
Archived

This topic has been archived and is closed to new replies.

Fabricio78

[Resolved!] TROJAN in atapi.sys


AVG identified a Packed.Protector Trojan horse in atapi.sys and was unable to remove it.

The file is located at G:\WINDOWS\system32\drivers\atapi.sys. I cannot get rid of this trojan by any means, and in Task Manager svchost.exe also shows up using 50% of the CPU. The HijackThis result was as follows:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:16:02, on 7/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

G:\WINDOWS\System32\smss.exe

G:\WINDOWS\system32\csrss.exe

G:\WINDOWS\system32\winlogon.exe

G:\WINDOWS\system32\services.exe

G:\WINDOWS\system32\lsass.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\spoolsv.exe

G:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

G:\Arquivos de programas\Java\jre6\bin\jqs.exe

G:\WINDOWS\system32\nvsvc32.exe

G:\WINDOWS\Explorer.EXE

G:\WINDOWS\system32\slserv.exe

G:\ARQUIV~1\AVG\AVG8\avgemc.exe

G:\ARQUIV~1\AVG\AVG8\avgrsx.exe

G:\ARQUIV~1\AVG\AVG8\avgnsx.exe

G:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

G:\Arquivos de programas\Microsoft IntelliType Pro\type32.exe

G:\Arquivos de programas\Microsoft IntelliPoint\point32.exe

G:\WINDOWS\SOUNDMAN.EXE

G:\Arquivos de programas\Turbo\Manager\desp2k.exe

G:\WINDOWS\WinLogT.exe

G:\ARQUIV~1\AVG\AVG8\avgtray.exe

G:\WINDOWS\system32\RUNDLL32.EXE

G:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

G:\Arquivos de programas\Java\jre6\bin\jusched.exe

G:\WINDOWS\system32\av_md.exe

G:\Arquivos de programas\DNA\btdna.exe

G:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

G:\WINDOWS\system32\ctfmon.exe

G:\WINDOWS\System32\svchost.exe

G:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\alg.exe

G:\WINDOWS\system32\taskmgr.exe

G:\WINDOWS\System32\wbem\wmiapsrv.exe

G:\Arquivos de programas\Motherboard Monitor 5\MBM5.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Documents and Settings\Fabricio\Meus documentos\downloads\HiJackThis.exe

G:\WINDOWS\System32\wbem\wmiprvse.exe

G:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...61&gct=&gc=1&q=

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - G:\Arquivos de programas\AskSearch\bin\DefaultSearch.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - G:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - G:\Arquivos de programas\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [RemoteControl] "G:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ASUS Probe] G:\Program Files\ASUS\Asus Probe\AsusProb.exe

O4 - HKLM\..\Run: [type32] "G:\Arquivos de programas\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "G:\Arquivos de programas\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [desp2k] G:\Arquivos de programas\Turbo\Manager\desp2k.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [WinLogT] G:\WINDOWS\WinLogT.exe

O4 - HKLM\..\Run: [AVG8_TRAY] G:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [TkBellExe] "G:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sunJavaUpdateSched] "G:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sysgif32] G:\WINDOWS\TEMP\~TM28.tmp

O4 - HKLM\..\Run: [av_md] G:\WINDOWS\system32\av_md.exe

O4 - HKLM\..\Run: [Regedit32] G:\WINDOWS\system32\regedit.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "G:\Arquivos de programas\DNA\btdna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [av_md] G:\Documents and Settings\Fabricio\av_md.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: siszyd32.exe

O4 - Global Startup: Microsoft Office.lnk = G:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = G:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://G:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: G:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://sympatico.zon...UI.cab55579.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.co.../sysreqlab3.cab

O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://sympatico.zon...rp.cab55579.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://sympatico.zon...dy.cab55579.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://sympatico.zon...at.cab55579.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1192631346109

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab

O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab

O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/...tz.cab70018.cab

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab79352.cab

O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://sympatico.zon...xy.cab55579.cab

O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/...rp.cab56961.cab

O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/...PA.cab55579.cab

O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/...on.cab64162.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{94E8DE38-24F6-4126-B69E-3AA78F770265}: Domain = @

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - G:\Arquivos de programas\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - G:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - G:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - G:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Update Service (gupdate1ca391a32c9cf60) (gupdate1ca391a32c9cf60) - Google Inc. - G:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SmartLinkService (SLService) - - G:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 10197 bytes

 

PLEASE HELP

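As an added example (not part of the thread, and not HijackThis or Malwarebytes code), the following Python script applies a few defender-side heuristics to the O4 autorun lines quoted in the log above. The sample lines are copied from that log; the heuristics themselves (a target in TEMP or directly in a profile root, a bare executable in the Startup folder, an autorun that launches a Windows administrative tool, one value name under several hives with different targets) are this example's own assumptions.

```python
"""Defender-side triage of HijackThis O4 (autorun) entries.

Added example for this thread; not code from the original post, from
HijackThis or from Malwarebytes. The sample lines are copied from the
first HijackThis log above; the heuristics are this example's own
assumptions about what makes an autorun entry worth a second look.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the first log in the thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [RemoteControl] "G:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] G:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [sysgif32] G:\WINDOWS\TEMP\~TM28.tmp
O4 - HKLM\..\Run: [av_md] G:\WINDOWS\system32\av_md.exe
O4 - HKLM\..\Run: [Regedit32] G:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [av_md] G:\Documents and Settings\Fabricio\av_md.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: siszyd32.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
""".strip().splitlines()

# "O4 - <hive>\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Startup: <file>" or "O4 - Global Startup: <shortcut>.lnk = <target>"
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<cmd>.*)$")
# First path-like token ending in an executable extension; tolerates unquoted paths with spaces.
TARGET_RE = re.compile(r'"?(?P<path>[^"]*?\.(?:exe|tmp|bat|scr|com|pif|dll))\b', re.IGNORECASE)

# Tools a legitimate installer rarely registers as an autorun (assumption of this example).
ADMIN_TOOLS = {"regedit.exe", "cmd.exe", "reg.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_o4(line):
    """Split one O4 line into hive, value name, launch target and shortcut flag; None if not O4."""
    m = RUN_RE.match(line)
    if m:
        hive, name, cmd, shortcut = m["hive"], m["name"], m["cmd"], False
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return None
        hive = m["hive"]
        name, sep, cmd = m["cmd"].partition(" = ")
        shortcut = bool(sep)  # "<name>.lnk = <target>" is a shortcut; otherwise a bare file
        if not shortcut:
            cmd = name
    t = TARGET_RE.search(cmd)
    return {"hive": hive, "name": name, "target": t["path"] if t else cmd, "shortcut": shortcut}


def reasons_for(entry, by_name):
    """Heuristic reasons (this example's assumptions) why an autorun deserves a closer look."""
    path = entry["target"].lower()
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in path or base.endswith(".tmp"):
        reasons.append("target lives in a TEMP directory or has a .tmp extension")
    if re.search(r"documents and settings\\[^\\]+\\[^\\]+$", path) or "\\config\\systemprofile\\" in path:
        reasons.append("target sits directly in a profile root rather than under Program Files")
    if base in ADMIN_TOOLS:
        reasons.append(f"autorun launches a Windows administrative tool ({base})")
    if entry["hive"].endswith("Startup") and not entry["shortcut"]:
        reasons.append("bare executable in the Startup folder instead of a .lnk shortcut")
    if len({e["target"].lower() for e in by_name[entry["name"].lower()]}) > 1:
        reasons.append("same value name registered under several hives with different targets")
    return reasons


def triage(lines):
    """Return the O4 entries that trip at least one heuristic, each with its reasons."""
    entries = [e for e in map(parse_o4, lines) if e]
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"].lower()].append(e)
    findings = []
    for e in entries:
        reasons = reasons_for(e, by_name)
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def flagged_names(lines):
    """Value names (or Startup file names) of the flagged entries."""
    return {f["name"] for f in triage(lines)}


if __name__ == "__main__":
    for f in triage(SAMPLE_O4):
        print(f"[{f['hive']}] {f['name']} -> {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample it flags sysgif32, av_md (both hives), Regedit32 and siszyd32.exe, the same entries the Malwarebytes and ComboFix logs further down the thread report removing, while the vendor autoruns (AVG, NVIDIA, PowerDVD) pass.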

Good afternoon Fabricio78

 

 

1.

*Download Malwarebytes Anti-Malware and save it to the desktop:

*Install the program

*When it finishes, if an update exists, it will be downloaded automatically. Wait...

*Once the update is finished, the program will open automatically.

*On the [Scan] tab, select the [Full Scan] option

*Click [Scan] and select the drives to be examined

*Remove whatever is found

*At the end of the scan you may be asked whether you want to remove objects from memory. Click [YES] and finally click [OK]. A report (mbam-log-year-month-day.txt) will be displayed.

*Restart the PC

*Open Malwarebytes again and, on the [Logs] tab, click the mbam-log-year-month-day.txt file

*Click [Open], copy it, and paste it in your next reply


I had done this shortly before reading your reply. When I restarted, AVG did not report anything, but svchost.exe (one of them, since there are several) keeps using 50% of the CPU. Below is the Malwarebytes result you asked for.

 

Malwarebytes' Anti-Malware 1.42

Versão do banco de dados: 3310

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

 

7/12/2009 15:02:48

mbam-log-2009-12-07 (15-02-48).txt

 

Tipo de Verificação: Rápida

Objetos verificados: 115870

Tempo decorrido: 23 minute(s), 10 second(s)

 

Processos da Memória infectados: 1

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 4

Valores do Registro infectados: 4

Ítens do Registro infectados: 1

Pastas infectadas: 1

Arquivos infectados: 4

 

Processos da Memória infectados:

G:\WINDOWS\system32\av_md.exe (Backdoor.Bot) -> Unloaded process successfully.

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34546} (Trojan.Clicker) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Relevant Knowledge (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Trojan.Dropper) -> Quarantined and deleted successfully.

 

Ítens do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Pastas infectadas:

G:\Arquivos de programas\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.

 

Arquivos infectados:

G:\WINDOWS\system32\av_md.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

G:\WINDOWS\system32\config\SystemProfile\av_md.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

G:\WINDOWS\Temp\~TM29.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.

G:\Documents and Settings\Fabricio\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.


1.

*Open Malwarebytes and, on the [Quarantine] tab, select all results and click [Delete All]

*Click the [Logs] tab, select the report and click [Delete]

 

2.

*New HijackThis log


While HijackThis was running, AVG flagged the trojan again. Here is the result.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:57:11, on 7/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

G:\WINDOWS\System32\smss.exe

G:\WINDOWS\system32\csrss.exe

G:\WINDOWS\system32\winlogon.exe

G:\WINDOWS\system32\services.exe

G:\WINDOWS\system32\lsass.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\spoolsv.exe

G:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

G:\Arquivos de programas\Java\jre6\bin\jqs.exe

G:\WINDOWS\system32\nvsvc32.exe

G:\WINDOWS\system32\slserv.exe

G:\WINDOWS\Explorer.EXE

G:\ARQUIV~1\AVG\AVG8\avgemc.exe

G:\ARQUIV~1\AVG\AVG8\avgrsx.exe

G:\ARQUIV~1\AVG\AVG8\avgnsx.exe

G:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

G:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

G:\Arquivos de programas\Microsoft IntelliType Pro\type32.exe

G:\Arquivos de programas\Microsoft IntelliPoint\point32.exe

G:\WINDOWS\SOUNDMAN.EXE

G:\Arquivos de programas\Turbo\Manager\desp2k.exe

G:\WINDOWS\WinLogT.exe

G:\ARQUIV~1\AVG\AVG8\avgtray.exe

G:\WINDOWS\system32\RUNDLL32.EXE

G:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

G:\Arquivos de programas\Java\jre6\bin\jusched.exe

G:\Arquivos de programas\DNA\btdna.exe

G:\WINDOWS\system32\ctfmon.exe

G:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE

G:\WINDOWS\System32\alg.exe

G:\WINDOWS\system32\taskmgr.exe

G:\WINDOWS\System32\wbem\wmiapsrv.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Arquivos de programas\Motherboard Monitor 5\MBM5.exe

G:\WINDOWS\system32\wscntfy.exe

G:\Documents and Settings\Fabricio\Meus documentos\downloads\HiJackThis.exe

G:\WINDOWS\System32\wbem\wmiprvse.exe

G:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - G:\Arquivos de programas\AskSearch\bin\DefaultSearch.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - G:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - G:\Arquivos de programas\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [RemoteControl] "G:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ASUS Probe] G:\Program Files\ASUS\Asus Probe\AsusProb.exe

O4 - HKLM\..\Run: [type32] "G:\Arquivos de programas\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "G:\Arquivos de programas\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [desp2k] G:\Arquivos de programas\Turbo\Manager\desp2k.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [WinLogT] G:\WINDOWS\WinLogT.exe

O4 - HKLM\..\Run: [AVG8_TRAY] G:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [TkBellExe] "G:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sunJavaUpdateSched] "G:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "G:\Arquivos de programas\DNA\btdna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: siszyd32.exe

O4 - Global Startup: Microsoft Office.lnk = G:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = G:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://G:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: G:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab

O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_kqrp.cab55579.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://sympatico.zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192631346109

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab

O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab

O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://sympatico.zone.msn.com/binframework/v10/StProxy.cab55579.cab

O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab

O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab

O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{94E8DE38-24F6-4126-B69E-3AA78F770265}: Domain = @

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - G:\Arquivos de programas\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - G:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - G:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - G:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Update Service (gupdate1ca391a32c9cf60) (gupdate1ca391a32c9cf60) - Google Inc. - G:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SmartLinkService (SLService) - - G:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 9591 bytes


*Download AD-Remover and save it to the desktop

*Double-click AD-R.exe and install the program.

*Double-click the icon created on the desktop and click [Oui]

*Press L > [ENTER]

*Paste the report created at C:\Ad-Report-CLEAN.log


Here is the Ad-Report log:

 

.

======= LOGFILE OF AD-REMOVER 1.1.4.6_E | ONLY XP/VISTA/7 =======

.

Updated by C_XX on 06.12.2009 at 17:18

Contact: AdRemover.contact@gmail.com

Website: http://pagesperso-orange.fr/NosTools/ad_remover.html

.

Launch at: 16:39:56, seg 07/12/2009 | Normal Boot | Option: CLEAN

Executed from: G:\Arquivos de programas\Ad-Remover\

Operating system: Microsoft® Windows XP™ Service Pack 2 versÆo 5.1.2600

Computer Name: FABRICIO-6ZLWC3 | Current user: Fabricio

.

============== NEUTRALIZED ELEMENT(S) ==============

.

 

G:\Arquivos de programas\AskSearch

G:\Arquivos de programas\Mozilla FireFox\Components\AskSearch.js

G:\WINDOWS\Prefetch\ASKINSTALLCHECKER.EXE-2E877AE0.pf

 

(!) -- Temp files deleted.

 

.

HKCU\software\microsoft\internet explorer\searchscopes\{CF739809-1C6C-47C0-85B9-569DBB141420}

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{C94E154B-1459-4A47-966B-4B843BEFC7DB}

HKLM\software\AskBarDis

.

============== Added scan ==============

.

.

* Mozilla FireFox Version [unable to get version] *

.

ProfilePath: gc2wcfwt.default (Fabricio)

.

(Fabricio, prefs.js) Browser.search.defaultenginename, Google

(Fabricio, prefs.js) Browser.search.defaulturl, hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

(Fabricio, prefs.js) Browser.search.selectedEngine, Google

.

.

* Internet Explorer Version 6.0.2900.2180 *

.

[HKEY_CURRENT_USER\..\Internet Explorer\Main]

.

Do404Search: 01000000

Local Page: G:\WINDOWS\system32\blank.htm

Show_ToolBar: yes

Start Page: hxxp://fr.msn.com/

Search Bar: hxxp://go.microsoft.com/fwlink/?linkid=54896

Enable Browser Extensions: yes

Use Search Asst: no

Use Custom Search URL: 1 (0x1)

Default_search_url: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Default_page_url: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

.

[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]

.

Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Delete_Temp_Files_On_Exit: yes

Local Page: %SystemRoot%\system32\blank.htm

Start Page: hxxp://fr.msn.com/

Search bar: hxxp://search.msn.com/spbasic.htm

.

[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]

.

Tabs: res://ieframe.dll/tabswelcome.htm

.

============== Suspect (Cracks, Serials, ...) ==============

.

G:\Documents and Settings\Fabricio\Dados de aplicativos\BitTorrent\Big Wet Butts - Fill My Cracks And Fuck My Ass - Bridgette B.torrent

G:\Documents and Settings\Fabricio\Dados de aplicativos\BitTorrent\CRACK IE 7 IN FOUR STEPS WITH SOFTWARE INSTALLATION.torrent

G:\Documents and Settings\Fabricio\Dados de aplicativos\BitTorrent\DivX Pro v7.2.0 (DivX Player + Author + Conventer) + Keygen [h33t] - CaZoR.torrent

G:\Documents and Settings\Fabricio\Dados de aplicativos\BitTorrent\Passware kit enterprise 9.0 Full incl serial (150+ file formats password recovery) [aram89] [H33T].torrent

G:\Documents and Settings\Fabricio\Dados de aplicativos\BitTorrent\Raven - IN THE CRACK (pussyquake).wmv.torrent

G:\Documents and Settings\Fabricio\Dados de aplicativos\BitTorrent\RealPlayer 11 Gold + Crack [h33t] [dopeboy].torrent

G:\Documents and Settings\Fabricio\Dados de aplicativos\BitTorrent\The.Crack.Pack.XXX.DVDRip.XviD-NYMPHO.torrent

G:\Documents and Settings\Fabricio\Dados de aplicativos\BitTorrent\WinAmp Pro v5.541.2189+Keygen[h33t]MasterUploader.torrent

G:\Documents and Settings\Fabricio\Favoritos\Full Games America's Army Special Forces (Link-Up) v2.6 Full Install - Demo Movie Patch Download Section - GamersHell.com.url

G:\Documents and Settings\Fabricio\Favoritos\SerialNews.org - le mans 24hours.url

G:\Documents and Settings\Fabricio\Meus documentos\2009 AGOSTOPROG\ConvertXtoDVD 3.7.2.188\Keygen.exe

G:\Documents and Settings\Fabricio\Meus documentos\COMPLETOS DO EMULE\PROG\Divx 7 Pro\DivX 7 Keygen [FFF].exe

G:\Documents and Settings\Fabricio\Meus documentos\COMPLETOS DO EMULE\PROG\WinAmp Pro v5.541.2189+Keygen[h33t]MasterUploader\MasterUploader.nfo

G:\Documents and Settings\Fabricio\Meus documentos\COMPLETOS DO EMULE\PROG\WinAmp Pro v5.541.2189+Keygen[h33t]MasterUploader\Keygen\KeyMaker.exe

G:\Documents and Settings\Fabricio\Meus documentos\COMPLETOS DO EMULE\PROG\WinAmp Pro v5.541.2189+Keygen[h33t]MasterUploader\Setup\winamp5541_pro_all.exe

G:\Documents and Settings\Fabricio\Meus documentos\COMPLETOS DREAMULE\crack\[eMulinha.info].Need.For.Speed.Pro.Street-RELOADED-ENG.nfo

G:\Documents and Settings\Fabricio\Meus documentos\COMPLETOS DREAMULE\PROG\[eMulinha].Infernal.Multi5.CRACKED-QUARTEX.nfo

G:\Documents and Settings\Fabricio\Meus documentos\Crack\Grand_Theft_Auto_San_Andreas_Tradu__o_Portugu_s_Brasil.zip

G:\Documents and Settings\Fabricio\Meus documentos\Crack\NFS CARBON\nfsc_br_www[1].gamevicio.com.br_.exe

G:\Documents and Settings\Fabricio\Meus documentos\downloads\OTHER\Internet Explorer 7 Portugues Brasil Final Crackeado 15nov06 Nao Requer Windows Original Pt-Br.rar

G:\Documents and Settings\Fabricio\Meus documentos\drivers\CRACK`S\FIFA06.exe

.

===================================

.

530 Byte(s) - G:\Ad-Report-CLEAN[1].log

5262 Byte(s) - G:\Ad-Report-CLEAN[2].log

.

0 File(s) - G:\DOCUME~1\Fabricio\CONFIG~1\Temp

1 File(s) - G:\WINDOWS\Temp

.

18 File(s) - G:\Arquivos de programas\Ad-Remover\BACKUP

3 File(s) - G:\Arquivos de programas\Ad-Remover\QUARANTINE

.

End at: 16:56:36 | seg 07/12/2009 - CLEAN[2]

.

============== E.O.F ==============

.


1.

*Run AD-Remover again

*Press D > [ENTER]

 

2.

*Temporarily disable your antivirus

*Download ComboFix and save it to the desktop

*Double-click the Combofix.exe file

*Accept the agreement

*If the Windows Recovery Console is already installed, ComboFix will continue the process automatically. If it is not, a window will open asking to install it. Accept the installation.


*After the installation, click [Yes] to continue.

 

*Important: while ComboFix is running, do not use the mouse or the keyboard! To interrupt the procedure, press N or 2 and then ENTER.

 

*The program will close automatically

 

*Paste the report created at C:\combofix.txt


Even after closing AVG, ComboFix says it is still active and could damage the machine. How do I resolve this so I can run ComboFix safely? Do I also have to disable the firewall?

 

What risks does ComboFix present?


There is no risk at all, as long as it is used with guidance.

 

 

To disable AVG:

 

Start > Programs > AVG

Open the AVG User Interface

Double-click Resident Shield

Uncheck the "Resident Shield active" option

Save the changes


I don't know whether it worked, because I had to go to work, and when I came back the result below was waiting; it took a very long time:

 

ComboFix 09-12-06.A3 - Fabricio 07/12/2009 17:51.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1535.864 [GMT -2:00]

Executando de: g:\documents and settings\Fabricio\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

g:\documents and settings\Fabricio\Dados de aplicativos\inst.exe

g:\documents and settings\Fabricio\Menu Iniciar\Programas\Inicializar\siszyd32.exe

g:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd

g:\windows\system32\drivers\npf.sys

g:\windows\system32\Packet.dll

g:\windows\system32\pthreadVC.dll

g:\windows\system32\wpcap.dll

 

A cópia de g:\windows\system32\Drivers\atapi.sys foi encontrada e desinfectada

Cópia restaurada de - g:\windows\ServicePackFiles\i386\atapi.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NPF

-------\Service_NPF

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-11-07 to 2009-12-07 ))))))))))))))))))))))))))))

.

 

2009-12-07 18:18 . 2009-12-07 19:09 -------- d-----w- g:\arquivos de programas\Ad-Remover

2009-12-07 16:34 . 2009-12-07 16:34 -------- d-----w- g:\documents and settings\Fabricio\Dados de aplicativos\Malwarebytes

2009-12-07 16:34 . 2009-12-03 18:14 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys

2009-12-07 16:34 . 2009-12-07 16:34 -------- d-----w- g:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-12-07 16:34 . 2009-12-07 16:34 -------- d-----w- g:\arquivos de programas\Malwarebytes' Anti-Malware

2009-12-07 16:34 . 2009-12-03 18:13 19160 ----a-w- g:\windows\system32\drivers\mbam.sys

2009-12-07 11:21 . 2009-12-07 11:21 116 ----a-w- g:\windows\system32\fjhdyfhsn.bat

2009-12-06 18:15 . 2001-08-17 23:56 7552 -c--a-w- g:\windows\system32\dllcache\sonypvu1.sys

2009-12-06 18:15 . 2001-08-17 23:56 7552 ----a-w- g:\windows\system32\drivers\SONYPVU1.SYS

2009-11-23 19:09 . 2009-11-23 19:09 152576 ----a-w- g:\documents and settings\Fabricio\Dados de aplicativos\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-23 19:09 . 2009-11-23 19:09 79488 ----a-w- g:\documents and settings\Fabricio\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-20 18:19 . 2009-11-20 18:19 -------- d-----w- g:\arquivos de programas\Microsoft Silverlight

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

4423-08-09 18:19 . 1857-01-01 00:00 56832 ----a-w- g:\windows\system32\iyvu9_32.dll

4423-08-09 18:19 . 1857-01-01 00:00 143872 ----a-w- g:\windows\system32\iacenc.dll

2009-12-07 22:15 . 2008-02-11 19:18 -------- d-----w- g:\documents and settings\Fabricio\Dados de aplicativos\DNA

2009-12-07 22:15 . 2008-02-11 19:18 -------- d-----w- g:\arquivos de programas\DNA

2009-12-07 17:46 . 2008-02-11 19:18 -------- d-----w- g:\documents and settings\Fabricio\Dados de aplicativos\BitTorrent

2009-12-07 15:19 . 2006-05-06 04:29 -------- d-----w- g:\arquivos de programas\Spybot - Search & Destroy

2009-12-07 15:19 . 2006-05-06 04:29 -------- d-----w- g:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2009-12-07 12:28 . 2009-12-07 12:28 0 ----a-w- g:\documents and settings\Fabricio\ntuser.tmp

2009-12-07 11:20 . 2009-12-07 11:20 16 ----a-w- g:\documents and settings\Fabricio\Dados de aplicativos\fvgqad.dat

2009-12-07 11:20 . 2009-12-07 11:20 4 ----a-w- g:\documents and settings\Fabricio\Dados de aplicativos\avdrn.dat

2009-11-30 18:42 . 2008-06-10 20:55 -------- d-----w- g:\arquivos de programas\DreMule

2009-11-23 19:11 . 2008-03-13 13:40 -------- d-----w- g:\arquivos de programas\Java

2009-11-13 20:09 . 2009-05-16 17:06 -------- d-----w- g:\arquivos de programas\BitTorrent

2009-11-01 10:59 . 2001-09-28 12:00 48846 ----a-w- g:\windows\system32\perfc016.dat

2009-11-01 10:59 . 2001-09-28 12:00 344734 ----a-w- g:\windows\system32\perfh016.dat

2009-10-28 04:11 . 2009-10-28 04:11 -------- d-----w- g:\arquivos de programas\Microsoft

2009-10-28 04:11 . 2008-06-11 23:10 -------- d-----w- g:\arquivos de programas\Windows Live

2009-10-28 04:10 . 2009-10-28 04:10 -------- d-----w- g:\arquivos de programas\Windows Live SkyDrive

2009-10-28 04:07 . 2009-10-28 04:07 -------- d-----w- g:\arquivos de programas\Arquivos comuns\Windows Live

2009-10-12 15:48 . 2006-11-28 21:56 -------- d-----w- g:\documents and settings\Fabricio\Dados de aplicativos\MSN6

2009-10-11 06:17 . 2008-12-17 09:20 411368 ----a-w- g:\windows\system32\deploytk.dll

2005-04-01 01:17 . 2006-05-04 20:44 40960 ----a-w- g:\arquivos de programas\Uninstall_CDS.exe

1999-04-01 15:53 . 1999-04-01 15:53 99840 ----a-w- g:\arquivos de programas\Arquivos comuns\IRAABOUT.DLL

1998-12-09 01:53 . 1998-12-09 01:53 70144 ----a-w- g:\arquivos de programas\Arquivos comuns\IRAMDMTR.DLL

1998-12-09 01:53 . 1998-12-09 01:53 48640 ----a-w- g:\arquivos de programas\Arquivos comuns\IRALPTTR.DLL

1998-12-09 01:53 . 1998-12-09 01:53 31744 ----a-w- g:\arquivos de programas\Arquivos comuns\IRAWEBTR.DLL

1998-12-09 01:53 . 1998-12-09 01:53 186368 ----a-w- g:\arquivos de programas\Arquivos comuns\IRAREG.DLL

1998-12-09 01:53 . 1998-12-09 01:53 17920 ----a-w- g:\arquivos de programas\Arquivos comuns\IRASRIAL.DLL

2006-05-03 09:06 . 2009-08-24 15:54 163328 --sh--r- g:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2009-08-24 15:54 31232 --sh--r- g:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2009-08-24 15:54 216064 --sh--r- g:\windows\system32\nbDX.dll

.

 

------- Sigcheck -------

 

[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . g:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . g:\windows\system32\dllcache\tcpip.sys

[-] 2006-04-20 . B4E29943B4B04BD5E7381546848E6669 . 359808 . . [5.1.2600.2892] . . g:\windows\system32\drivers\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . g:\windows\$NtUninstallKB917953$\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . g:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2002-08-29 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . g:\windows\$NtServicePackUninstall$\tcpip.sys

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "g:\arquivos de programas\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

 

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="g:\arquivos de programas\DNA\btdna.exe" [2009-11-13 323392]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="g:\arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]

"NeroFilterCheck"="g:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"ASUS Probe"="g:\program files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 617984]

"type32"="g:\arquivos de programas\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]

"IntelliPoint"="g:\arquivos de programas\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]

"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]

"nwiz"="nwiz.exe" [2008-05-03 1630208]

"desp2k"="g:\arquivos de programas\Turbo\Manager\desp2k.exe" [2005-03-16 61440]

"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"WinLogT"="g:\windows\WinLogT.exe" [2006-03-30 500224]

"AVG8_TRAY"="g:\arquiv~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]

"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2008-05-03 86016]

"TkBellExe"="g:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2009-07-13 185896]

"DAEMON Tools-1033"="g:\arquivos de programas\D-Tools\daemon.exe" [2004-08-22 81920]

"SunJavaUpdateSched"="g:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="g:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

 

g:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - g:\arquivos de programas\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Symantec Fax Starter Edition Port.lnk - g:\arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE [1999-4-1 46080]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 13:13 11952 ----a-w- g:\windows\system32\avgrsstx.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"g:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"g:\\WINDOWS\\system32\\sessmgr.exe"=

"g:\\Arquivos de programas\\DNA\\btdna.exe"=

"g:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=

"g:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"=

"g:\\Arquivos de programas\\DreMule\\emule.exe"=

"g:\\WINDOWS\\system32\\mmc.exe"=

"g:\\Arquivos de programas\\SopCast\\adv\\SopAdver.exe"=

"g:\\Arquivos de programas\\AVG\\AVG8\\avgemc.exe"=

"g:\\Arquivos de programas\\AVG\\AVG8\\avgnsx.exe"=

"g:\\Arquivos de programas\\Java\\jre6\\bin\\javaws.exe"=

"g:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=

"g:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"g:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"g:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

 

R0 d347bus;d347bus;g:\windows\system32\drivers\d347bus.sys [20/8/2007 11:30 155136]

R0 d347prt;d347prt;g:\windows\system32\drivers\d347prt.sys [20/8/2007 11:30 5248]

R1 AvgLdx86;AVG AVI Loader Driver x86;g:\windows\system32\drivers\avgldx86.sys [13/5/2008 14:00 335240]

R1 AvgTdiX;AVG8 Network Redirector;g:\windows\system32\drivers\avgtdix.sys [13/5/2008 14:00 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;g:\arquiv~1\AVG\AVG8\avgemc.exe [2/7/2008 18:29 908056]

R2 avg8wd;AVG8 WatchDog;g:\arquiv~1\AVG\AVG8\avgwdsvc.exe [24/11/2008 19:16 297752]

R2 PStrip;PStrip;g:\windows\system32\drivers\PStrip.sys [23/7/2001 21:31 21616]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);g:\windows\system32\drivers\RMSPPPOE.SYS [10/6/2002 00:09 31232]

S2 GF0003;GASIA GF0003 Filter Driver;g:\windows\system32\drivers\GF0003.sys [25/12/2007 19:18 9216]

S2 gupdate1ca391a32c9cf60;Google Update Service (gupdate1ca391a32c9cf60);g:\arquivos de programas\Google\Update\GoogleUpdate.exe [19/9/2009 09:13 133104]

.

------- Scan Suplementar -------

.

IE: E&xportar para o Microsoft Excel - g:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKCU-Run-PowerBar - (no file)

AddRemove-Adobe Acrobat 5.0 - g:\windows\ISUNINST.EXE -fg:\arquivos de programas\Arquivos comuns\Adobe\Acrobat 5.0\NT\Uninst.isu -cg:\arquivos de programas\Arquivos comuns\Adobe\Acrobat 5.0\NT\Uninst.dll

AddRemove-ASUS Probe V2.24.09 - g:\program files\ASUS\Asus Probe\DeIsL1.isu -cg:\program files\ASUS\Asus Probe\probunis.dll

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-07 20:14

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PowerBar = ????????????????????7F?w????????????l?@?l?@?<????E?w?????????????E?wl?@?l?@?????????????????v??w???w?????E?w?E?wp????????F?w???????? ??????????????wp???0??????????? Ent?F?w????????????????>!??2???9???????l?@?l?@?????MB?w????t?@?????l?@?8?@?l?@????s???????????

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A0DC988]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf764bfc3

\Driver\ACPI -> ACPI.sys @ 0xf7588cb8

\Driver\atapi -> 0x8a0dc988

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e19a

ParseProcedure -> ntoskrnl.exe @ 0x8057c74d

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e19a

ParseProcedure -> ntoskrnl.exe @ 0x8057c74d

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.24.09]

@DACL=(02 0000)

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'explorer.exe'(1916)

g:\windows\system32\WPDShServiceObj.dll

g:\windows\system32\PortableDeviceTypes.dll

g:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

g:\arquivos de programas\Java\jre6\bin\jqs.exe

g:\windows\system32\nvsvc32.exe

g:\arquiv~1\AVG\AVG8\avgrsx.exe

g:\arquiv~1\AVG\AVG8\avgnsx.exe

g:\arquivos de programas\AVG\AVG8\avgcsrvx.exe

g:\windows\system32\wscntfy.exe

g:\windows\SOUNDMAN.EXE

g:\windows\System32\wbem\wmiapsrv.exe

g:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Tempo para conclusão: 2009-12-07 20:23 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-12-07 22:23

 

Pré-execução: 13 pasta(s) 31.711.059.968 bytes disponíveis

Pós execução: 16 pasta(s) 31.589.167.104 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

C:\="Microsoft Windows"

 

- - End Of File - - 515F96462AB99FE4A446C79D074328DA

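As an added example (not part of this thread and not ComboFix's own code), a small Python triage script that applies three checks to ComboFix log lines of the kind posted above: an unverified ([-]) copy of a system file whose MD5 differs from a verified ([7]) copy of the same version and size, impossible file timestamps, and system32 files carrying hidden+system attributes. The sample lines are copied from the log above; the regex layouts and the 1980 cut-off are my assumptions about the ComboFix format.

```python
"""Triage checks over ComboFix log lines (added example, not from the thread).

Signals a responder looks for in a log like the one above: a system file whose
unverified ([-]) copy has a different MD5 than a verified ([7]) copy of the same
version and size (altered in place); impossible timestamps (timestomping);
and system32 files with hidden+system attributes (--sh--r-)."""
import re
from collections import defaultdict
from datetime import date, datetime

# Sigcheck line: [7] 2006-04-20 . <MD5> . 360576 . . [5.1.2600.2892] . . g:\...\tcpip.sys
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)
# Find3M line: 2006-05-03 09:06 . 2009-08-24 15:54 163328 --sh--r- g:\...\flvDX.dll
FIND3M_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>\S.*)$"
)

def _key(entry):
    """Group Sigcheck copies by file name, version and size."""
    return (entry["path"].rsplit("\\", 1)[-1].lower(), entry["ver"], entry["size"])

def hash_mismatches(lines):
    """(path, md5, [verified md5s]) for each [-] copy whose hash differs from
    a [7] copy with the same name, version and size."""
    entries = [m.groupdict() for m in map(SIGCHECK_RE.match, lines) if m]
    verified = defaultdict(set)
    for e in entries:
        if e["flag"] == "7":
            verified[_key(e)].add(e["md5"].upper())
    findings = []
    for e in entries:
        good = verified.get(_key(e), set())
        if e["flag"] == "-" and good and e["md5"].upper() not in good:
            findings.append((e["path"], e["md5"].upper(), sorted(good)))
    return findings

def impossible_timestamps(lines, scan_day):
    """(path, [bad stamps]) where a stamp is later than the scan day or
    earlier than 1980 (no genuine file on an XP box can predate that)."""
    findings = []
    for m in filter(None, map(FIND3M_RE.match, lines)):
        bad = []
        for stamp in (m["t1"], m["t2"]):
            t = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
            if t.date() > scan_day or t.year < 1980:
                bad.append(stamp)
        if bad:
            findings.append((m["path"], bad))
    return findings

def hidden_system_files(lines):
    """(path, attr) for non-directory entries under system32 carrying both
    the hidden (h) and system (s) attribute flags."""
    findings = []
    for m in filter(None, map(FIND3M_RE.match, lines)):
        attr = m["attr"]
        if attr[0] != "d" and "s" in attr and "h" in attr \
                and "\\system32\\" in m["path"].lower():
            findings.append((m["path"], attr))
    return findings

def analyze(log_text, scan_day):
    """Run all three checks over raw ComboFix log text."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    return {
        "hash_mismatches": hash_mismatches(lines),
        "impossible_timestamps": impossible_timestamps(lines, scan_day),
        "hidden_system_files": hidden_system_files(lines),
    }

# Sample input: lines copied from the first ComboFix log in this thread.
SAMPLE_LOG = r"""
ComboFix 09-12-06.A3 - Fabricio 07/12/2009 17:51.1.2 - x86
4423-08-09 18:19 . 1857-01-01 00:00 56832 ----a-w- g:\windows\system32\iyvu9_32.dll
4423-08-09 18:19 . 1857-01-01 00:00 143872 ----a-w- g:\windows\system32\iacenc.dll
2009-12-07 22:15 . 2008-02-11 19:18 -------- d-----w- g:\arquivos de programas\DNA
2009-10-11 06:17 . 2008-12-17 09:20 411368 ----a-w- g:\windows\system32\deploytk.dll
2006-05-03 09:06 . 2009-08-24 15:54 163328 --sh--r- g:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-24 15:54 31232 --sh--r- g:\windows\system32\msfDX.dll
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . g:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . g:\windows\system32\dllcache\tcpip.sys
[-] 2006-04-20 . B4E29943B4B04BD5E7381546848E6669 . 359808 . . [5.1.2600.2892] . . g:\windows\system32\drivers\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . g:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2002-08-29 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . g:\windows\$NtServicePackUninstall$\tcpip.sys
"""
SCAN_DAY = date(2009, 12, 7)  # date in the log header

if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_LOG, SCAN_DAY).items():
        print(check, hits)
```

The SP2QFE copy is deliberately left unflagged: same version but a different size is a different build, so only a same-version, same-size hash mismatch is treated as an in-place modification.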

Good evening Fabricio78

*Open Notepad, then select, copy and paste into it all of the contents of the code below:

File::

g:\windows\system32\fjhdyfhsn.bat

g:\documents and settings\Fabricio\Dados de aplicativos\fvgqad.dat

g:\documents and settings\Fabricio\Dados de aplicativos\avdrn.dat

*Save the file to the desktop as CFScript.txt

*Drag the file onto ComboFix as shown in the illustration below:

[image: CFScript.gif]

*Important: while ComboFix is running, do not use the mouse or the keyboard! To abort the process, press N or 2.

*Paste the report created at C:\combofix.txt and a new HijackThis log


This is for removing the malicious files.

Read the procedure carefully...


COMBOFIX LOG:

 

ComboFix 09-12-07.04 - Fabricio 07/12/2009 23:18.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1535.942 [GMT -2:00]

Executando de: g:\documents and settings\Fabricio\Desktop\ComboFix.exe

Comandos utilizados :: g:\documents and settings\Fabricio\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

 

FILE ::

"g:\documents and settings\Fabricio\Dados de aplicativos\avdrn.dat"

"g:\documents and settings\Fabricio\Dados de aplicativos\fvgqad.dat"

"g:\windows\system32\fjhdyfhsn.bat"

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

g:\documents and settings\Fabricio\Dados de aplicativos\avdrn.dat

g:\documents and settings\Fabricio\Dados de aplicativos\fvgqad.dat

g:\windows\system32\fjhdyfhsn.bat

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-11-08 to 2009-12-08 ))))))))))))))))))))))))))))

.

 

2009-12-07 18:18 . 2009-12-07 19:09 -------- d-----w- g:\arquivos de programas\Ad-Remover

2009-12-07 16:34 . 2009-12-07 16:34 -------- d-----w- g:\documents and settings\Fabricio\Dados de aplicativos\Malwarebytes

2009-12-07 16:34 . 2009-12-03 18:14 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys

2009-12-07 16:34 . 2009-12-07 16:34 -------- d-----w- g:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-12-07 16:34 . 2009-12-07 16:34 -------- d-----w- g:\arquivos de programas\Malwarebytes' Anti-Malware

2009-12-07 16:34 . 2009-12-03 18:13 19160 ----a-w- g:\windows\system32\drivers\mbam.sys

2009-12-06 18:15 . 2001-08-17 23:56 7552 -c--a-w- g:\windows\system32\dllcache\sonypvu1.sys

2009-12-06 18:15 . 2001-08-17 23:56 7552 ----a-w- g:\windows\system32\drivers\SONYPVU1.SYS

2009-11-23 19:09 . 2009-11-23 19:09 152576 ----a-w- g:\documents and settings\Fabricio\Dados de aplicativos\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-23 19:09 . 2009-11-23 19:09 79488 ----a-w- g:\documents and settings\Fabricio\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-20 18:19 . 2009-11-20 18:19 -------- d-----w- g:\arquivos de programas\Microsoft Silverlight

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

4423-08-09 18:19 . 1857-01-01 00:00 56832 ----a-w- g:\windows\system32\iyvu9_32.dll

4423-08-09 18:19 . 1857-01-01 00:00 143872 ----a-w- g:\windows\system32\iacenc.dll

2009-12-08 01:25 . 2008-02-11 19:18 -------- d-----w- g:\documents and settings\Fabricio\Dados de aplicativos\DNA

2009-12-07 22:15 . 2008-02-11 19:18 -------- d-----w- g:\arquivos de programas\DNA

2009-12-07 17:46 . 2008-02-11 19:18 -------- d-----w- g:\documents and settings\Fabricio\Dados de aplicativos\BitTorrent

2009-12-07 15:19 . 2006-05-06 04:29 -------- d-----w- g:\arquivos de programas\Spybot - Search & Destroy

2009-12-07 15:19 . 2006-05-06 04:29 -------- d-----w- g:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2009-12-07 12:28 . 2009-12-07 12:28 0 ----a-w- g:\documents and settings\Fabricio\ntuser.tmp

2009-11-30 18:42 . 2008-06-10 20:55 -------- d-----w- g:\arquivos de programas\DreMule

2009-11-23 19:11 . 2008-03-13 13:40 -------- d-----w- g:\arquivos de programas\Java

2009-11-13 20:09 . 2009-05-16 17:06 -------- d-----w- g:\arquivos de programas\BitTorrent

2009-11-01 10:59 . 2001-09-28 12:00 48846 ----a-w- g:\windows\system32\perfc016.dat

2009-11-01 10:59 . 2001-09-28 12:00 344734 ----a-w- g:\windows\system32\perfh016.dat

2009-10-28 04:11 . 2009-10-28 04:11 -------- d-----w- g:\arquivos de programas\Microsoft

2009-10-28 04:11 . 2008-06-11 23:10 -------- d-----w- g:\arquivos de programas\Windows Live

2009-10-28 04:10 . 2009-10-28 04:10 -------- d-----w- g:\arquivos de programas\Windows Live SkyDrive

2009-10-28 04:07 . 2009-10-28 04:07 -------- d-----w- g:\arquivos de programas\Arquivos comuns\Windows Live

2009-10-12 15:48 . 2006-11-28 21:56 -------- d-----w- g:\documents and settings\Fabricio\Dados de aplicativos\MSN6

2009-10-11 06:17 . 2008-12-17 09:20 411368 ----a-w- g:\windows\system32\deploytk.dll

2005-04-01 01:17 . 2006-05-04 20:44 40960 ----a-w- g:\arquivos de programas\Uninstall_CDS.exe

1999-04-01 15:53 . 1999-04-01 15:53 99840 ----a-w- g:\arquivos de programas\Arquivos comuns\IRAABOUT.DLL

1998-12-09 01:53 . 1998-12-09 01:53 70144 ----a-w- g:\arquivos de programas\Arquivos comuns\IRAMDMTR.DLL

1998-12-09 01:53 . 1998-12-09 01:53 48640 ----a-w- g:\arquivos de programas\Arquivos comuns\IRALPTTR.DLL

1998-12-09 01:53 . 1998-12-09 01:53 31744 ----a-w- g:\arquivos de programas\Arquivos comuns\IRAWEBTR.DLL

1998-12-09 01:53 . 1998-12-09 01:53 186368 ----a-w- g:\arquivos de programas\Arquivos comuns\IRAREG.DLL

1998-12-09 01:53 . 1998-12-09 01:53 17920 ----a-w- g:\arquivos de programas\Arquivos comuns\IRASRIAL.DLL

2006-05-03 09:06 . 2009-08-24 15:54 163328 --sh--r- g:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2009-08-24 15:54 31232 --sh--r- g:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2009-08-24 15:54 216064 --sh--r- g:\windows\system32\nbDX.dll

.

 

------- Sigcheck -------

 

[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . g:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . g:\windows\system32\dllcache\tcpip.sys

[-] 2006-04-20 . B4E29943B4B04BD5E7381546848E6669 . 359808 . . [5.1.2600.2892] . . g:\windows\system32\drivers\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . g:\windows\$NtUninstallKB917953$\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . g:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2002-08-29 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . g:\windows\$NtServicePackUninstall$\tcpip.sys

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "g:\arquivos de programas\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

 

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="g:\arquivos de programas\DNA\btdna.exe" [2009-11-13 323392]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="g:\arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]

"NeroFilterCheck"="g:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"ASUS Probe"="g:\program files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 617984]

"type32"="g:\arquivos de programas\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]

"IntelliPoint"="g:\arquivos de programas\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]

"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]

"nwiz"="nwiz.exe" [2008-05-03 1630208]

"desp2k"="g:\arquivos de programas\Turbo\Manager\desp2k.exe" [2005-03-16 61440]

"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"WinLogT"="g:\windows\WinLogT.exe" [2006-03-30 500224]

"AVG8_TRAY"="g:\arquiv~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]

"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2008-05-03 86016]

"TkBellExe"="g:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2009-07-13 185896]

"DAEMON Tools-1033"="g:\arquivos de programas\D-Tools\daemon.exe" [2004-08-22 81920]

"SunJavaUpdateSched"="g:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="g:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

 

g:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - g:\arquivos de programas\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Symantec Fax Starter Edition Port.lnk - g:\arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE [1999-4-1 46080]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 13:13 11952 ----a-w- g:\windows\system32\avgrsstx.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"g:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"g:\\WINDOWS\\system32\\sessmgr.exe"=

"g:\\Arquivos de programas\\DNA\\btdna.exe"=

"g:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=

"g:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"=

"g:\\Arquivos de programas\\DreMule\\emule.exe"=

"g:\\WINDOWS\\system32\\mmc.exe"=

"g:\\Arquivos de programas\\SopCast\\adv\\SopAdver.exe"=

"g:\\Arquivos de programas\\AVG\\AVG8\\avgemc.exe"=

"g:\\Arquivos de programas\\AVG\\AVG8\\avgnsx.exe"=

"g:\\Arquivos de programas\\Java\\jre6\\bin\\javaws.exe"=

"g:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=

"g:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"g:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"g:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

 

R0 d347bus;d347bus;g:\windows\system32\drivers\d347bus.sys [20/8/2007 11:30 155136]

R0 d347prt;d347prt;g:\windows\system32\drivers\d347prt.sys [20/8/2007 11:30 5248]

R1 AvgLdx86;AVG AVI Loader Driver x86;g:\windows\system32\drivers\avgldx86.sys [13/5/2008 14:00 335240]

R1 AvgTdiX;AVG8 Network Redirector;g:\windows\system32\drivers\avgtdix.sys [13/5/2008 14:00 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;g:\arquiv~1\AVG\AVG8\avgemc.exe [2/7/2008 18:29 908056]

R2 avg8wd;AVG8 WatchDog;g:\arquiv~1\AVG\AVG8\avgwdsvc.exe [24/11/2008 19:16 297752]

R2 PStrip;PStrip;g:\windows\system32\drivers\PStrip.sys [23/7/2001 21:31 21616]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);g:\windows\system32\drivers\RMSPPPOE.SYS [10/6/2002 00:09 31232]

S2 GF0003;GASIA GF0003 Filter Driver;g:\windows\system32\drivers\GF0003.sys [25/12/2007 19:18 9216]

S2 gupdate1ca391a32c9cf60;Google Update Service (gupdate1ca391a32c9cf60);g:\arquivos de programas\Google\Update\GoogleUpdate.exe [19/9/2009 09:13 133104]

.

------- Scan Suplementar -------

.

IE: E&xportar para o Microsoft Excel - g:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-07 23:29

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A0DC988]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf764bfc3

\Driver\ACPI -> ACPI.sys @ 0xf7588cb8

\Driver\atapi -> 0x8a0dc988

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e19a

ParseProcedure -> ntoskrnl.exe @ 0x8057c74d

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e19a

ParseProcedure -> ntoskrnl.exe @ 0x8057c74d

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.24.09]

@DACL=(02 0000)

.

Tempo para conclusão: 2009-12-07 23:34

ComboFix-quarantined-files.txt 2009-12-08 01:34

ComboFix2.txt 2009-12-07 22:23

 

Pré-execução: 15 pasta(s) 31.624.650.752 bytes disponíveis

Pós execução: 16 pasta(s) 31.591.981.056 bytes disponíveis

 

- - End Of File - - B54BE923E548269D09E66143EBBCBDBF

 

 

 

HIJACK LOG:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:48:10, on 7/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

G:\WINDOWS\System32\smss.exe

G:\WINDOWS\system32\winlogon.exe

G:\WINDOWS\system32\services.exe

G:\WINDOWS\system32\lsass.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\spoolsv.exe

G:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

G:\Arquivos de programas\Java\jre6\bin\jqs.exe

G:\WINDOWS\system32\nvsvc32.exe

G:\ARQUIV~1\AVG\AVG8\avgrsx.exe

G:\ARQUIV~1\AVG\AVG8\avgnsx.exe

G:\ARQUIV~1\AVG\AVG8\avgemc.exe

G:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe

G:\WINDOWS\system32\wscntfy.exe

G:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

G:\Arquivos de programas\Microsoft IntelliType Pro\type32.exe

G:\Arquivos de programas\Microsoft IntelliPoint\point32.exe

G:\WINDOWS\SOUNDMAN.EXE

G:\WINDOWS\System32\wbem\wmiapsrv.exe

G:\WINDOWS\WinLogT.exe

G:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

G:\Arquivos de programas\Java\jre6\bin\jusched.exe

G:\Arquivos de programas\DNA\btdna.exe

G:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\ctfmon.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\explorer.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Arquivos de programas\Google\Chrome\Application\chrome.exe

G:\Documents and Settings\Fabricio\Meus documentos\downloads\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - G:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - G:\Arquivos de programas\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [RemoteControl] "G:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ASUS Probe] G:\Program Files\ASUS\Asus Probe\AsusProb.exe

O4 - HKLM\..\Run: [type32] "G:\Arquivos de programas\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "G:\Arquivos de programas\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [desp2k] G:\Arquivos de programas\Turbo\Manager\desp2k.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [WinLogT] G:\WINDOWS\WinLogT.exe

O4 - HKLM\..\Run: [AVG8_TRAY] G:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [TkBellExe] "G:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sunJavaUpdateSched] "G:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "G:\Arquivos de programas\DNA\btdna.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = G:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = G:\Arquivos de programas\Microsoft Office\Office\1046\OLFSNT40.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://G:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: G:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab

O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_kqrp.cab55579.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://sympatico.zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192631346109

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab

O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab

O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://sympatico.zone.msn.com/binframework/v10/StProxy.cab55579.cab

O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab

O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab

O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{94E8DE38-24F6-4126-B69E-3AA78F770265}: Domain = @

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - G:\Arquivos de programas\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - G:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - G:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - G:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Update Service (gupdate1ca391a32c9cf60) (gupdate1ca391a32c9cf60) - Google Inc. - G:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SmartLinkService (SLService) - - G:\WINDOWS\SYSTEM32\slserv.exe


--

End of file - 9260 bytes


1.

*Run HijackThis, click [Do a system scan only], select the entries below and click [Fix checked]

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...61&gct=&gc=1&q=

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

*Close HijackThis

2.

*Click [Start] > [Run] > type: combofix /uninstall

*Click [OK]

*Click [Run]

*The message "ComboFix está desinstalado" (ComboFix is uninstalled) will appear

*Click [OK]

*Delete the folder C:\Combofix and the file C:\combofix.txt, if they still exist.

3.

*Download MBR.exe and save it to C:\

*Click Start > Run > type: c:\mbr.exe -f

*Click OK. If asked, allow the program to run. It will open and close quickly.

*Double-click C:\mbr.exe

*Paste the report created at C:\MBR.txt

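As an added example (not code from this thread or from HijackThis), a small Python script that reads HijackThis-style log lines and flags the kinds of entries the helper asked to fix: orphaned "(no file)" BHO/toolbar references, start/search page overrides pointing at a non-default host, and O23 services with no publisher recorded. The sample lines, the placeholder search host and the trusted-host allow-list are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format (modelled on the thread's log, not the full log).
# The search URL host is a placeholder, not the real address from the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.example.invalid/?q=
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] G:\ARQUIV~1\AVG\AVG8\avgtray.exe
O23 - Service: SmartLinkService (SLService) - - G:\WINDOWS\SYSTEM32\slserv.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Hosts that IE's default start/search pages live on (assumption used as an allow-list).
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "live.com")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line, skipping headers."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def review(entries):
    """Return (section, reason, body) for entries worth fixing or verifying."""
    findings = []
    for sec, body in entries:
        if body.endswith("(no file)"):
            # Registry still references a BHO/toolbar whose DLL is gone: safe to fix.
            findings.append((sec, "orphaned entry, referenced file is missing", body))
        elif sec in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if url and not host_is_trusted(url):
                findings.append((sec, "start/search page overridden to a non-default host", body))
        elif sec == "O23" and " - - " in body:
            # Empty publisher column: HijackThis could not attribute the service binary.
            findings.append((sec, "service has no publisher recorded, verify the binary", body))
    return findings
```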

Good morning Fabricio78

OK... the PC is clean.

1.

*Delete the files C:\mbr.exe and C:\mbr.txt

2.

*Download and install CCleaner

*Open the program and, in the right-hand column, scroll down to the "Advanced" option and select "Old Prefetch data"

*Click [Run Cleaner]

*Then click [Registry] -> [Scan for errors] -> [Fix Selected Errors] -> [Fix All Selected Errors]

Regards.
