[Resolvido!] Virus e Malware em netbook

[EGH 0]

Olá

 

Tenho um netbook Asus EEEpc que está com uma infecção.

 

Seguem abaixo os logs do combofix e do hijackthis

 

obrigado desde já

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 02:11:52, on 27/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

c:\ARQUIV~1\GbPlugin\GbpSv.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\spoolsv.exe

c:\Arquivos de programas\Java\jre6\bin\jqs.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

D:\WINDOWS\system32\wbem\wmiapsrv.exe

D:\WINDOWS\system32\wuauclt.exe

D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

E:\nfqh.exe

E:\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - c:\Arquivos de programas\GbPlugin\gbiehcef.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Advanced DHTML Enable] D:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\238.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://D:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233346427359

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginCef - c:\Arquivos de programas\GbPlugin\gbiehcef.dll

O23 - Service: Gbp Service (GbpSv) - - c:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - c:\Arquivos de programas\Java\jre6\bin\jqs.exe

 

--

End of file - 4820 bytes

 

 

 

 

 

 

 

 

ComboFix 09-07-20.05 - Administrador 27/07/2009 2:15.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2039.1717 [GMT -3:00]

Executando de: E:\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

D:\DELTREE.EXE

d:\recycler\S-1-5-21-5199901796-1337845913-275803712-5118

d:\recycler\S-1-5-21-6249050863-9699732478-535716143-0302

d:\recycler\S-1-5-21-7451556510-2704140153-179675921-3688

d:\windows\system32\msconfig.exe

 

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_DAC970NT

-------\Service_dac970nt

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-06-27 to 2009-07-27 ))))))))))))))))))))))))))))

.

 

2009-07-27 05:21 . 2009-07-27 05:21 -------- d-----w- d:\windows\system32\xircom

2009-07-27 05:21 . 2009-07-27 05:21 -------- d-----w- d:\windows\system32\wbem\snmp

2009-07-25 19:02 . 2009-07-26 04:31 198688 --sha-w- d:\windows\system32\drivers\fidbox.dat

2009-07-15 15:43 . 2009-07-15 15:43 -------- d-----w- d:\documents and settings\Administrador\Dados de aplicativos\TrueCrypt

2009-07-15 15:43 . 2009-07-15 15:43 217664 ----a-w- d:\windows\system32\drivers\truecrypt.sys

2009-07-15 15:43 . 2009-07-15 15:43 -------- d-----w- c:\arquivos de programas\TrueCrypt

2009-07-15 02:21 . 2009-07-15 02:23 -------- d-----w- d:\documents and settings\Administrador\Dados de aplicativos\Gmail Backup

2009-07-14 23:23 . 2009-07-14 23:23 -------- d-----w- c:\arquivos de programas\KLC

2009-07-14 23:21 . 1996-11-08 05:48 368912 ----a-w- d:\windows\system32\vbar332.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-27 05:21 . 2009-07-27 05:21 -------- d-----w- c:\arquivos de programas\microsoft frontpage

2009-07-26 04:31 . 2009-07-25 19:02 4448 --sha-w- d:\windows\system32\drivers\fidbox.idx

2009-07-26 00:10 . 2004-08-04 03:45 412672 ----a-w- d:\windows\system32\zipfldr.dll

2009-07-25 21:08 . 2004-08-04 03:45 111104 ----a-w- d:\windows\system32\rundll32.exe

2009-07-25 21:03 . 2004-08-04 03:45 113152 ----a-w- d:\windows\system32\grpconv.exe

2009-07-25 21:03 . 2004-08-04 03:45 478208 ----a-w- d:\windows\system32\cmd.exe

2009-07-25 19:00 . 2004-08-04 03:45 1116160 ----a-w- d:\windows\explorer.exe

2009-07-15 15:35 . 2009-02-12 02:01 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-07-15 13:22 . 2009-02-12 02:01 -------- d-----w- c:\arquivos de programas\GbPlugin

2009-07-15 02:01 . 2001-10-28 14:07 49044 ----a-w- d:\windows\system32\perfc016.dat

