[Resolvido!] sality aa

[wings 22]

*Abra o bloco de notas, selecione, copie e cole nele todo o conteúdo do código abaixo:

 

File::

C:\sdat4900.exe

 

*Salve o arquivo no desktop como CFScript.txt

*Arraste o arquivo para o Combofix conforme ilustração abaixo:

 

 

 

*Importante: enquanto o combofix estiver em execução, não use o mouse nem o teclado!!

 

*Ao final do procedimento, o programa será fechado automaticamente e será mostrado o relatório

*Cole o relatório criado em C:\combofix.txt

[andersonekarol 0]

ComboFix 09-12-20.08 - Administrador 28/12/2009 9:00.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.324 [GMT -2:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

FILE ::

"C:\sdat4900.exe"

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Dir.Tmp

C:\sdat4900.exe

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-11-28 to 2009-12-28 ))))))))))))))))))))))))))))

.

 

2009-12-22 17:10 . 2009-12-22 17:10 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\100003e800002i\PDFEdit.exe

2009-12-22 17:08 . 2009-12-22 17:10 -------- d-----w- c:\arquivos de programas\PDF Editor 2

2009-12-22 17:08 . 2009-12-22 17:08 74752 ----a-w- c:\windows\cadkasdeinst01e.exe

2009-12-21 11:48 . 2009-12-04 12:41 151816 ----a-w- c:\documents and settings\Administrador\SalityKiller.exe.exe

2009-12-21 11:26 . 2009-12-21 11:26 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-12-18 19:58 . 2009-12-18 19:58 -------- d-----w- c:\documents and settings\Administrador\DoctorWeb

2009-12-18 19:04 . 2009-12-21 10:31 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Autorun Eater

2009-12-18 18:57 . 2009-12-18 18:57 -------- d-sh--w- c:\documents and settings\s123456\IETldCache

2009-12-18 18:57 . 2009-12-18 18:57 -------- d-----w- c:\documents and settings\s123456\Menu Iniciar

2009-12-18 18:05 . 2009-12-18 18:10 7168 ----a-w- c:\windows\system32\drivers\uteznzg0.sys

2009-12-18 17:29 . 2009-12-18 17:29 -------- d-----w- c:\arquivos de programas\Trend Micro

2009-12-18 13:17 . 2009-10-22 14:54 37392 ----a-w- c:\windows\system32\drivers\66125102.sys

2009-12-18 13:17 . 2009-10-10 00:31 315408 ----a-w- c:\windows\system32\drivers\6612510.sys

2009-12-18 13:17 . 2009-09-25 18:59 128016 ----a-w- c:\windows\system32\drivers\66125101.sys

2009-12-18 11:08 . 2009-12-18 11:08 -------- d-----r- c:\documents and settings\LocalService\Favoritos

2009-12-18 11:06 . 2008-10-09 11:02 53618 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Avira\AntiVir Desktop\CONFIG\aebb.dll

2009-12-18 10:42 . 2009-12-18 10:42 -------- d-----w- c:\windows\system32\wbem\Repository

2009-12-16 14:40 . 2009-12-16 14:40 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\400000600002i\AcroRd32Info.exe

2009-12-16 14:40 . 2009-12-16 14:40 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\1000000b00002i\verclsid.exe

2009-12-15 15:59 . 2009-12-15 15:59 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\AnvSoft

2009-12-15 10:58 . 2009-12-18 18:56 -------- d-----w- c:\arquivos de programas\GbPlugin

2009-12-14 17:11 . 2009-12-18 18:57 -------- d--h--w- c:\documents and settings\Administrador\Recent(2)

2009-12-12 03:55 . 2005-07-25 18:57 4779 ----a-w- c:\windows\mozilla.vbs

2009-12-12 03:55 . 2005-08-01 12:07 32768 ----a-w- c:\windows\system\grouppol.dll

2009-12-12 03:55 . 2005-08-01 12:07 32768 ----a-w- c:\windows\grouppol.dll

2009-12-11 17:30 . 1999-02-04 20:24 515598 ----a-w- C:\Darius Force.zip

2009-12-11 17:25 . 2000-04-17 16:13 347480 ----a-w- C:\Super Mario World (Brasil).zip

