[Arquivado] Análise de Log

[Nildo Júnior 0]

Uso o Windows XP, e desde que eu instalei o Avira Antivir Personal no meu computador, todas as vezes que eu ligo ele, ele detecta o vírus TR/Crypt.XPACK.Gen no diretório C:\WINDOWS\system32\nmdfgds0.dll. Se mando para a quarentena ou mando excluir, logo em seguida a janela aparede de novo e sou obrigado a ignorar a presença do vírus, para que as janelas parem de aparecer. Formatei a unidade C, mas não adiantou, o vírus continua a aparecer.

Outra coisa estranha que observei, é que sempre que eu peço para exibir os arquivos e pastas ocultas, nunca funciona, quando volto na janela, novamente está marcado para não exibir.

 

Abaixo segue o Log do HiJackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:36:02, on 27/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\imapi.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\HiJack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {6EF05952-B48D-4944-AA91-57A6A1A48EF8} - C:\Arquivos de programas\Puxa Rápido\IEBHO.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 5985 bytes

[Silas Martins 0]

Olá Nildo, Por favor siga as instruções abaixo;

 

Importante: não realize nenhum download durante minhas análises;

Não faça uso de ferramentas P2P (como Ares Emule etc);

Só utilize as ferramentas que eu indicar, nunca faça um scan que eu não tenha lhe pedido.

 

Faça download do '>http://dnl-us6.kaspersky-labs.com/devbuilds/AVPTool/"]Kaspersky Removal Tool. Salve em seu desktop (área de trabalho).

• Instale o programa normalmente, seguindo todas as instruções.
• Uma pasta chamada Virus Removal Tool será criada no desktop.
• Na tela principal do programa clique na opção Meu computador, Startup objects, Disk boot sectors e depois clique no botão Scan.
• Seja paciente, o scan pode demorar
• Se ele encontrar alguma infecção abrirá uma janela de alerta clique em skip.
• Após completar tudo, clique no botão Reports... e clique em Save to file.
• Dê um nome para o arquivo e salve numa pasta de sua preferência.
• Feche o resultado clicando no X da janela.
• Logo em seguida feche o programa também clicando no X da janela. Ao fazer isso será questionado se quer desinstalar a ferramenta, clique em No. Poste o conteúdo desse arquivo em sua próxima resposta.

Aguardo retorno

[Nildo Júnior 0]

Segui as instruções acima. Porém o arquivo gerado ficou muito grande (76,9MB) e eu não consegui copiar e colar ele inteiro aqui. Então retirei umas partes da seção Events. Isso será suficiente?

 

Scan

----

Scanned: 677851

Detected: 12

Untreated: 12

Start time: 28/7/2009 12:39:49

Duration: 02:18:29

Finish time: 28/7/2009 14:58:18

 

 

Detected

--------

Status Object

------ ------

detected: Trojan program Trojan-GameThief.Win32.Magania.bajq File: c:\fbak.exe

detected: Trojan program Trojan-GameThief.Win32.Magania.bajq File: d:\fbak.exe

detected: Trojan program Trojan-GameThief.Win32.Magania.bajq File: e:\fbak.exe

detected: Trojan program Trojan-GameThief.Win32.Magania.bajq File: c:\windows\system32\olhrwef.exe

detected: Trojan program Trojan-GameThief.Win32.Magania.baka File: C:\WINDOWS\system32\nmdfgds0.dll

detected: Trojan program Trojan-GameThief.Win32.Magania.baka File: C:\WINDOWS\system32\nmdfgds0.VIR

detected: Trojan program Trojan-GameThief.Win32.Magania.azha File: D:\ej10fkdo.bat

detected: Trojan program Trojan-GameThief.Win32.Magania.axjr File: D:\em8tqm.cmd

detected: virus Worm.Win32.AutoRun.aayn File: D:\jeorels.cmd

detected: Trojan program Trojan-GameThief.Win32.Magania.axgd File: D:\jm3cx96.bat

detected: adware not-a-virus:AdWare.Win32.Gator.3102 File: D:\COMPARTILHADA\Programas\Filme\DivXPro501GAINBundle.exe//Gain_Trickler.exe

detected: Trojan program Trojan-GameThief.Win32.Magania.azha File: E:\ej10fkdo.bat

 

 

Events

------

Time Name Status Reason

---- ---- ------ ------

28/7/2009 12:39:55 File: c:\windows\system32\mmdrv.dll ok scanned

28/7/2009 12:39:55 File: c:\windows\system\timer.drv ok scanned

28/7/2009 12:39:55 File: c:\fbak.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

28/7/2009 12:39:55 File: c:\fbak.exe not disinfected postponed

28/7/2009 12:39:55 File: d:\fbak.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

28/7/2009 12:39:55 File: d:\fbak.exe not disinfected postponed

28/7/2009 12:39:55 File: e:\fbak.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

28/7/2009 12:39:55 File: e:\fbak.exe not disinfected postponed

[...]

28/7/2009 12:41:07 File: c:\windows\system32\olhrwef.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

28/7/2009 12:41:07 File: c:\windows\system32\olhrwef.exe not disinfected postponed

[...]

28/7/2009 12:41:55 File: C:\WINDOWS\system32\nmdfgds0.dll detected Trojan program 'Trojan-GameThief.Win32.Magania.baka'

28/7/2009 12:41:55 File: C:\WINDOWS\system32\nmdfgds0.dll not disinfected postponed

[...]

28/7/2009 13:35:54 File: D:\ej10fkdo.bat detected Trojan program 'Trojan-GameThief.Win32.Magania.azha'

28/7/2009 13:35:54 File: D:\ej10fkdo.bat not disinfected postponed

28/7/2009 13:35:54 File: D:\em8tqm.cmd detected Trojan program 'Trojan-GameThief.Win32.Magania.axjr'

28/7/2009 13:35:54 File: D:\em8tqm.cmd not disinfected postponed

28/7/2009 13:35:54 File: D:\fbak.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

28/7/2009 13:35:54 File: D:\fbak.exe not disinfected postponed

28/7/2009 13:35:55 File: D:\jeorels.cmd detected virus 'Worm.Win32.AutoRun.aayn'

28/7/2009 13:35:55 File: D:\jeorels.cmd not disinfected postponed

28/7/2009 13:35:55 File: D:\jm3cx96.bat detected Trojan program 'Trojan-GameThief.Win32.Magania.axgd'

28/7/2009 13:35:55 File: D:\jm3cx96.bat not disinfected postponed

[...]