2009-07-15 02:01 . 2001-10-28 14:07 344972 ----a-w- d:\windows\system32\perfh016.dat

2009-07-15 01:58 . 2009-02-08 20:29 -------- d-----w- d:\documents and settings\Administrador\Dados de aplicativos\BitTorrent

2009-06-21 20:58 . 2009-06-21 20:58 21564 ---ha-w- d:\windows\system32\mlfcache.dat

2009-06-19 15:48 . 2009-06-19 15:48 -------- d-----w- c:\arquivos de programas\Google

2009-06-05 19:12 . 2009-06-05 19:12 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight

2009-05-13 07:13 . 2009-02-12 02:01 26568 ----a-w- d:\windows\system32\drivers\gbpkm.sys

2009-05-09 13:56 . 2009-05-09 13:56 56 ---ha-w- d:\windows\system32\ezsidmv.dat

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- d:\windows\system32\GPhotos.scr

.

 

------- Sigcheck -------

 

[-] 2009-07-25 19:00 1116160 29A59DE550FE950862E02EDBE89CC505 d:\windows\explorer.exe

[-] 2008-04-14 02:20 1035776 064EC7FF5F58B928C3E119402977FA6D d:\windows\SoftwareDistribution\Download\286c254ee4e7710365274c10a063b3f3\explorer.exe

 

[-] 2008-04-14 02:20 15360 4E486ADFE3A0B9ED0EB0639902E9F64F d:\windows\SoftwareDistribution\Download\286c254ee4e7710365274c10a063b3f3\ctfmon.exe

[-] 2004-08-04 03:45 117760 E86EB31E2C5EFE2F61AF101190E72E5A d:\windows\system32\ctfmon.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 117760]

"msnmsgr"="c:\arquivos de programas\MSN Messenger\msnmsgr.exe" [2009-07-26 6930432]

"Google Update"="d:\documents and settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-07-25 210928]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-04 117760]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\arquivos de programas\GbPlugin\gbiehcef.dll" [2009-05-13 286792]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]

2009-05-13 12:19 286792 ----a-w- c:\arquivos de programas\GbPlugin\gbiehcef.dll

 

A chave SafeBoot necessita de ser reparada. Esta máquina não pode entrar em Modo de Segurança.

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

@="Driver Group"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

@="DiskDrive"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

@="Hdc"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

@="Keyboard"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

@="Mouse"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

@="System"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

@="Volume"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

"d:\\Arquivos de programas\\DNA\\btdna.exe"=

"c:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"d:\\Documents and Settings\\Administrador\\Configurações locais\\Dados de aplicativos\\Google\\Update\\GoogleUpdate.exe"=

"d:\\Documents and Settings\\Administrador\\Configurações locais\\Dados de aplicativos\\Google\\Update\\1.2.183.7\\GoogleCrashHandler.exe"=

"d:\\WINDOWS\\system32\\dwwin.exe"=

"d:\\WINDOWS\\system32\\cmd.exe"=

"d:\\WINDOWS\\system32\\CF18773.exe"=

 

R0 GbpKm;Gbp KernelMode;d:\windows\system32\drivers\gbpkm.sys [11/2/2009 23:01 26568]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [15/7/2009 10:22 53320]

R3 AsusACPI;ASUS ACPI Driver;d:\windows\system32\drivers\ASUSACPI.SYS [25/1/2009 23:06 11264]

 

--- =Outros Serviços/Drivers Na Memória ---

 

*NewlyCreated* - DAC970NT

.

Conteúdo da pasta 'Tarefas Agendadas'

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.uol.com.br/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - d:\windows\system32\GPhotos.scr/200

IE: E&xportar para o Microsoft Excel - d:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://imagem.caixa.gov.br/cab/gbpdist.cab

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-27 02:22

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Òw*]

"6140110900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(564)

c:\arquivos de programas\GbPlugin\gbiehcef.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Java\jre6\bin\jqs.exe

d:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-07-27 2:25 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-07-27 05:25

 

Pré-execução: 1.014.001.664 bytes disponíveis

Pós execução: 1.047.150.592 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

175

[DigRam 144]

Boa Tarde! EGH

 

<@> Baixe: < SafeBootKeyRepair >

<@> Salve-a,diretamente,no Disco-local ©.