2009-12-11 17:25 . 1999-02-03 22:03 1325273 ----a-w- C:\Super Mario World 2.zip

2009-12-11 17:22 . 1999-02-20 13:58 347560 ----a-w- C:\Super Mario World.zip

2009-12-11 17:19 . 2009-12-18 18:57 -------- d-----w- C:\super ness

2009-12-11 17:17 . 2009-12-18 18:57 -------- d-----w- C:\jogos

2009-12-11 04:49 . 2009-12-11 04:54 -------- d-----w- c:\documents and settings\s123456\Dados de aplicativos\Media Player Classic

2009-12-11 04:23 . 2009-12-28 11:05 -------- d--h--w- c:\documents and settings\s123456\Configurações locais

2009-12-11 04:23 . 2009-12-11 04:49 -------- d-----w- c:\documents and settings\s123456\Dados de aplicativos

2009-12-11 04:23 . 2009-12-18 18:57 -------- d-----w- c:\documents and settings\s123456

2009-12-11 04:23 . 2009-12-14 17:11 -------- d-----w- c:\documents and settings\s123456\Favoritos

2009-12-04 14:51 . 2009-12-04 12:41 151816 ----a-w- C:\SalityKiller.exe.exe

2009-12-02 13:31 . 2009-12-02 13:32 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Media Player Classic

2009-12-02 04:13 . 2009-12-02 04:13 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hewlett-Packard

2009-12-01 12:37 . 2009-12-01 12:39 -------- d-----w- c:\arquivos de programas\Readiris Pro 11

2009-12-01 12:36 . 2009-12-01 12:36 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2009-12-01 12:35 . 2009-12-01 12:35 -------- d-----w- c:\arquivos de programas\Hewlett-Packard

2009-12-01 12:35 . 2009-12-02 04:13 -------- d-----w- C:\Program Files

2009-12-01 12:35 . 2006-08-11 15:02 104960 ----a-r- c:\windows\hporclnr.exe

2009-12-01 12:33 . 2009-12-01 12:34 -------- d-----w- c:\arquivos de programas\HP

2009-12-01 12:33 . 2008-04-13 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-12-01 12:33 . 2008-04-13 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-12-01 12:33 . 2001-09-05 19:20 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll

2009-12-01 12:33 . 2001-09-05 19:20 87040 ----a-w- c:\windows\system32\wiafbdrv.dll

2009-12-01 12:14 . 2005-10-07 23:29 445440 ----a-w- c:\windows\system32\ltimg13n.dll

2009-12-01 12:12 . 2009-12-01 12:12 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\HP

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-22 15:19 . 2009-11-17 13:12 1 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys

2009-12-21 20:07 . 2009-11-09 17:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\avg8

2009-12-21 13:08 . 2009-12-14 17:15 2754 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2009-12-21 13:08 . 2008-04-14 10:00 62474 ----a-w- c:\windows\system32\perfc016.dat

2009-12-21 13:08 . 2008-04-14 10:00 416384 ----a-w- c:\windows\system32\perfh016.dat

2009-12-15 16:39 . 2009-11-19 05:39 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-15 10:59 . 2009-11-28 08:58 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-12-10 04:16 . 2009-11-27 09:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-04 11:55 . 2009-11-17 07:00 1632 ----a-w- c:\windows\system32\d3d8caps.dat

2009-12-03 07:09 . 2009-11-17 12:40 -------- d-----w- c:\arquivos de programas\IBM3270

2009-12-01 12:14 . 2009-12-01 12:12 -------- d--h--w- c:\arquivos de programas\Agilent-HP

2009-11-28 07:08 . 2009-11-28 07:08 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\400000ea00002i\AdobeARM.exe

2009-11-28 07:07 . 2009-11-28 07:07 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\4000005400002i\AcroRd32.exe

2009-11-28 07:02 . 2009-11-28 07:02 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall

2009-11-27 07:29 . 2009-11-27 07:29 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira

2009-11-27 07:29 . 2009-11-27 07:29 -------- d-----w- c:\arquivos de programas\Avira

2009-11-24 13:30 . 2009-11-17 09:54 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-11-24 10:10 . 2009-11-24 10:10 -------- d-----w- c:\arquivos de programas\7-Zip

2009-11-19 05:09 . 2009-11-19 05:09 -------- d-----w- c:\arquivos de programas\Lexmark

2009-11-18 11:04 . 2009-11-18 11:04 -------- d-----w- c:\arquivos de programas\Lexmark_HostCD

2009-11-18 05:51 . 2009-11-09 17:02 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2009-11-18 05:16 . 2009-11-18 05:16 -------- d-----w- c:\arquivos de programas\GPLGS