28/7/2009 14:13:31 File: D:\COMPARTILHADA\Programas\Filme\DivXPro501GAINBundle.exe//Gain_Trickler.exe detected adware 'not-a-virus:AdWare.Win32.Gator.3102'

28/7/2009 14:13:32 File: D:\COMPARTILHADA\Programas\Filme\DivXPro501GAINBundle.exe//Gain_Trickler.exe not disinfected postponed

[...]

 

 

Statistics

----------

Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted

------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------

All objects 500325 11 11 0 0 3780 1400 2 3

Startup objects 675 4 4 0 0 0 111 0 0

Disk boot sectors 4 0 0 0 0 0 0 0 0

Meu computador 499646 7 7 0 0 3780 1289 2 3

 

 

Settings

--------

Parameter Value

--------- -----

Security Level Recommended

Action Prompt for action when the scan is complete

Run mode Manually

File types Scan all files

Scan only new and changed files No

Scan archives All

Scan embedded OLE objects All

Skip if object is larger than No

Skip if scan takes longer than No

Parse email formats No

Scan password-protected archives No

Enable iChecker technology No

Enable iSwift technology No

Show detected threats on "Detected" tab Yes

Rootkits search Yes

Deep rootkits search No

Use heuristic analyzer Yes

 

 

Quarantine

----------

Status Object Size Added

------ ------ ---- -----

 

 

Backup

------

Status Object Size

------ ------ ----

[Silas Martins 0]

Neutalização/desinfecção

Vá no Kaspersky removal tool que você já baixou e execute as intruções abaixo

• Agora abra a pasta Virus Removal Tool que foi criada no desktop.
• Clique no ícone do Kaspersky cujo nome é Star.
• Feche a pasta Virus Removal Tool.
• Agora localize abaixo o subtítulo Statistics.
• Clique aí...
• Surgira a janela com o resultado do scan feito anteriormente.
• Certifique que a caixa abaixo Show neutralized objetcs, esteja selecionada.
• Clique no botão Neutralize all.
• Ao fazer isto a janela de alerta (e um ruído) irá surgir.
• Clique na caixa Aplly to all.
• Agora clique no botão Desinfect.
• Caso a janela de alerta abra novamente, repita o procedimento.
• Pode acontecer que da opção Desinfect não esteja habilitada, então escolha Delete.
• Pode ser que a ferramenta reinicie seu computador para que alguns malwares sejam deletados.
• Após completar tudo, clique no botão Reports... e clique em Save to file.
• Dê um nome diferente para o arquivo e salve numa pasta de sua preferência.
• Feche o resultado clicando no X da janela.
• Logo em seguida feche o programa também clicando no X da janela. Ao fazer isso será questionado se quer desinstalar a ferramenta, clique em Yes.
• Abrirá um aviso perguntando se quer realmente desinstalar, clique em Sim.
• Por fim será pedido para reiniciar o computador, clique novamente em Sim.
• Poste o conteúdo desse arquivo em sua próxima resposta.

Observação: Caso apareça alguma mensagem pedindo para colocar uma senha, clique no botão "Skip".

 

Aguardo retorno

[Nildo Júnior 0]

Fiz o que pediu acima. O log está abaixo:

 

Scan

----

Scanned: 677851

Detected: 12

Untreated: 0

Start time: 28/7/2009 12:39:49

Duration: 02:18:29

Finish time: 28/7/2009 14:58:18

 

 

Detected

--------

Status Object

------ ------

deleted: Trojan program Trojan-GameThief.Win32.Magania.bajq File: c:\fbak.exe

deleted: Trojan program Trojan-GameThief.Win32.Magania.bajq File: d:\fbak.exe

deleted: Trojan program Trojan-GameThief.Win32.Magania.bajq File: e:\fbak.exe

deleted: Trojan program Trojan-GameThief.Win32.Magania.bajq File: c:\windows\system32\olhrwef.exe

will be deleted when the computer is restarted: Trojan program Trojan-GameThief.Win32.Magania.baka File: C:\WINDOWS\system32\nmdfgds0.dll

deleted: Trojan program Trojan-GameThief.Win32.Magania.baka File: C:\WINDOWS\system32\nmdfgds0.VIR

deleted: Trojan program Trojan-GameThief.Win32.Magania.azha File: D:\ej10fkdo.bat

deleted: Trojan program Trojan-GameThief.Win32.Magania.axjr File: D:\em8tqm.cmd

deleted: virus Worm.Win32.AutoRun.aayn File: D:\jeorels.cmd

deleted: Trojan program Trojan-GameThief.Win32.Magania.axgd File: D:\jm3cx96.bat

deleted: adware not-a-virus:AdWare.Win32.Gator.3102 File: D:\COMPARTILHADA\Programas\Filme\DivXPro501GAINBundle.exe//Gain_Trickler.exe

deleted: Trojan program Trojan-GameThief.Win32.Magania.azha File: E:\ej10fkdo.bat

 

 

Events

------

Time Name Status Reason

---- ---- ------ ------

 

[...]