<@> Execute-a!E,ao terminar,gerará um relatório: C:\SafeBoot_Repair.txt <-- Não poste!

<><><><><><><><><><>

<@> Baixe: < AVPTool > ( by Kaspersky Labs )

<@> Salve-o em Arquivos de Programas,e instale-o aí mesmo!

<@> Reinicie o computador,em Modo de Segurança! <-- Importante!

<@> Dê início ao exame,clicando em "Scan".

<@> A verificação é muito demorada. <-- Aguarde!

<@> Caso seja encontrada infecções,clique em "disinfect" se a opção estiver habilitada.

<@> Evite,por enquanto,a opção "Delete".

<@> Terminando,clique na aba Events.

<@> Desmarque a caixa de seleção "Show all events".

<@> Clique em "Save to file".

<@> Nomeie-o e salve-o no desktop! <-- Relatório para postagem!

<@> Poste,também,HijackThis atualizado.

 

Abraços!

[EGH 0]

Olá

 

Seguem os logs do kaspersky e do hijackthis.

 

obrigado

 

Scan

----

Scanned: 168749

Detected: 29

Untreated: 0

Start time: 28/7/2009 15:45:59

Duration: 01:34:46

Finish time: 28/7/2009 17:20:45

 

 

Detected

--------

Status Object

------ ------

will be disinfected when the computer is restarted: virus Virus.Win32.Sality.aa File: D:\WINDOWS\Explorer.EXE

disinfected: virus Virus.Win32.Sality.aa File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\googleupdate.exe

disinfected: virus Virus.Win32.Sality.aa File: C:\Meus Documentos\Downloads\chrome_installer.exe

disinfected: virus Virus.Win32.Sality.aa File: c:\arquivos de programas\msn messenger\msnmsgr.exe

disinfected: virus Virus.Win32.Sality.aa File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\chrome\application\chrome.exe

disinfected: virus Virus.Win32.Sality.aa File: C:\Arquivos de programas\KLC\SMAC\patch.exe

disinfected: virus Virus.Win32.Sality.aa File: C:\Arquivos de programas\Microsoft Office\OFFICE11\EXCEL.EXE

disinfected: virus Virus.Win32.Sality.aa File: C:\Arquivos de programas\TrueCrypt\TrueCrypt Format.exe

disinfected: virus Virus.Win32.Sality.aa File: C:\Arquivos de programas\TrueCrypt\TrueCrypt.exe

disinfected: virus Virus.Win32.Sality.aa File: d:\arquivos de programas\internet explorer\iexplore.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\ComboFix\CF18773.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\3.0.191.3\Installer\setup.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleCrashHandler.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleUpdate.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\Administrador\Desktop\Virus Removal Tool\is-JL489\minst.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\All Users\Documentos\TrueCrypt Setup 6.2a.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\All Users\Documentos\windows-kb890830-v2.9.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\All Users\Documentos\WindowsXP-KB958644-x86-PTB.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\All Users\Documentos\progs\Ad-AwareAE.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\Documents and Settings\All Users\Documentos\progs\Firefox Setup 3.0.9.exe

disinfected: virus Virus.Win32.Sality.aa File: d:\windows\regedit.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\WINDOWS\system32\cmd.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\WINDOWS\system32\grpconv.exe

disinfected: virus Virus.Win32.Sality.aa File: d:\windows\system32\rundll32.exe

disinfected: virus Virus.Win32.Sality.aa File: d:\windows\system32\zipfldr.dll

disinfected: virus Virus.Win32.Sality.aa File: e:\hijackthis.exe

disinfected: virus Virus.Win32.Sality.aa File: E:\nfqh.exe

disinfected: virus Virus.Win32.Sality.aa File: D:\DriveKey\HPUSBF.EXE

disinfected: virus Virus.Win32.Sality.aa File: D:\DriveKey\HPUSBFW.EXE

 

 