2009-11-18 05:14 . 2009-11-18 05:14 -------- d-----w- c:\arquivos de programas\Acro Software

2009-11-17 13:10 . 2009-11-17 13:10 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\BrOffice.org

2009-11-17 11:50 . 2009-11-17 11:50 -------- d-----w- c:\arquivos de programas\EPSON

2009-11-17 10:03 . 2001-12-31 19:34 1 ----a-w- c:\documents and settings\AET-\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys

2009-11-17 10:00 . 2009-11-17 10:00 -------- d-----w- c:\arquivos de programas\Microsoft Works

2009-11-17 10:00 . 2009-11-17 10:00 -------- d-----w- c:\arquivos de programas\MSBuild

2009-11-11 05:27 . 2009-11-09 16:34 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-11-11 04:59 . 2009-11-11 04:59 -------- d-----w- c:\arquivos de programas\Marcos Velasco Security

2009-11-11 04:59 . 2009-11-11 04:59 -------- d-----w- c:\arquivos de programas\CCleaner

2009-11-11 04:44 . 2009-11-11 04:46 2064152 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgcorex.dll

2009-11-11 04:44 . 2009-11-11 04:46 1090224 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\AVGToolbarInstall.exe

2009-11-11 04:44 . 2009-11-11 04:46 3513624 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgui.exe

2009-11-11 04:44 . 2009-11-11 04:46 2028312 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgtray.exe

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\documents and settings\AET-\Dados de aplicativos\Media Player Classic

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\documents and settings\AET-\Dados de aplicativos\bsplayer

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\arquivos de programas\K-Lite Codec Pack

2009-11-09 17:28 . 2009-11-09 17:28 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nero

2009-11-09 17:24 . 2009-11-09 17:24 -------- d-----w- c:\arquivos de programas\Ahead

2009-11-09 17:24 . 2009-11-09 17:24 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Ahead

2009-11-09 17:23 . 2009-11-09 17:20 -------- d-----w- c:\arquivos de programas\Java

2009-11-09 17:19 . 2009-11-09 17:19 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2009-11-09 17:18 . 2009-11-09 17:18 -------- d-----w- c:\arquivos de programas\BrOffice.org 3

2009-11-09 17:13 . 2009-11-11 04:45 11952 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgrsstx.dll

2009-11-09 17:13 . 2009-11-11 04:46 325896 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgldx86.sys

2009-11-09 17:13 . 2009-11-11 04:45 27784 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgmfx86.sys

2009-11-09 17:05 . 2009-11-09 17:05 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\WinZip

2009-11-09 16:37 . 2009-11-09 16:37 -------- d-----w- c:\arquivos de programas\microsoft frontpage

2009-11-09 16:35 . 2009-11-09 16:35 -------- d-----w- c:\arquivos de programas\Windows Media Connect 2

2009-11-09 16:33 . 2009-11-09 16:33 -------- d-----w- c:\arquivos de programas\Serviços on-line

2009-11-09 16:32 . 2009-11-09 16:32 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Serviços

2009-11-09 16:31 . 2009-11-09 16:31 21844 ----a-w- c:\windows\system32\emptyregdb.dat

2009-11-05 04:09 . 2009-11-18 05:14 87552 ----a-w- c:\windows\system32\cpwmon2k.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LMab1err"="c:\arquivos de programas\Lexmark\ErrorApp\LMab1err.exe" [2007-05-11 713648]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-12-22 98304]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"HideShutdownScripts"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"ProfileQuotaMessage"= Você ultrapassou o espaço de armazenamento de seu perfil. Para poder efetuar logoff, você precisa mover alguns itens do perfil para a rede ou para o armazenamento local.

"HideLogonScripts"= 1 (0x1)

"MaxProfileSize"= 30000 (0x7530)

"WarnUserTimeout"= 15 (0xf)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSetTaskbar"= 1 (0x1)

"NoFileAssociate"= 1 (0x1)

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^BrOffice.org 3.1.lnk]

backup=c:\windows\pss\BrOffice.org 3.1.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^Recorte de tela e Iniciador do OneNote 2007.lnk]

backup=c:\windows\pss\Recorte de tela e Iniciador do OneNote 2007.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^setup_9.0.0.722_18.12.2009_14-46.lnk]

path=c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\setup_9.0.0.722_18.12.2009_14-46.lnk

backup=c:\windows\pss\setup_9.0.0.722_18.12.2009_14-46.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 07:38 935288 ----a-r- c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-02 23:38 35696 ----a-w- c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP OrderReminder Cleaner]