 

29/7/2009 13:18:47 File: c:\fbak.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:31 File: d:\fbak.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:35 File: d:\fbak.exe backed up

29/7/2009 13:19:35 Startup object: d:\autorun.inf\AutoRun\open disinfected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:35 Startup object: d:\autorun.inf\AutoRun\shell\open\Command disinfected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:35 File: d:\fbak.exe deleted

29/7/2009 13:19:35 File: e:\fbak.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:35 File: e:\fbak.exe backed up

29/7/2009 13:19:35 Startup object: e:\autorun.inf\AutoRun\open disinfected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:35 Startup object: e:\autorun.inf\AutoRun\shell\open\Command disinfected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:35 File: e:\fbak.exe deleted

29/7/2009 13:19:35 File: c:\windows\system32\olhrwef.exe detected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:35 File: c:\windows\system32\olhrwef.exe backed up

29/7/2009 13:19:35 Startup object: HKEY_USERS\S-1-5-21-1659004503-299502267-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\cdoosoft disinfected Trojan program 'Trojan-GameThief.Win32.Magania.bajq'

29/7/2009 13:19:36 File: c:\windows\system32\olhrwef.exe deleted

29/7/2009 13:19:36 File: c:\windows\system32\nmdfgds0.dll detected Trojan program 'Trojan-GameThief.Win32.Magania.baka'

29/7/2009 13:19:36 File: c:\windows\system32\nmdfgds0.dll backed up

29/7/2009 13:19:36 File: c:\windows\system32\nmdfgds0.dll will be deleted on system restart

29/7/2009 13:20:05 File: c:\windows\system32\nmdfgds0.vir detected Trojan program 'Trojan-GameThief.Win32.Magania.baka'

29/7/2009 13:20:05 File: c:\windows\system32\nmdfgds0.vir backed up

29/7/2009 13:20:05 File: c:\windows\system32\nmdfgds0.vir deleted

29/7/2009 13:20:05 File: d:\ej10fkdo.bat detected Trojan program 'Trojan-GameThief.Win32.Magania.azha'

29/7/2009 13:20:05 File: d:\ej10fkdo.bat backed up

29/7/2009 13:20:05 File: d:\ej10fkdo.bat deleted

29/7/2009 13:20:05 File: d:\em8tqm.cmd detected Trojan program 'Trojan-GameThief.Win32.Magania.axjr'

29/7/2009 13:20:05 File: d:\em8tqm.cmd backed up

29/7/2009 13:20:05 File: d:\em8tqm.cmd deleted

29/7/2009 13:20:05 File: d:\jeorels.cmd detected virus 'Worm.Win32.AutoRun.aayn'

29/7/2009 13:20:06 File: d:\jeorels.cmd backed up

29/7/2009 13:20:06 File: d:\jeorels.cmd deleted

29/7/2009 13:20:06 File: d:\jm3cx96.bat detected Trojan program 'Trojan-GameThief.Win32.Magania.axgd'

29/7/2009 13:20:06 File: d:\jm3cx96.bat backed up

29/7/2009 13:20:06 File: d:\jm3cx96.bat deleted

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe archive Vise

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//vise32ex.dll ok scanned

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//English.vlg ok scanned

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//dsetup.dll ok scanned

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//jpeg.dll ok scanned

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//rebootnt.exe ok scanned

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//uninst32.exe ok scanned

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//default.bmp ok scanned

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//divxpro_gain.jpg ok scanned

29/7/2009 13:20:06 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//GAIN Banner.bmp ok scanned

29/7/2009 13:20:14 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//divxdec.ax ok scanned

29/7/2009 13:20:31 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//divx.dll ok scanned

29/7/2009 13:20:31 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//LICENSE.TXT ok scanned

29/7/2009 13:20:31 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//DivX help guide.url ok scanned

29/7/2009 13:20:31 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//DivX.com.url ok scanned

29/7/2009 13:20:31 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//README.txt ok scanned

29/7/2009 13:20:33 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//mp4fil32.dll ok scanned

29/7/2009 13:20:33 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Gain_Trickler.exe detected adware 'not-a-virus:AdWare.Win32.Gator.3102'

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe backed up

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps archive ZIP

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/skin.divl ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/compact.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/fullscreen.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/fullscreenbitmapfont.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/logo.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/main.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/screenshot.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/buttons.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/timebitmapfont.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps/titlebitmapfont.png ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//Default.dps ok scanned

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//DivX Player 2.0 Alpha.exe packed file PE_Patch

29/7/2009 13:20:34 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//DivX Player 2.0 Alpha.exe//PE_Patch ok scanned

29/7/2009 13:20:57 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//DivX Player 2.0 Alpha.exe ok scanned

29/7/2009 13:20:57 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//LICENSE.TXT ok scanned

29/7/2009 13:20:57 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//README.txt ok scanned

29/7/2009 13:20:57 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe//DivX.com.url ok scanned

29/7/2009 13:20:57 File: d:\compartilhada\programas\filme\divxpro501gainbundle.exe deleted

29/7/2009 13:20:57 File: e:\ej10fkdo.bat detected Trojan program 'Trojan-GameThief.Win32.Magania.azha'

29/7/2009 13:20:57 File: e:\ej10fkdo.bat backed up

29/7/2009 13:20:57 File: e:\ej10fkdo.bat deleted

 

 

Statistics

----------

Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted

------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------

 

 

Settings

--------

Parameter Value

--------- -----

Security Level Recommended

Action Prompt for action when the scan is complete

Run mode Manually

File types Scan all files

Scan only new and changed files No

Scan archives All

Scan embedded OLE objects All

Skip if object is larger than No

Skip if scan takes longer than No

Parse email formats No

Scan password-protected archives No

Enable iChecker technology No

Enable iSwift technology No

Show detected threats on "Detected" tab Yes

Rootkits search Yes

Deep rootkits search No

Use heuristic analyzer Yes

 

 

Quarantine

----------

Status Object Size Added

------ ------ ---- -----

 

 

Backup

------

Status Object Size

------ ------ ----

Infected: Trojan program Trojan-GameThief.Win32.Magania.azha d:\ej10fkdo.bat 106,3 KB

Infected: Trojan program Trojan-GameThief.Win32.Magania.bajq e:\fbak.exe 105,5 KB

Infected: Trojan program Trojan-GameThief.Win32.Magania.bajq d:\fbak.exe 105,5 KB

Infected: Trojan program Trojan-GameThief.Win32.Magania.bajq c:\fbak.exe 105,5 KB