Events

------

Time Name Status Reason

---- ---- ------ ------

28/7/2009 15:46:37 File: D:\WINDOWS\Explorer.EXE detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:46:46 File: d:\windows\explorer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:46:50 File: D:\WINDOWS\explorer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:46:52 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\googleupdate.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:46:52 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\googleupdate.exe not disinfected postponed

28/7/2009 15:47:29 File: C:\Meus Documentos\Downloads\chrome_installer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:47:29 File: C:\Meus Documentos\Downloads\chrome_installer.exe not disinfected postponed

28/7/2009 15:48:06 File: D:\WINDOWS\Explorer.EXE detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:48:14 File: d:\windows\explorer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:48:18 File: D:\WINDOWS\explorer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:48:19 File: c:\arquivos de programas\msn messenger\msnmsgr.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:48:19 File: c:\arquivos de programas\msn messenger\msnmsgr.exe not disinfected postponed

28/7/2009 15:48:20 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\googleupdate.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:48:20 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\googleupdate.exe not disinfected postponed

28/7/2009 15:48:46 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\chrome\application\chrome.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:48:46 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\chrome\application\chrome.exe not disinfected postponed

28/7/2009 15:54:27 File: C:\Arquivos de programas\KLC\SMAC\patch.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:54:27 File: C:\Arquivos de programas\KLC\SMAC\patch.exe not disinfected postponed

28/7/2009 15:54:29 File: C:\Arquivos de programas\Microsoft Office\OFFICE11\EXCEL.EXE detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:54:29 File: C:\Arquivos de programas\Microsoft Office\OFFICE11\EXCEL.EXE not disinfected postponed

28/7/2009 15:57:01 File: C:\Arquivos de programas\MSN Messenger\msnmsgr.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:57:01 File: C:\Arquivos de programas\MSN Messenger\msnmsgr.exe not disinfected postponed

28/7/2009 15:57:14 File: C:\Arquivos de programas\TrueCrypt\TrueCrypt Format.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:57:14 File: C:\Arquivos de programas\TrueCrypt\TrueCrypt Format.exe not disinfected postponed

28/7/2009 15:57:15 File: C:\Arquivos de programas\TrueCrypt\TrueCrypt.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:57:15 File: C:\Arquivos de programas\TrueCrypt\TrueCrypt.exe not disinfected postponed

28/7/2009 15:57:52 File: C:\Meus Documentos\Downloads\chrome_installer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:57:52 File: C:\Meus Documentos\Downloads\chrome_installer.exe not disinfected postponed

28/7/2009 15:58:46 File: D:\Arquivos de programas\Internet Explorer\iexplore.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:58:46 File: D:\Arquivos de programas\Internet Explorer\iexplore.exe not disinfected postponed

28/7/2009 15:59:44 File: D:\ComboFix\CF18773.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:59:44 File: D:\ComboFix\CF18773.exe not disinfected postponed

28/7/2009 15:59:59 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 15:59:59 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe not disinfected postponed

28/7/2009 16:00:33 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\3.0.191.3\Installer\setup.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:00:33 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\3.0.191.3\Installer\setup.exe not disinfected postponed

28/7/2009 16:02:12 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:02:12 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe not disinfected postponed

28/7/2009 16:02:12 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleCrashHandler.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:02:12 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleCrashHandler.exe not disinfected postponed

28/7/2009 16:02:13 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleUpdate.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:02:13 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleUpdate.exe not disinfected postponed

28/7/2009 16:05:03 File: D:\Documents and Settings\Administrador\Desktop\Virus Removal Tool\is-JL489\minst.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:05:03 File: D:\Documents and Settings\Administrador\Desktop\Virus Removal Tool\is-JL489\minst.exe not disinfected postponed

28/7/2009 16:06:33 File: D:\Documents and Settings\All Users\Documentos\TrueCrypt Setup 6.2a.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:06:33 File: D:\Documents and Settings\All Users\Documentos\TrueCrypt Setup 6.2a.exe not disinfected postponed

28/7/2009 16:06:33 File: D:\Documents and Settings\All Users\Documentos\windows-kb890830-v2.9.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:06:33 File: D:\Documents and Settings\All Users\Documentos\windows-kb890830-v2.9.exe not disinfected postponed

