME~1\LOCALS~1\DADOSD~1\Microsoft [23/07/2009|19:11] C:\DOCUME~1\NETWOR~1\DADOSD~1\Microsoft --------------------\\ Tarefas Agendadas na pasta C:\WINDOWS\Tasks [23/07/2009 17:10][--ah-----] C:\WINDOWS\tasks\User_Feed_Synchronization-{3CD2284E-DB19-4572-B0BF-E6F1AD1CBE6C}.job [23/07/2009 18:21][--ah-----] C:\WINDOWS\tasks\User_Feed_Synchronization-{F57CD1EE-A40D-46E8-8915-4CB31E0F3E67}.job [23/07/2009 09:05][--ah-----] C:\WINDOWS\tasks\SA.DAT [28/10/2001 14:07][-r-h-----] C:\WINDOWS\tasks\desktop.ini 
--------------------\\ Lista de pastas em C:\Arquivos de programas [22/03/2009|22:29] C:\Arquivos de programas\Adobe [03/06/2009|12:06] C:\Arquivos de programas\AGEIA Technologies [03/06/2009|12:06] C:\Arquivos de programas\Arquivos comuns [08/10/2008|18:52] C:\Arquivos de programas\AVG [23/07/2009|19:17] C:\Arquivos de programas\Avira [01/07/2009|00:14] C:\Arquivos de programas\BigSoL3D 1.4 [16/02/2009|17:43] C:\Arquivos de programas\BitTorrent [08/10/2008|19:04] C:\Arquivos de programas\CCleaner [08/04/2009|09:03] C:\Arquivos de programas\CNPJ2009 [08/10/2008|18:29] C:\Arquivos de programas\ComPlus Applications [02/04/2009|20:50] C:\Arquivos de programas\DAEMON Tools Lite [02/05/2009|15:29] C:\Arquivos de programas\directX [07/02/2009|14:25] C:\Arquivos de programas\DLink [23/07/2009|17:45] C:\Arquivos de programas\DNA [23/05/2009|11:22] C:\Arquivos de programas\eMule [11/06/2009|23:19] C:\Arquivos de programas\FLV Player [21/03/2009|21:20] C:\Arquivos de programas\FormatFactory [29/06/2009|17:33] C:\Arquivos de programas\GameVicio [10/02/2009|15:12] C:\Arquivos de programas\GbPlugin [24/05/2009|21:26] C:\Arquivos de programas\Google [07/04/2009|16:44] C:\Arquivos de programas\Hamachi [16/05/2009|12:47] C:\Arquivos de programas\Hewlett-Packard [16/05/2009|12:56] C:\Arquivos de programas\hp deskjet 3420 series [08/10/2008|18:43] C:\Arquivos de programas\IDT [03/06/2009|11:44] C:\Arquivos de programas\InstallShield Installation Information [08/10/2008|18:38] C:\Arquivos de programas\Intel [21/07/2009|13:13] C:\Arquivos de programas\Internet Explorer [02/04/2009|12:09] C:\Arquivos de programas\Java [19/02/2009|22:36] C:\Arquivos de programas\Messenger [19/07/2009|00:44] C:\Arquivos de programas\Messenger Plus! 
Live [14/02/2009|15:10] C:\Arquivos de programas\Microsoft [08/10/2008|18:31] C:\Arquivos de programas\microsoft frontpage [08/10/2008|19:25] C:\Arquivos de programas\Microsoft Office [22/07/2009|17:36] C:\Arquivos de programas\Microsoft Silverlight [14/02/2009|15:09] C:\Arquivos de programas\Microsoft SQL Server Compact Edition [14/02/2009|15:10] C:\Arquivos de programas\Microsoft Sync Framework [08/10/2008|19:25] C:\Arquivos de programas\Microsoft Visual Studio [08/10/2008|19:25] C:\Arquivos de programas\Microsoft Works [19/03/2009|10:24] C:\Arquivos de programas\Movie Maker [08/10/2008|18:28] C:\Arquivos de programas\MSN Gaming Zone [08/02/2009|00:05] C:\Arquivos de programas\MSXML 4.0 [08/10/2008|19:12] C:\Arquivos de programas\Nero [19/02/2009|22:30] C:\Arquivos de programas\NetMeeting [07/02/2009|15:51] C:\Arquivos de programas\Oi Velox [19/03/2009|10:24] C:\Arquivos de programas\Outlook Express [01/07/2009|13:09] C:\Arquivos de programas\PhotoScape [08/10/2008|18:56] C:\Arquivos de programas\Positivo [23/10/2008|20:58] C:\Arquivos de programas\Project64 1.6 [05/04/2009|12:16] C:\Arquivos de programas\QuickTime Alternative [09/10/2008|21:01] C:\Arquivos de programas\Real [08/10/2008|18:30] C:\Arquivos de programas\Servi‡os on-line [01/03/2009|18:25] C:\Arquivos de programas\Skype [10/04/2009|11:58] C:\Arquivos de programas\SMPlayer [18/03/2009|17:41] C:\Arquivos de programas\Spybot - Search & Destroy [08/03/2009|20:09] C:\Arquivos de programas\Teamspeak2_RC2 [23/07/2009|09:48] C:\Arquivos de programas\Trend Micro [08/10/2008|18:35] C:\Arquivos de programas\Uninstall Information [15/02/2009|00:03] C:\Arquivos de programas\Unity [02/05/2009|16:52] C:\Arquivos de programas\Universal Interactive [05/04/2009|12:59] C:\Arquivos de programas\URUSoft [08/10/2008|19:02] C:\Arquivos de programas\USB Disk Security [05/04/2009|13:05] C:\Arquivos de programas\Webteh [07/02/2009|17:41] C:\Arquivos de programas\Windows Installer 4.5 SDK [02/07/2009|11:31] C:\Arquivos de 
programas\Windows Live [12/02/2009|09:18] C:\Arquivos de programas\Windows Live SkyDrive [26/02/2009|17:07] C:\Arquivos de programas\Windows Media Connect 2 [26/02/2009|17:10] C:\Arquivos de programas\Windows Media Player [19/02/2009|22:30] C:\Arquivos de programas\Windows NT [08/10/2008|18:30] C:\Arquivos de programas\WindowsUpdate [22/02/2009|17:46] C:\Arquivos de programas\WinPcap [08/10/2008|18:56] C:\Arquivos de programas\WinRAR [22/02/2009|17:42] C:\Arquivos de programas\Wireshark [08/10/2008|18:31] C:\Arquivos de programas\xerox [08/10/2008|19:03] C:\Arquivos de programas\XP Codec Pack --------------------\\ Lista de pastas em C:\Arquivos de programas\Arquivos comuns [22/03/2009|22:30] C:\Arquivos de programas\Arquivos comuns\Adobe [08/10/2008|19:13] C:\Arquivos de programas\Arquivos comuns\Ahead [08/10/2008|19:25] C:\Arquivos de programas\Arquivos comuns\DESIGNER [07/04/2009|17:24] C:\Arquivos de programas\Arquivos comuns\DirectX [03/06/2009|11:44] C:\Arquivos de programas\Arquivos comuns\InstallShield [08/02/2009|22:59] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared [08/10/2008|18:30] C:\Arquivos de programas\Arquivos comuns\MSSoap [08/10/2008|15:24] C:\Arquivos de programas\Arquivos comuns\ODBC [05/04/2009|12:01] C:\Arquivos de programas\Arquivos comuns\Real [08/10/2008|18:30] C:\Arquivos de programas\Arquivos comuns\Servi‡os [01/03/2009|18:25] C:\Arquivos de programas\Arquivos comuns\Skype [09/02/2009|09:13] C:\Arquivos de programas\Arquivos comuns\snp325 [08/10/2008|15:24] C:\Arquivos de programas\Arquivos comuns\SpeechEngines [19/02/2009|22:44] C:\Arquivos de programas\Arquivos comuns\System [14/02/2009|14:18] C:\Arquivos de programas\Arquivos comuns\Windows Live [07/02/2009|17:56] C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller [03/06/2009|12:06] C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard [05/04/2009|12:01] C:\Arquivos de programas\Arquivos comuns\xing shared --------------------\\ Process ( 46 Processes 
) ... OK ! --------------------\\ Procura pelo S_Lop Não foram encontradas pastas com o Lop! --------------------\\ Procura por Arquivos/Ficheiros e pastas do Lop Não foram encontradas pastas com o Lop! --------------------\\ Procura no Registro [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] ..... OK ! --------------------\\ Verificando o Arquivos/Ficheiros Hosts Arquivos/Ficheiros Hosts LIMPO --------------------\\ Procurando Arquivos/Ficheiros ocultos com o Catchme catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-23 19:44:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden files: 0 --------------------\\ Procurando por outras infecções Não foram encontradas outras infecções. [F:1451][D:17]-> C:\DOCUME~1\CLIQUE~1\CONFIG~1\Temp [F:70][D:0]-> C:\DOCUME~1\CLIQUE~1\Cookies [F:109][D:4]-> C:\DOCUME~1\CLIQUE~1\CONFIG~1\TEMPOR~1\content.IE5 1 - "C:\Lop SD\LopR_1.txt" - qui 23/07/2009|19:45 - Option : [2] --------------------\\ Verificação completa em 19:45:38 Malwarebytes' Anti-Malware 1.39 Versão do banco de dados: 2491 Windows 5.1.2600 Service Pack 3 23/7/2009 20:00:00 mbam-log-2009-07-23 (20-00-00).txt Tipo de Verificação: Rápida Objetos verificados: 84982 Tempo decorrido: 3 minute(s), 6 second(s) Processos da Memória infectados: 0 Módulos de Memória Infectados: 0 Chaves do Registro infectadas: 3 Valores do Registro infectados: 0 Ítens do Registro infectados: 0 Pastas infectadas: 0 Arquivos infectados: 1 Processos da Memória infectados: (Nenhum ítem malicioso foi detectado) Módulos de Memória Infectados: (Nenhum ítem malicioso foi detectado) Chaves do Registro infectadas: HKEY_CLASSES_ROOT\AppID\{647d5a4e-78b5-53ed-7e75-1940d1dffea4} (Adware.BHO) -> Quarantined and deleted successfully. 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2c86c605-6081-d104-96f7-f765c20b22f1} (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\ShoppingAdsHelper.dll (Adware.BHO) -> Quarantined and deleted successfully. Valores do Registro infectados: (Nenhum ítem malicioso foi detectado) Ítens do Registro infectados: (Nenhum ítem malicioso foi detectado) Pastas infectadas: (Nenhum ítem malicioso foi detectado) Arquivos infectados: c:\WINDOWS\system32\videocore.dll (Trojan.Vundo) -> Quarantined and deleted successfully. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:03:26, on 23/7/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe D:\Arquivos de Programas\Gravity\RO\nProtect\npkcmsvc.exe C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\Arquivos de programas\IDT\1082008184234\STacSV.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\IDT\WDM\sttray.exe C:\Arquivos de programas\USB Disk Security\USBGuard.exe C:\WINDOWS\FixCamera.exe C:\WINDOWS\tsnp325.exe C:\WINDOWS\vsnp325.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe C:\WINDOWS\sm56hlpr.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\hkcmd.exe 
C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe C:\Arquivos de programas\DNA\btdna.exe C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll (file missing) O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos 
comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll (file missing) O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe O4 - HKLM\..\Run: [uSB Antivirus] C:\Arquivos de programas\USB Disk Security\USBGuard.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe O4 - HKLM\..\Run: [snp325] 
C:\WINDOWS\vsnp325.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Arquivos de programas\DNA\btdna.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows 
Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {60541D7A-4EF1-4117-9607-7C1B0EEAAD18} (Image Uploader Control) - http://iu.ak.sonico.com//ImageUploader.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234038108093 O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - 
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8588D274-BCC0-42C0-A6D0-DF5FA099B6FE}: NameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{B1626DC2-65F4-4E68-BD8D-C97495C33E39}: NameServer = 200.165.132.147,200.165.132.154 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Arquivos de Programas\Gravity\RO\nProtect\npkcmsvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe O23 - Service: Audio Service (STacSV) - IDT, Inc. 
- C:\Arquivos de programas\IDT\1082008184234\STacSV.exe -- End of file - 11428 bytes
Silas Martins Posted July 23, 2009