Infected: Trojan program Trojan-GameThief.Win32.Magania.axgd d:\jm3cx96.bat 109,6 KB

Infected: virus Worm.Win32.AutoRun.aayn d:\jeorels.cmd 103,7 KB

Infected: Trojan program Trojan-GameThief.Win32.Magania.baka c:\windows\system32\nmdfgds0.vir 90,5 KB

Infected: Trojan program Trojan-GameThief.Win32.Magania.bajq c:\windows\system32\olhrwef.exe 105,5 KB

Infected: adware not-a-virus:AdWare.Win32.Gator.3102 d:\compartilhada\programas\filme\divxpro501gainbundle.exe 3 MB

Infected: Trojan program Trojan-GameThief.Win32.Magania.azha e:\ej10fkdo.bat 106,3 KB

Infected: Trojan program Trojan-GameThief.Win32.Magania.axjr d:\em8tqm.cmd 107,1 KB

Infected: Trojan program Trojan-GameThief.Win32.Magania.baka c:\windows\system32\nmdfgds0.dll 90,5 KB

[Silas Martins 0]

Baixe o Malwarebytes'>http://www.besttechie.net/tools/mbam-setup.exe"]Malwarebytes Anti-Malware

 

 

* Inicie a instalação clique em "mbam-setup.exe";

* Marque "Atualizar Malwarebytes Anti-Malware" e "Executar Malwarebytes Anti-Malware", e clique em concluir.

* Marque "Verificação Completa" e depois clique em Verificar.

* Quando o scan terminar, clique em Ok e em "Mostrar Resultados" para ver o log;

* Se algo for detectado, veja se tudo está marcado e clique em "Remover";

* O log é automaticamente gravado e pode ser consultado clicando em "Logs" do menu principal;

* Copie e cole esse log, juntamente com o novo log do hijacktihis .

Aguado o retorno.

[Nildo Júnior 0]

Boa tarde. Segui as instruções os logs estão abaixo:

 

Malwarebytes' Anti-Malware 1.39

Versão do banco de dados: 2421

Windows 5.1.2600 Service Pack 2

 

30/7/2009 14:01:13

mbam-log-2009-07-30 (14-01-13).txt

 

Tipo de Verificação: Completa (C:\|D:\|E:\|)

Objetos verificados: 167059

Tempo decorrido: 35 minute(s), 48 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 0

Valores do Registro infectados: 0

Ítens do Registro infectados: 1

Pastas infectadas: 0

Arquivos infectados: 56

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

(Nenhum ítem malicioso foi detectado)

 

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Ítens do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP111\A0147212.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP112\A0147226.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP112\A0147278.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP112\A0148425.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP114\A0161243.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP114\A0163242.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP115\A0167514.cmd (Trojan.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP117\A0173193.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP119\A0178264.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP119\A0181302.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP120\A0182367.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP121\A0184555.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP121\A0187835.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP122\A0187850.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP122\A0189855.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP123\A0191129.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP123\A0192314.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP123\A0192336.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP125\A0194505.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP128\A0199898.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP128\A0199989.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP128\A0200142.exe (Trojan.Agent) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP129\A0200211.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP92\A0099077.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP92\A0099105.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP93\A0100309.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP93\A0102376.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP94\A0104607.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP94\A0104674.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP94\A0104714.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP94\A0104781.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP95\A0105891.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP96\A0105964.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP96\A0107958.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP97\A0112584.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003077.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003064.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003067.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003072.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003073.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003078.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003079.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003080.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003084.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003089.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003090.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP22\A0003092.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP35\A0015023.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP35\A0015024.cmd (Trojan.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP35\A0015026.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP38\A0017230.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP38\A0017231.cmd (Trojan.OnlineGames) -> Quarantined and deleted successfully.

d:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP38\A0017233.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

e:\system volume information\_restore{51d6452f-29d7-4b41-ae40-bb03bbfdd40f}\RP129\A0200213.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

e:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP35\A0015028.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

e:\system volume information\_restore{bac5b801-ed5e-457e-8565-4ad3fca6852c}\RP38\A0017235.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:05:57, on 30/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HiJack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {6EF05952-B48D-4944-AA91-57A6A1A48EF8} - C:\Arquivos de programas\Puxa Rápido\IEBHO.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 6170 bytes

[Silas Martins 0]

 

Baixe o ComboFix em:

ComboFix'>http://download.bleepingcomputer.com/sUBs/ComboFix.exe"]ComboFix

(Link alternativodo ComboFix.exe'>http://www.baixa.la/arquivo/2867097"]ComboFix.exe)

 

1) Desabilite o seu anti-vírus temporariamente;

 

2) Dê um duplo-clique no combofix.exe e aguarde (o processo total demora cerca de 10 minutos);

 

3) A janela de "NEGAÇÃO DE GARANTIA DO SOFTWARE" abrir-se-á. Leia atentamente o texto contido nesta janela e clique sobre "SIM" para continuar.

 

PS.: Caso não concorde com os termos clique sobre "NÃO" para sair do software, cabendo lembrar que o processo de desinfecção não será possível sem a continuidade do ComboFix.

 

4) Outra janela irá abrir, caso a sua máquina não possua o CONSOLE DE RECUPERAÇÃO DO WINDOWS. É recomendável executar a instalação do console ante de dar continuidade ao processo, pois tal ação proporcionará a garantia de que o sistema poderá ser recuperado em caso de problemas durante a varredura.

 

Clique sobre "SIM" e aguarde, pois o processo de instalação do console dar-se-á automaticamente através do próprio ComboFix. Ele poderá demorar alguns minutos (dependerá da velocidade de sua conexão), portanto seja paciente.

 

Quando a janela "INSTALANDO O CONSOLE DE RECUPERAÇÃO" aparecer clique em "OK", depois clique sobre "SIM" para aceitar a licença EULA.

 

Ao término da instalação do console de recuperação abrir-se-á uma janela avisando que "O CONSOLE DE RECUPERAÇÃO FOI INSTALADA COM SUCESSO".