2006-08-11 15:02 104960 ----a-r- c:\windows\hporclnr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]

2006-04-23 14:32 36864 ----a-w- c:\arquivos de programas\Hewlett-Packard\HP UT\bin\hppusg.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\LMabcoms.exe"=

 

R0 66125102;66125102 Boot Guard Driver;c:\windows\system32\drivers\66125102.sys [18/12/2009 11:17 37392]

R1 66125101;66125101;c:\windows\system32\drivers\66125101.sys [18/12/2009 11:17 128016]

R1 setup_9.0.0.722_18.12.2009_14-46drv;setup_9.0.0.722_18.12.2009_14-46drv;c:\windows\system32\drivers\6612510.sys [18/12/2009 11:17 315408]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [27/11/2009 07:38 108289]

S3 uteznzg0;AVZ Kernel Driver;c:\windows\system32\drivers\uteznzg0.sys [18/12/2009 16:05 7168]

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{31IOP6M8-1DAB-81AD-BOK1-26OC5H3565645}]

2001-12-31 19:31 0 ----a-w- c:\tender\InterPol\NkeY.exe

.

------- Scan Suplementar -------

.

uStart Page = www.pmmg.mg.gov.br

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\fognkhzu.default\

FF - prefs.js: browser.startup.homepage - hxxps://intranet.policiamilitar.mg.gov.br/

FF - prefs.js: network.proxy.type - 2

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\fognkhzu.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava11.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava12.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava13.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava14.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava32.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjpi170.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npoji610.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npOGAPlugin.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos:

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_USERS\S-1-5-21-117609710-796845957-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,cb,44,6f,99,b0,92,40,95,8b,58,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,cb,44,6f,99,b0,92,40,95,8b,58,\

.

Tempo para conclusão: 2009-12-28 09:07:31

ComboFix-quarantined-files.txt 2009-12-28 11:07

ComboFix2.txt 2009-12-22 10:39

ComboFix3.txt 2009-12-21 19:54

ComboFix4.txt 2009-12-21 15:17

 

Pré-execução: 11 pasta(s) 24.337.661.952 bytes disponíveis

Pós execução: 12 pasta(s) 24.306.282.496 bytes disponíveis

 

- - End Of File - - A58D15085A12E54EED9D80871FCED083

[andersonekarol 0]

bom dia Wings,

estou desconfiado que este virus esta vindo da rede,ou está no nosso servidor.

[wings 22]

Bom dia andersonekarol

 

 

O log do combofix está limpo.

 

 

1.

*Delete o arquivo C:\sality.exe.exe

 

2.

*Clique em [iniciar] > [Executar] > digite: combofix /uninstall

*Clique OK

*Delete o arquivo C:\combofix.txt

3.

*Baixe o DrWebCureit e salve-o no desktop

*Duplo clique em launch.exe

*Clique em [Opções] e altere a linguagem para Português

*Na aba [Verificar] selecione a opção [Verificação completa] e clique na seta para iniciar o scan.

*Ao término, clique em [Ficheiro] e selecione a opção [Guardar lista de relatórios] e salve no desktop

*Cole o relatório criado no desktop

[andersonekarol 0]

não achei o

C:\sality.exe.exe

acho que não ta aqui não.

[andersonekarol 0]

enquadramento Cb Johnderson 2007.xls C:\Documents and Settings\Administrador\Meus documentos\volume\backup 30out09\MEU PÚBLICO\enquadramentos Provavelmente Office.Exploit Incurável.Eliminado.

enquadramento Cb Johnderson 2007.xls C:\Documents and Settings\Administrador\Meus documentos\volume\backup 30out09\MEU PÚBLICO\enquadramentos\Enquadramento 2007 Provavelmente Office.Exploit Incurável.Eliminado.

pv.exe C:\Arquivos de programas\Agilent-HP\{db1b753d-2c87-42d8-8a92-2ee068ec791e}\OrderReminder\data\uninstall Program.PrcView.3741

4b61123e.qua\data001 C:\Documents and Settings\All Users\Dados de aplicativos\Avira\AntiVir Desktop\INFECTED\4b61123e.qua Win32.Sector.16

pv.exe C:\Program Files\Hewlett-Packard\OrderReminder\uninstall Program.PrcView.3741

A0026765.bat C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP57 Provavelmente BATCH.Virus

A0027830.bat C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP57 Provavelmente BATCH.Virus

A0027956.bat C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP57 Provavelmente BATCH.Virus

A0028257.bat C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP59 Provavelmente BATCH.Virus

A0028389.bat C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP59 Provavelmente BATCH.Virus

A0028457.exe C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP59 Win32.Sector.16 Desinfectado.