28/7/2009 16:06:34 File: D:\Documents and Settings\All Users\Documentos\WindowsXP-KB958644-x86-PTB.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:06:34 File: D:\Documents and Settings\All Users\Documentos\WindowsXP-KB958644-x86-PTB.exe not disinfected postponed

28/7/2009 16:06:37 File: D:\Documents and Settings\All Users\Documentos\progs\Ad-AwareAE.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:06:37 File: D:\Documents and Settings\All Users\Documentos\progs\Ad-AwareAE.exe not disinfected postponed

28/7/2009 16:06:50 File: D:\Documents and Settings\All Users\Documentos\progs\Firefox Setup 3.0.9.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:06:50 File: D:\Documents and Settings\All Users\Documentos\progs\Firefox Setup 3.0.9.exe not disinfected postponed

28/7/2009 16:07:09 File: D:\WINDOWS\explorer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:07:27 File: D:\WINDOWS\regedit.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:07:27 File: D:\WINDOWS\regedit.exe not disinfected postponed

28/7/2009 16:25:11 File: D:\WINDOWS\system32\cmd.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:25:11 File: D:\WINDOWS\system32\cmd.exe not disinfected postponed

28/7/2009 16:25:41 File: D:\WINDOWS\system32\grpconv.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:25:41 File: D:\WINDOWS\system32\grpconv.exe not disinfected postponed

28/7/2009 16:27:09 File: D:\WINDOWS\system32\rundll32.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:27:09 File: D:\WINDOWS\system32\rundll32.exe not disinfected postponed

28/7/2009 16:27:55 File: D:\WINDOWS\system32\zipfldr.dll detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:27:55 File: D:\WINDOWS\system32\zipfldr.dll not disinfected postponed

28/7/2009 16:31:39 File: E:\HiJackThis.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:31:39 File: E:\HiJackThis.exe not disinfected postponed

28/7/2009 16:31:41 File: E:\nfqh.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:31:41 File: E:\nfqh.exe not disinfected postponed

28/7/2009 16:38:19 File: C:\Arquivos de programas\KLC\SMAC\patch.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:38:19 File: C:\Arquivos de programas\KLC\SMAC\patch.exe not disinfected postponed

28/7/2009 16:38:21 File: C:\Arquivos de programas\Microsoft Office\OFFICE11\EXCEL.EXE detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:38:21 File: C:\Arquivos de programas\Microsoft Office\OFFICE11\EXCEL.EXE not disinfected postponed

28/7/2009 16:40:01 File: C:\Arquivos de programas\MSN Messenger\msnmsgr.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:40:01 File: C:\Arquivos de programas\MSN Messenger\msnmsgr.exe not disinfected postponed

28/7/2009 16:40:06 File: C:\Arquivos de programas\TrueCrypt\TrueCrypt Format.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:40:06 File: C:\Arquivos de programas\TrueCrypt\TrueCrypt Format.exe not disinfected postponed

28/7/2009 16:40:07 File: C:\Arquivos de programas\TrueCrypt\TrueCrypt.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:40:07 File: C:\Arquivos de programas\TrueCrypt\TrueCrypt.exe not disinfected postponed

28/7/2009 16:40:25 File: C:\Meus Documentos\Downloads\chrome_installer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:40:25 File: C:\Meus Documentos\Downloads\chrome_installer.exe not disinfected postponed

28/7/2009 16:41:00 File: D:\Arquivos de programas\Internet Explorer\iexplore.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:41:00 File: D:\Arquivos de programas\Internet Explorer\iexplore.exe not disinfected postponed

28/7/2009 16:41:30 File: D:\ComboFix\CF18773.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:41:30 File: D:\ComboFix\CF18773.exe not disinfected postponed

28/7/2009 16:41:39 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:41:39 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe not disinfected postponed

28/7/2009 16:41:46 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\3.0.191.3\Installer\setup.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:41:46 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\3.0.191.3\Installer\setup.exe not disinfected postponed