 

Clique sobre "SIM" para continuar a varredura.

 

5) O ComboFix iniciará o AUTOSCAN (aguarde).

 

ATENÇÃO: Não clique na janela do ComboFix, nem termine o processo abruptamente enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco).

 

Ao término do processo a máquina será reiniciada para a emissão do relatório.

 

6) Ao reiniciar a máquina o ComboFix irá executar o FIND3M para a criação do relatório final da varredura. O log ficará alocado em C:\ComboFix.txt.

 

7) Reabilite o seu anti-vírus;

 

8) Preciso que você cole o conteúdo do ComboFix.txt e do novo log Hijackthis em sua próxima resposta.

 

OBS.1: Caso apareça uma mensagem avisando que ESTE NÃO É UM APLICATIVO WIN 32 VÁLIDO baixe o ComboFix novamente, mas salve-o em seu Desktop como KomboFix. Em último caso, tente utilizar o ComboFix em MODO SEGURO.

 

OBS.2: Caso haja um clique sobre a janela do ComboFix em execução, ela irá MAXIMIZAR, sobrepondo-se sobre as demais. Para minimizá-la novamente basta utilizar a combinação ALT + TAB.

 

Aguardo retorno

[Nildo Júnior 0]

Log do ComboFix:

ComboFix 09-07-29.04 - Usuário 31/07/2009 12:15.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1023.669 [GMT -3:00]

Executando de: c:\documents and settings\Usuário\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\autorun.inf

D:\Autorun.inf

E:\Autorun.inf

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-06-28 to 2009-07-31 ))))))))))))))))))))))))))))

.

 

2009-07-31 03:23 . 2009-02-09 11:50 2061952 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-07-31 03:23 . 2009-02-09 11:50 2019840 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-07-31 03:23 . 2009-02-09 11:50 2184704 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-07-31 03:23 . 2009-02-09 11:50 2140160 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-07-30 23:46 . 2009-07-30 23:46 -------- d-----w- c:\arquivos de programas\Windows Live

2009-07-30 15:07 . 2009-07-13 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-30 15:07 . 2009-07-30 15:07 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-07-30 15:07 . 2009-07-30 15:07 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2009-07-30 15:07 . 2009-07-13 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-30 02:54 . 2006-03-18 08:00 22608 ----a-r- c:\windows\system32\drivers\usbprint.sys

2009-07-28 19:27 . 2009-07-28 19:27 -------- d-----w- c:\arquivos de programas\MSXML 4.0

2009-07-28 15:38 . 2009-07-29 16:28 9621536 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-07-27 19:49 . 2009-07-31 14:41 -------- d-----w- c:\arquivos de programas\Puxa Rápido

2009-07-27 15:10 . 2008-10-16 17:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-07-27 15:10 . 2008-10-16 17:06 208744 ----a-w- c:\windows\system32\muweb.dll

2009-07-27 03:58 . 2009-07-27 04:00 164352 ----a-w- c:\windows\system32\SpoonUninstall.exe

2009-07-27 03:43 . 2009-07-27 03:43 -------- d-----w- c:\windows\Sun

2009-07-26 20:47 . 2009-07-26 22:09 -------- dcsh--w- c:\arquivos de programas\Arquivos comuns\WindowsLiveInstaller

2009-07-26 20:46 . 2009-07-30 23:59 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\WLInstaller

2009-07-26 14:03 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-07-25 18:30 . 2009-07-25 18:30 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\CyberLink

2009-07-25 17:44 . 2008-06-14 17:59 272384 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-07-25 17:44 . 2008-06-14 17:59 272384 ------w- c:\windows\system32\drivers\bthport.sys

2009-07-24 20:34 . 2009-07-24 20:34 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Windows Live

2009-07-24 19:34 . 2009-07-30 17:05 -------- d-----w- C:\HiJack

2009-07-24 18:53 . 2009-07-24 20:05 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NOS

2009-07-24 18:53 . 2009-07-24 20:05 -------- d-----w- c:\arquivos de programas\NOS

2009-07-16 17:11 . 2009-07-16 17:11 -------- d-----w- c:\arquivos de programas\FormatFactory

2009-07-15 22:25 . 2009-07-15 22:25 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NVIDIA

2009-07-15 22:24 . 2009-07-15 22:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\nView_Profiles

2009-07-14 18:19 . 2009-07-15 22:46 -------- d-----w- c:\arquivos de programas\eclipse

2009-07-13 23:39 . 2001-02-12 17:56 45568 ----a-w- c:\windows\UniFish3.exe

2009-07-12 19:06 . 2009-07-12 19:06 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\FLEXnet

2009-07-12 18:57 . 2009-07-12 18:57 -------- d-----w- c:\arquivos de programas\Bonjour

2009-07-12 18:36 . 2009-07-12 18:36 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macrovision Shared

2009-07-12 18:29 . 2004-08-04 02:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2009-07-09 22:57 . 2009-07-09 22:57 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Corel

2009-07-09 22:56 . 2009-07-09 22:56 -------- d-----w- c:\arquivos de programas\Corel

2009-07-09 22:51 . 2004-03-22 06:17 24816 ----a-w- c:\windows\system32\mdimon.dll

2009-07-09 22:48 . 2009-07-09 22:50 -------- d-----w- c:\windows\SHELLNEW

2009-07-09 22:45 . 2009-07-12 18:57 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2009-07-09 22:25 . 2009-07-09 22:25 -------- d-----w- c:\windows\system32\pt-br

2009-07-09 22:23 . 2009-07-31 03:28 -------- d--h--w- c:\windows\$hf_mig$

2009-07-09 22:22 . 2004-08-04 03:45 25600 ----a-w- c:\documents and settings\LocalService\Dados de aplicativos\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2009-07-09 22:17 . 2004-08-04 03:45 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-07-09 22:16 . 2009-07-09 22:16 -------- d-----w- c:\arquivos de programas\Windows Media Connect 2