A0029529.bat C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP59 Provavelmente BATCH.Virus

A0029656.exe\32788R22FWJFW\List-C.bat C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP59\A0029656.exe Provavelmente BATCH.Virus

A0029656.exe C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP59 O arquivo contém objectos infectados Movido.

A0029692.bat C:\System Volume Information\_restore{164D03CF-7EF6-41FA-9CA1-05A141FAF394}\RP59 Provavelmente BATCH.Virus

[andersonekarol 0]

eu devo selecionar todos e curar, mover ou eliminar?

mais uma coisa,

você acha que devo trocar de anti-virus?

estou usando o avira.

[wings 22]

Boa noite andersonekarol

 

1.

*Clique com o botão direito do mouse em "Meu computador" > selecione "Propriedades" > "Restauração do Sistema" > marque: "Desativar restauração do sistema" > OK > SIM

 

 

2.

*Ative novamente a restauração do sistema pelo mesmo caminho.

 

3.

*Delete o DrWebCureit e seu relatório.

 

 

Mantenha o Avira como antivírus.

 

 

Seu PC está limpo.

[andersonekarol 0]

muito obrigado wings, pelo seu conhecimento e dedicação resolvendo o problema em pouco tempo, Deus te abençoe muito!

tanks!!!

[andersonekarol 0]

vixi reiniciei a maquina e voltou tudo de novo

[wings 22]

vixi reiniciei a maquina e voltou tudo de novo

 

Voltou tudo o quê?

 

Caso esteja em rede, podem haver outros PC's contaminados compartilhando pastas e arquivos. Caso, seja isso é preciso ver PC por PC e retirar cada um da rede após a limpeza. Agora, se só for este PC, recomendo que formate e não salve nenhum arquivo .exe.

[andersonekarol 0]

eu perdi o acesso ao painel de controle e ao executar, e ao miniaplicativo video,

me parece que é o compartilhamento com o publico daqui que ta trazendo o virus vou desabilita-lo,

segue relatorio atual do combifix.

 

ComboFix 10-01-03.05 - Administrador 04/01/2010 11:55:36.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.175 [GMT -2:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-12-04 to 2010-01-04 ))))))))))))))))))))))))))))

.

 

2009-12-21 11:48 . 2009-12-04 12:41 151816 ----a-w- c:\documents and settings\Administrador\SalityKiller.exe.exe

2009-12-21 11:26 . 2009-12-21 11:26 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-12-18 19:58 . 2009-12-28 17:59 -------- d-----w- c:\documents and settings\Administrador\DoctorWeb

2009-12-18 19:04 . 2009-12-21 10:31 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Autorun Eater

2009-12-18 18:57 . 2009-12-18 18:57 -------- d-sh--w- c:\documents and settings\s123456\IETldCache

2009-12-18 18:57 . 2009-12-18 18:57 -------- d-----w- c:\documents and settings\s123456\Menu Iniciar

2009-12-18 18:05 . 2009-12-18 18:10 7168 ----a-w- c:\windows\system32\drivers\uteznzg0.sys

2009-12-18 17:29 . 2009-12-18 17:29 -------- d-----w- c:\arquivos de programas\Trend Micro

2009-12-18 13:17 . 2009-10-22 14:54 37392 ----a-w- c:\windows\system32\drivers\66125102.sys

2009-12-18 13:17 . 2009-10-10 00:31 315408 ----a-w- c:\windows\system32\drivers\6612510.sys

2009-12-18 13:17 . 2009-09-25 18:59 128016 ----a-w- c:\windows\system32\drivers\66125101.sys

2009-12-18 11:08 . 2009-12-18 11:08 -------- d-----r- c:\documents and settings\LocalService\Favoritos

2009-12-18 11:06 . 2008-10-09 11:02 53618 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Avira\AntiVir Desktop\CONFIG\aebb.dll

2009-12-16 14:40 . 2009-12-16 14:40 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\400000600002i\AcroRd32Info.exe

2009-12-16 14:40 . 2009-12-16 14:40 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\1000000b00002i\verclsid.exe

2009-12-15 15:59 . 2009-12-15 15:59 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\AnvSoft