1. Start the computer in safe mode
2. Run the HijackThis tool;
3. Select the item(s) indicated below:

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll (file missing)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll (file missing)

4. Click the "Fix checked" button;

Restart in normal mode, generate a new HijackThis log and post it in your next reply.

Do you recognize this file? D:\Arquivos de Programas\Gravity\RO\nProtect\npkcmsvc.exe
If you do not recognize it, let me know.

I await your reply.
BlaK Posted July 24, 2009

> Do you recognize this file? D:\Arquivos de Programas\Gravity\RO\nProtect\npkcmsvc.exe
> If you do not recognize it, let me know.
> I await your reply.

I recognize it; it is the anti-hack of LUG's happy game. It seems the CiD is gone; it has not appeared for some time.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:33:26, on 24/7/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe D:\Arquivos de Programas\Gravity\RO\nProtect\npkcmsvc.exe C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\Arquivos de programas\IDT\1082008184234\STacSV.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\IDT\WDM\sttray.exe C:\WINDOWS\System32\alg.exe C:\Arquivos de programas\USB Disk Security\USBGuard.exe C:\WINDOWS\FixCamera.exe C:\WINDOWS\tsnp325.exe C:\WINDOWS\vsnp325.exe C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe C:\WINDOWS\sm56hlpr.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe C:\Arquivos de programas\Avira\AntiVir 
Desktop\avgnt.exe C:\Arquivos de programas\COMODO\COMODO Internet Security\cfp.exe C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe C:\Arquivos de programas\DNA\btdna.exe C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file) O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Skype add-on (mastermind) - 
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe O4 - HKLM\..\Run: [uSB Antivirus] C:\Arquivos de programas\USB Disk Security\USBGuard.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de 
programas\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Arquivos de programas\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Arquivos de programas\DNA\btdna.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet 
Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {60541D7A-4EF1-4117-9607-7C1B0EEAAD18} (Image Uploader Control) - http://iu.ak.sonico.com//ImageUploader.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234038108093 O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab O16 - DPF: 
{F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8588D274-BCC0-42C0-A6D0-DF5FA099B6FE}: NameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{B1626DC2-65F4-4E68-BD8D-C97495C33E39}: NameServer = 200.165.132.147,200.165.132.154 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Arquivos de programas\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Arquivos de Programas\Gravity\RO\nProtect\npkcmsvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Arquivos de programas\IDT\1082008184234\STacSV.exe -- End of file - 11524 bytes
Silas Martins Posted July 24, 2009

Clean log. Does the problem persist? Otherwise, let me know so the topic can be closed.

I await your reply.
BlaK Posted July 24, 2009

Thank you very much for the help. It seems the problem has been solved, since no popup has appeared so far, and I hope it stays that way. Thanks again.
Silas Martins Posted July 24, 2009

PROBLEM SOLVED! If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.