2009-07-09 22:15 . 2009-07-09 22:16 -------- d-----w- c:\windows\system32\drivers\UMDF

2009-07-09 22:15 . 2009-07-09 22:15 -------- d-----w- c:\windows\system32\LogFiles

2009-07-09 22:05 . 2009-07-09 22:05 -------- d-----w- c:\arquivos de programas\IObit

2009-07-09 22:04 . 2009-07-09 22:04 -------- d-----w- c:\arquivos de programas\Arquivos comuns\xing shared

2009-07-09 22:04 . 2009-07-09 22:04 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Real

2009-07-09 22:04 . 2009-07-09 22:04 -------- d-----w- c:\arquivos de programas\Real

2009-07-09 22:00 . 2009-07-09 22:01 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Ahead

2009-07-09 22:00 . 2009-07-09 22:00 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Nero

2009-07-09 22:00 . 2009-07-09 22:00 -------- d-----w- c:\arquivos de programas\Nero

2009-07-09 21:57 . 2009-07-09 21:57 -------- d-----w- c:\arquivos de programas\Java

2009-07-09 21:57 . 2009-07-09 21:57 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2009-07-09 21:55 . 2009-02-13 17:22 95576 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-07-09 21:55 . 2009-02-13 14:31 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-09 21:55 . 2009-02-13 14:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-07-09 21:55 . 2009-02-13 14:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-07-09 21:55 . 2009-07-09 21:55 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira

2009-07-09 21:55 . 2009-07-09 21:55 -------- d-----w- c:\arquivos de programas\Avira

2009-07-09 21:51 . 2001-03-08 21:30 24064 ------w- c:\windows\system32\msxml3a.dll

2009-07-09 21:51 . 2009-07-09 22:04 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-07-09 21:51 . 2009-07-09 22:04 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-07-09 21:50 . 2009-07-09 21:51 -------- d-----w- c:\arquivos de programas\CyberLink

2009-07-09 21:49 . 2007-04-04 21:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll

2009-07-09 21:49 . 2007-04-04 21:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll

2009-07-09 21:49 . 2007-03-15 19:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll

2009-07-09 21:49 . 2007-03-12 19:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll

2009-07-09 21:47 . 2009-07-09 22:10 -------- d-----w- c:\windows\nview

2009-07-09 21:47 . 2007-05-21 07:32 208896 ----a-w- c:\windows\system32\nvudisp.exe

2009-07-09 21:47 . 2006-08-16 20:55 208896 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-07-08 21:16 . 2009-07-08 21:16 -------- d-----w- c:\windows\system32\Attansic

2009-07-08 21:16 . 2006-10-31 05:50 28416 ----a-r- c:\windows\system32\drivers\atl02_xp.sys

2009-07-08 21:16 . 2009-07-08 21:16 -------- d-----w- c:\arquivos de programas\Attansic

2009-07-08 21:14 . 2009-07-08 21:14 -------- d-----w- c:\windows\system32\Lang

2009-07-08 21:12 . 2007-01-30 10:54 16116224 ------r- c:\windows\RTHDCPL.exe

2009-07-08 21:12 . 2006-10-11 09:42 2157568 ------r- c:\windows\MicCal.exe

2009-07-08 21:12 . 2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

2009-07-08 21:12 . 2006-05-04 08:26 2808832 ------r- c:\windows\alcwzrd.exe

2009-07-08 21:12 . 2009-07-08 21:12 -------- d-----w- c:\arquivos de programas\Realtek

2009-07-08 21:12 . 2009-07-09 22:57 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2009-07-08 21:12 . 2009-07-08 21:12 315392 ----a-w- c:\windows\HideWin.exe

2009-07-08 21:12 . 2007-01-12 08:54 520192 ------r- c:\windows\RtlExUpd.dll

2009-07-08 21:12 . 2009-07-09 22:56 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2009-07-08 21:11 . 2009-07-08 21:11 -------- d-----w- c:\windows\ASUSInstAll

2009-07-08 21:09 . 2009-07-08 21:09 -------- d-----w- c:\arquivos de programas\Intel

2009-07-08 21:08 . 2004-08-13 02:56 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys

2009-07-08 21:08 . 2006-10-10 11:33 10288 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS

2009-07-08 21:05 . 2009-07-31 13:16 -------- d-----w- c:\documents and settings\Usuário

2009-07-08 21:00 . 2004-08-04 03:45 27136 -c--a-w- c:\windows\system32\dllcache\iscomlog.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-31 12:55 . 2001-09-28 12:00 48846 ----a-w- c:\windows\system32\perfc016.dat

2009-07-31 12:55 . 2001-09-28 12:00 344734 ----a-w- c:\windows\system32\perfh016.dat

2009-07-29 16:28 . 2009-07-28 15:38 115916 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-07-16 00:44 . 2009-07-08 20:59 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-07-08 20:59 . 2009-07-08 20:59 -------- d-----w- c:\arquivos de programas\microsoft frontpage

2009-07-08 20:58 . 2009-07-08 20:58 -------- d-----w- c:\arquivos de programas\Serviços on-line

2009-07-08 20:57 . 2009-07-08 20:57 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Serviços

2009-07-08 20:56 . 2009-07-08 20:56 21844 ----a-w- c:\windows\system32\emptyregdb.dat

2009-06-16 14:54 . 2004-08-04 03:45 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:54 . 2001-09-28 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:26 . 2004-08-04 03:45 1295360 ----a-w- c:\windows\system32\quartz.dll

2009-05-07 15:43 . 2004-08-04 03:45 345600 ----a-w- c:\windows\system32\localspl.dll

.