28/7/2009 16:42:31 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:42:31 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe not disinfected postponed

28/7/2009 16:42:31 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleCrashHandler.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:42:31 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleCrashHandler.exe not disinfected postponed

28/7/2009 16:42:32 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleUpdate.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:42:32 File: D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.7\GoogleUpdate.exe not disinfected postponed

28/7/2009 16:44:39 File: D:\Documents and Settings\Administrador\Desktop\Virus Removal Tool\is-JL489\minst.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:44:39 File: D:\Documents and Settings\Administrador\Desktop\Virus Removal Tool\is-JL489\minst.exe not disinfected postponed

28/7/2009 16:45:53 File: D:\Documents and Settings\All Users\Documentos\TrueCrypt Setup 6.2a.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:45:53 File: D:\Documents and Settings\All Users\Documentos\TrueCrypt Setup 6.2a.exe not disinfected postponed

28/7/2009 16:45:53 File: D:\Documents and Settings\All Users\Documentos\windows-kb890830-v2.9.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:45:53 File: D:\Documents and Settings\All Users\Documentos\windows-kb890830-v2.9.exe not disinfected postponed

28/7/2009 16:45:54 File: D:\Documents and Settings\All Users\Documentos\WindowsXP-KB958644-x86-PTB.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:45:54 File: D:\Documents and Settings\All Users\Documentos\WindowsXP-KB958644-x86-PTB.exe not disinfected postponed

28/7/2009 16:45:55 File: D:\Documents and Settings\All Users\Documentos\progs\Ad-AwareAE.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:45:55 File: D:\Documents and Settings\All Users\Documentos\progs\Ad-AwareAE.exe not disinfected postponed

28/7/2009 16:45:57 File: D:\Documents and Settings\All Users\Documentos\progs\Firefox Setup 3.0.9.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:45:57 File: D:\Documents and Settings\All Users\Documentos\progs\Firefox Setup 3.0.9.exe not disinfected postponed

28/7/2009 16:46:04 File: D:\DriveKey\HPUSBF.EXE detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:46:04 File: D:\DriveKey\HPUSBF.EXE not disinfected postponed

28/7/2009 16:46:04 File: D:\DriveKey\HPUSBFW.EXE detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:46:04 File: D:\DriveKey\HPUSBFW.EXE not disinfected postponed

28/7/2009 16:46:06 File: D:\WINDOWS\explorer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:46:09 File: D:\WINDOWS\regedit.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:46:09 File: D:\WINDOWS\regedit.exe not disinfected postponed

28/7/2009 16:57:20 File: D:\WINDOWS\system32\cmd.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:57:20 File: D:\WINDOWS\system32\cmd.exe not disinfected postponed

28/7/2009 16:57:40 File: D:\WINDOWS\system32\grpconv.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:57:40 File: D:\WINDOWS\system32\grpconv.exe not disinfected postponed

28/7/2009 16:58:29 File: D:\WINDOWS\system32\rundll32.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:58:29 File: D:\WINDOWS\system32\rundll32.exe not disinfected postponed

28/7/2009 16:58:59 File: D:\WINDOWS\system32\zipfldr.dll detected virus 'Virus.Win32.Sality.aa'

28/7/2009 16:58:59 File: D:\WINDOWS\system32\zipfldr.dll not disinfected postponed

28/7/2009 17:00:32 File: E:\HiJackThis.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:00:32 File: E:\HiJackThis.exe not disinfected postponed

28/7/2009 17:00:33 File: E:\nfqh.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:00:33 File: E:\nfqh.exe not disinfected postponed