 

------- Sigcheck -------

 

[-] 2004-08-04 03:45 14336 5DE3E7B6F7624552F2F06664F110820D c:\windows\system32\svchost.exe

[-] 2004-08-04 03:45 14336 5DE3E7B6F7624552F2F06664F110820D c:\windows\system32\dllcache\svchost.exe

 

[-] 2004-08-04 03:45 577536 E0FF28447D1038DE106D1F2FDF851647 c:\windows\system32\user32.dll

[-] 2004-08-04 03:45 577536 E0FF28447D1038DE106D1F2FDF851647 c:\windows\system32\dllcache\user32.dll

 

[-] 2004-08-04 03:45 82944 A5163442377D3C305BBFF612F80047D7 c:\windows\system32\ws2_32.dll

[-] 2004-08-04 03:45 82944 A5163442377D3C305BBFF612F80047D7 c:\windows\system32\dllcache\ws2_32.dll

 

[-] 2004-08-04 03:45 658432 398A619CE60090303042D1F8CC68F712 c:\windows\ie7\wininet.dll

[-] 2007-08-13 21:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\system32\wininet.dll

[-] 2007-08-13 21:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\system32\dllcache\wininet.dll

 

[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2004-08-04 02:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\SoftwareDistribution\Download\abc8d424bc7438e463cef8a2ec1c00e4\sp2gdr\tcpip.sys

[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\SoftwareDistribution\Download\abc8d424bc7438e463cef8a2ec1c00e4\sp2qfe\tcpip.sys

[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\SoftwareDistribution\Download\abc8d424bc7438e463cef8a2ec1c00e4\sp3gdr\tcpip.sys

[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\SoftwareDistribution\Download\abc8d424bc7438e463cef8a2ec1c00e4\sp3qfe\tcpip.sys

[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

 

[-] 2004-08-04 03:45 504320 6F7BDE7A1126DEBF0CC359A54953EFC1 c:\windows\system32\winlogon.exe

[-] 2004-08-04 03:45 504320 6F7BDE7A1126DEBF0CC359A54953EFC1 c:\windows\system32\dllcache\winlogon.exe

 

[-] 2004-08-04 02:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys

[-] 2004-08-04 02:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

 

[-] 2004-08-04 02:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\dllcache\ip6fw.sys

[-] 2004-08-04 02:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

 

[-] 2004-08-04 03:45 1034240 FA61A19050AE14BEC1A26DE82390DD65 c:\windows\explorer.exe

[-] 2004-08-04 03:45 1034240 FA61A19050AE14BEC1A26DE82390DD65 c:\windows\system32\dllcache\explorer.exe

 

[-] 2004-08-04 03:45 13312 35C6463B3C5F62D2B20C953B6E1538E9 c:\windows\system32\lsass.exe

[-] 2004-08-04 03:45 13312 35C6463B3C5F62D2B20C953B6E1538E9 c:\windows\system32\dllcache\lsass.exe

 

[-] 2004-08-04 03:45 15360 F40BC97996B8E53799EEF1D63996674B c:\windows\system32\ctfmon.exe

[-] 2004-08-04 03:45 15360 F40BC97996B8E53799EEF1D63996674B c:\windows\system32\dllcache\ctfmon.exe

 

[-] 2004-08-04 03:45 57856 3971289FA7072812CAF4D053BBC6352B c:\windows\system32\spoolsv.exe

[-] 2004-08-04 03:45 57856 3971289FA7072812CAF4D053BBC6352B c:\windows\system32\dllcache\spoolsv.exe

 

[-] 2004-08-04 03:45 24576 4CA695EC1EE4C7CF2144DFA00EA0E1F7 c:\windows\system32\userinit.exe

[-] 2004-08-04 03:45 24576 4CA695EC1EE4C7CF2144DFA00EA0E1F7 c:\windows\system32\dllcache\userinit.exe

 

[-] 2004-08-04 03:45 296960 23DFF6DAA7565CC5802E057A6B9F585E c:\windows\system32\termsrv.dll

[-] 2004-08-04 03:45 296960 23DFF6DAA7565CC5802E057A6B9F585E c:\windows\system32\dllcache\termsrv.dll

 

[-] 2004-08-04 03:45 17408 0F81EB414DE1D77DD315F4A3D324BC1E c:\windows\system32\powrprof.dll

[-] 2004-08-04 03:45 17408 0F81EB414DE1D77DD315F4A3D324BC1E c:\windows\system32\dllcache\powrprof.dll

 

[-] 2004-08-04 03:45 110080 602B88592E0690D0DFB5E5F44A9EF820 c:\windows\system32\imm32.dll

[-] 2004-08-04 03:45 110080 602B88592E0690D0DFB5E5F44A9EF820 c:\windows\system32\dllcache\imm32.dll

 

[-] 2004-08-04 03:45 172032 2E131621557A6EF486FC86D738CBC8B6 c:\windows\system32\appmgmts.dll

[-] 2004-08-04 03:45 172032 2E131621557A6EF486FC86D738CBC8B6 c:\windows\system32\dllcache\appmgmts.dll

 

[-] 2004-08-04 03:39 25088 7FC1E330386610D5EB3E7C4C7893CA93 c:\windows\system32\drivers\kbdclass.sys

 

[-] 2004-08-04 03:45 821760 FB93B504600DA3EC407ED0252EEF97AB c:\windows\system32\comres.dll

[-] 2004-08-04 03:45 821760 FB93B504600DA3EC407ED0252EEF97AB c:\windows\system32\dllcache\comres.dll

 

[-] 2004-08-04 03:45 22016 CFFC7F8E8F898BE4561887EF301F8BF3 c:\windows\system32\lpk.dll

[-] 2004-08-04 03:45 22016 CFFC7F8E8F898BE4561887EF301F8BF3 c:\windows\system32\dllcache\lpk.dll

 

[-] 2001-09-28 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys

[-] 2001-09-28 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys

 

[-] 2001-09-28 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\dllcache\null.sys

[-] 2001-09-28 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

 

[-] 2004-08-04 01:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\system32\dllcache\aec.sys

[-] 2004-08-04 01:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\system32\drivers\aec.sys

 

[-] 2001-09-28 12:00 924432 168C72C281EC3BE3201AC95F42A577CF c:\windows\system32\mfc40u.dll

[-] 2001-09-28 12:00 924432 168C72C281EC3BE3201AC95F42A577CF c:\windows\system32\dllcache\mfc40u.dll

 

[-] 2004-08-04 03:45 33792 0B572FBB16E7E10D7DAB749CD390017C c:\windows\system32\msgsvc.dll

[-] 2004-08-04 03:45 33792 0B572FBB16E7E10D7DAB749CD390017C c:\windows\system32\dllcache\msgsvc.dll

 

[-] 2004-08-04 03:45 611328 021631D9D0729D9E52300CCEACE4F054 c:\windows\system32\comctl32.dll

[-] 2004-08-04 03:45 611328 021631D9D0729D9E52300CCEACE4F054 c:\windows\system32\dllcache\comctl32.dll

[-] 2001-09-28 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

[-] 2004-08-04 03:44 1050624 3680CF24C64348BFDC89E290790398E7 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

 

[-] 2001-09-28 12:00 11904 EBD5CF43AD9526EAB9B2A15A54760EA9 c:\windows\system32\drivers\acpiec.sys

 

[-] 2004-08-04 03:45 5120 FA7EE4A359AE09930904881982D22AB8 c:\windows\system32\sfc.dll

[-] 2004-08-04 03:45 5120 FA7EE4A359AE09930904881982D22AB8 c:\windows\system32\dllcache\sfc.dll

 

[-] 2004-08-04 03:45 407040 82777C1BE8E9F0B1574DAC5BC29C7D6F c:\windows\system32\netlogon.dll

[-] 2004-08-04 03:45 407040 82777C1BE8E9F0B1574DAC5BC29C7D6F c:\windows\system32\dllcache\netlogon.dll

 

[-] 2004-08-04 03:45 171008 0B1D7BF8EB2BC685D154CB925F3629CB c:\windows\system32\srsvc.dll

[-] 2004-08-04 03:45 171008 0B1D7BF8EB2BC685D154CB925F3629CB c:\windows\system32\dllcache\srsvc.dll

 

[-] 2004-08-04 03:45 437248 BC0F28B3C2AB6ACDA3361721442E4CB7 c:\windows\system32\ntmssvc.dll

[-] 2004-08-04 03:45 437248 BC0F28B3C2AB6ACDA3361721442E4CB7 c:\windows\system32\dllcache\ntmssvc.dll

 

[-] 2004-08-04 03:45 89088 0E5B060277525AA68995EB492FD5CBF3 c:\windows\system32\rasauto.dll

[-] 2004-08-04 03:45 89088 0E5B060277525AA68995EB492FD5CBF3 c:\windows\system32\dllcache\rasauto.dll

 

[-] 2004-08-04 03:45 1548288 1DD4FC7EEE3A45257528A34FDF7BC689 c:\windows\system32\sfcfiles.dll

[-] 2004-08-04 03:45 1548288 1DD4FC7EEE3A45257528A34FDF7BC689 c:\windows\system32\dllcache\sfcfiles.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 1667584]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-21 7630848]

"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2009-07-09 185872]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-01-30 16116224]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-21 1519616]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"c:\\Arquivos de programas\\eclipse\\eclipse.exe"=

"c:\\Arquivos de programas\\Puxa Rápido\\PuxaRapido.exe"=

 

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [9/7/2009 18:55 108289]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.uol.com.br/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {28D1B74F-39B0-4A9C-ADC3-572763B579ED} = 200.221.11.101 200.147.255.100

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-31 12:17

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2009-07-31 12:18

ComboFix-quarantined-files.txt 2009-07-31 15:18

 

Pré-execução: 7.320.653.824 bytes disponíveis

Pós execução: 7.295.533.056 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

257 --- E O F --- 2009-07-31 03:29

 

Log do HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:23:06, on 31/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HiJack\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {6EF05952-B48D-4944-AA91-57A6A1A48EF8} - C:\Arquivos de programas\Puxa Rápido\IEBHO.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 5722 bytes

[Silas Martins 0]

1º Etapa

 

Faça o download do '>http://renatomejias.nwmogi.com.br/PenClean/PenClean.zip"]PenClean e salve no seu desktop.

• Execute o programa.
• Veja se a opção Log sup esteja selecionada.
• Caso queira vacinar, marque a opção vacinar, o Penclean irá adicionar uma pasta chamada autorun.inf nas unidades(isto ira evitar novas infecções).
• Selecione a opção Verificar o computador e clique no botão Verificar.<<Aguarde alguns instantes, o exame é bem rápido>>
• Será informa se algo foi encontrado, se for encontrado será pedido para reiniciar, clique em Sim. O computador será reiniciado.
• Poste o relatório do PenClean que estará em C:\PenClean\PenClean.txt

2ª Etapa

 

Temporariamente desactive o seu anti-virus! - Veja'>http://forum.imasters.com.br/index.php?/topic/323876-desabilitar-temporariamente-o-programa-de-seguranca/"]Veja como desativar seu antivirus

 

Faça um Online Scan em '>http://www.kaspersky.com/virusscanner"]kaspersky Virusscanner

• Clique em
• Quando questionando para instalar o ActiveX, clique
• Aguarde a instalação e a actualização e depois clique em
• Clique agora em
• Nas opções do scan (settings), certifique-se que as entradas abaixo estão selecionadas:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)

• Scan Options:

• Scan Archives
  Scan Mail Bases

[*]Clique [*]Clique em My Computer para que seja feito um Scan completo no seu Sistema.[*]Será inciaido o scan e poderá demorar um pouco. Seja paciente e aguarde.[*]No final do Scan, clique no botão Save as Text[*]Salve o log com os resultados e cole o conteúdo na sua próxima mensagem.[*]Gere e cole também um novo log do HijackThis.

Caso o log fique extenso demais faça um upload dele no site http://www.baixa.la/'>http://www.baixa.la/"]http://www.baixa.la/ e poste o link junto com os log's do Hijackthis e penclean

 

Aguardo retorno

[Mário Monteiro 179]

Tópico Arquivado

 

Como o autor não respondeu por mais de 30 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.