28/7/2009 17:01:59 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\googleupdate.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:23 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\googleupdate.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:23 File: c:\meus documentos\downloads\chrome_installer.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:38 File: c:\meus documentos\downloads\chrome_installer.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:40 File: c:\arquivos de programas\msn messenger\msnmsgr.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:41 File: c:\arquivos de programas\msn messenger\msnmsgr.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:43 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\chrome\application\chrome.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:43 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\chrome\application\chrome.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:47 File: c:\arquivos de programas\klc\smac\patch.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:48 File: c:\arquivos de programas\klc\smac\patch.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:50 File: c:\arquivos de programas\microsoft office\office11\excel.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:51 File: c:\arquivos de programas\microsoft office\office11\excel.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:53 File: c:\arquivos de programas\truecrypt\truecrypt format.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:53 File: c:\arquivos de programas\truecrypt\truecrypt format.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:55 File: c:\arquivos de programas\truecrypt\truecrypt.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:56 File: c:\arquivos de programas\truecrypt\truecrypt.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:17:58 File: d:\arquivos de programas\internet explorer\iexplore.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:01 File: d:\arquivos de programas\internet explorer\iexplore.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:08 File: d:\combofix\cf18773.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:15 File: d:\combofix\cf18773.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:17 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\chrome\application\3.0.191.3\installer\setup.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:21 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\chrome\application\3.0.191.3\installer\setup.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:22 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\1.2.183.7\googlecrashhandler.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:22 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\1.2.183.7\googlecrashhandler.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:23 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\1.2.183.7\googleupdate.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:24 File: d:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\1.2.183.7\googleupdate.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:24 File: d:\documents and settings\administrador\desktop\virus removal tool\is-jl489\minst.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:25 File: d:\documents and settings\administrador\desktop\virus removal tool\is-jl489\minst.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:25 File: d:\documents and settings\all users\documentos\truecrypt setup 6.2a.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:33 File: d:\documents and settings\all users\documentos\truecrypt setup 6.2a.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:36 File: d:\documents and settings\all users\documentos\windows-kb890830-v2.9.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:18:48 File: d:\documents and settings\all users\documentos\windows-kb890830-v2.9.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:19:11 File: d:\documents and settings\all users\documentos\windowsxp-kb958644-x86-ptb.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:19:12 File: d:\documents and settings\all users\documentos\windowsxp-kb958644-x86-ptb.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:19:14 File: d:\documents and settings\all users\documentos\progs\ad-awareae.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:03 File: d:\documents and settings\all users\documentos\progs\ad-awareae.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:15 File: d:\documents and settings\all users\documentos\progs\firefox setup 3.0.9.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:23 File: d:\documents and settings\all users\documentos\progs\firefox setup 3.0.9.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:30 File: d:\windows\regedit.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:30 File: d:\windows\regedit.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:31 File: d:\windows\system32\cmd.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:31 File: d:\windows\system32\cmd.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:31 File: d:\windows\system32\grpconv.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:32 File: d:\windows\system32\grpconv.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:33 File: d:\windows\system32\rundll32.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:33 File: d:\windows\system32\rundll32.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:33 File: d:\windows\system32\zipfldr.dll detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:34 File: d:\windows\system32\zipfldr.dll disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:34 File: e:\hijackthis.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:37 File: e:\hijackthis.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:40 File: e:\nfqh.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:42 File: e:\nfqh.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:44 File: d:\drivekey\hpusbf.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:44 File: d:\drivekey\hpusbf.exe disinfected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:44 File: d:\drivekey\hpusbfw.exe detected virus 'Virus.Win32.Sality.aa'

28/7/2009 17:20:45 File: d:\drivekey\hpusbfw.exe disinfected virus 'Virus.Win32.Sality.aa'

 

 

Statistics

----------

Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted

------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------

 

 

Settings

--------

Parameter Value

--------- -----

Security Level Recommended

Action Prompt for action when the scan is complete

Run mode Manually

File types Scan all files

Scan only new and changed files No

Scan archives All

Scan embedded OLE objects All

Skip if object is larger than No

Skip if scan takes longer than No

Parse email formats No

Scan password-protected archives No

Enable iChecker technology No

Enable iSwift technology No

Show detected threats on "Detected" tab Yes

Rootkits search Yes

Deep rootkits search No

Use heuristic analyzer Yes

 

 

Quarantine

----------

Status Object Size Added

------ ------ ---- -----

 

 

Backup

------

Status Object Size

------ ------ ----

Infected: virus Virus.Win32.Sality.aa d:\windows\explorer.exe 1 MB

Infected: virus Virus.Win32.Sality.aa d:\windows\regedit.exe 215 KB

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:22:28, on 28/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Safe mode

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\Explorer.EXE

E:\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - c:\Arquivos de programas\GbPlugin\gbiehcef.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: is-JL489.lnk = D:\Documents and Settings\Administrador\Desktop\Virus Removal Tool\is-JL489\startup.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://D:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233346427359

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginCef - c:\Arquivos de programas\GbPlugin\gbiehcef.dll

O23 - Service: Gbp Service (GbpSv) - - c:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - c:\Arquivos de programas\Java\jre6\bin\jqs.exe

 

--

End of file - 4108 bytes

[DigRam 144]

Boa Tarde! EGH

 

<@> Baixe: < DrWebCureIt >

<@> Caso tenha dificuldades para o download,utilize outro computador ou proxy.

<@> Vá em: < Proxify >

<@> Digite,na caixa,a URL ao DrWebCureIt.

<@> Clique em Proxify.

<@> Salve a ferramenta no desktop!

<@> Reinicie o computador em Modo de Segurança.

<@> Inicie a instalação/execução,com um duplo-clique em drweb-cureit.

<@> Na janela que abrir,clique em Iniciar --> OK.

<@> Será dado início a "Verificação rápida" --> Feche a janela de propaganda!

<@> Terminando,marque a caixa de "Verificação Completa".

<@> Click em "Options" --> Em Change settings,desmarque a "Heuristic analysis".

 

Neste modo são verificados os seguintes objectos:

 

* Sectores de Arranque de Todos os Discos. <--

 

* Todas as Unidades Removíveis. <--

 

* Todos os Discos Locais. <--

<@> Clique em "Iniciar verificação" --> Aguarde!

<@> Surgindo mensagens para mover ou desinfectar arquivos,clique em Sim.

<@> Terminando,clique em "Ficheiro" --> "Guardar lista de relatórios".

<@> Procure salvá-lo em um local adequado. ( DrWeb.csv ) <-- Converta em Texto!

<@> Poste: DrWeb.csv + HijackThis,atualizado.

 

Abraços!

[EGH 0]

olá

Baixei o drwed-cureit mas não consigo executá-lo no netbook infectado.

Clico nele e nada acontece...

 

Abraços

[DigRam 144]

olá

Baixei o drwed-cureit mas não consigo executá-lo no netbook infectado.

Clico nele e nada acontece...

 

Abraços

<><><><><><><><><><>

Opa! EGH

 

<@> Baixe: < sality_off.zip >

<@> Extraia seu conteúdo,para o C:\. <-- Disco local ©

<@> Desative seu antivírus temporariamente!

<@> Ps: A vacina será executada,simultaneamente,em 2 janelas:

 

<1> A primeira janela:

 

<@> Vá em Iniciar --> Executar > Digite: C:\Sality_off.exe -m

 

 

<@> Clique OK!

<@> Ps: Aguarde a finalização,que é demorada!

 

<2> A segunda janela:

 

<@> Dê duplo-clique em: C:\Sality_off.exe

<@> Ps: Aguarde a finalização,que é demorada!

<@> Terminando,aperte ENTER!

<><><><><><><><><><>

<@> Baixe: < a-squared Free 4.5 >

 

<!> Link Opcional: < >

 

<@> Salve-o em Arquivos de programas.

<@> Abra o programa e clique em: Atualizar agora --> Aguarde!

<@> Terminando,clique em: "Scan PC"

<@> Escolha a opção: "A fundo" --> Clique,à seguir,em "Analisar".

<@> Terminando,marque as caixinhas dos ítens encontrados e clique em "Enviar marcados à Quarentena".

<@> Salve e poste o relatório desta verificação. ( a2scan_xxyy09-xxxxxx.txt ) <--

<@> Poste,também,HijackThis atualizado.

 

Abraços!

[EGH 0]

Olá

Obrigado pelas dicas.

Agora o xp parece que dançou de vez. Vou formatar e começar tudo de novo, já queria ter feito isso antes.

Obrigado de novo!

 

Abraços

[DigRam 144]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.