2009-12-15 10:58 . 2009-12-18 18:56 -------- d-----w- c:\arquivos de programas\GbPlugin

2009-12-14 17:11 . 2009-12-18 18:57 -------- d--h--w- c:\documents and settings\Administrador\Recent(2)

2009-12-12 03:55 . 2005-07-25 18:57 4779 ----a-w- c:\windows\mozilla.vbs

2009-12-12 03:55 . 2005-08-01 12:07 32768 ----a-w- c:\windows\system\grouppol.dll

2009-12-12 03:55 . 2005-08-01 12:07 32768 ----a-w- c:\windows\grouppol.dll

2009-12-11 17:19 . 2009-12-18 18:57 -------- d-----w- C:\super ness

2009-12-11 17:17 . 2009-12-18 18:57 -------- d-----w- C:\jogos

2009-12-11 04:49 . 2009-12-11 04:54 -------- d-----w- c:\documents and settings\s123456\Dados de aplicativos\Media Player Classic

2009-12-11 04:23 . 2010-01-04 14:00 -------- d--h--w- c:\documents and settings\s123456\Configurações locais

2009-12-11 04:23 . 2009-12-11 04:49 -------- d-----w- c:\documents and settings\s123456\Dados de aplicativos

2009-12-11 04:23 . 2010-01-04 12:15 -------- d-----w- c:\documents and settings\s123456

2009-12-11 04:23 . 2009-12-14 17:11 -------- d-----w- c:\documents and settings\s123456\Favoritos

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-04 13:48 . 2010-01-04 13:06 14 ----a-w- C:\Dir.Tmp

2010-01-04 12:38 . 2008-04-14 10:00 62474 ----a-w- c:\windows\system32\perfc016.dat

2010-01-04 12:38 . 2008-04-14 10:00 416384 ----a-w- c:\windows\system32\perfh016.dat

2009-12-29 10:46 . 2009-11-17 13:12 1 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys

2009-12-22 17:10 . 2009-12-22 17:10 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\100003e800002i\PDFEdit.exe

2009-12-22 17:10 . 2009-12-22 17:08 -------- d-----w- c:\arquivos de programas\PDF Editor 2

2009-12-22 17:08 . 2009-12-22 17:08 74752 ----a-w- c:\windows\cadkasdeinst01e.exe

2009-12-21 20:07 . 2009-11-09 17:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\avg8

2009-12-15 16:39 . 2009-11-19 05:39 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-15 10:59 . 2009-11-28 08:58 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-12-10 04:16 . 2009-11-27 09:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-04 11:55 . 2009-11-17 07:00 1632 ----a-w- c:\windows\system32\d3d8caps.dat

2009-12-03 07:09 . 2009-11-17 12:40 -------- d-----w- c:\arquivos de programas\IBM3270

2009-12-02 13:32 . 2009-12-02 13:31 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Media Player Classic

2009-12-02 04:13 . 2009-12-02 04:13 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hewlett-Packard

2009-12-01 12:39 . 2009-12-01 12:37 -------- d-----w- c:\arquivos de programas\Readiris Pro 11

2009-12-01 12:36 . 2009-12-01 12:36 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2009-12-01 12:35 . 2009-12-01 12:35 -------- d-----w- c:\arquivos de programas\Hewlett-Packard

2009-12-01 12:34 . 2009-12-01 12:33 -------- d-----w- c:\arquivos de programas\HP

2009-12-01 12:14 . 2009-12-01 12:12 -------- d--h--w- c:\arquivos de programas\Agilent-HP

2009-12-01 12:12 . 2009-12-01 12:12 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\HP

2009-11-28 07:08 . 2009-11-28 07:08 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\400000ea00002i\AdobeARM.exe

2009-11-28 07:07 . 2009-11-28 07:07 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\4000005400002i\AcroRd32.exe

2009-11-28 07:02 . 2009-11-28 07:02 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall

2009-11-27 07:29 . 2009-11-27 07:29 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira

2009-11-27 07:29 . 2009-11-27 07:29 -------- d-----w- c:\arquivos de programas\Avira

2009-11-24 13:30 . 2009-11-17 09:54 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-11-24 10:10 . 2009-11-24 10:10 -------- d-----w- c:\arquivos de programas\7-Zip

2009-11-19 05:09 . 2009-11-19 05:09 -------- d-----w- c:\arquivos de programas\Lexmark

2009-11-18 11:04 . 2009-11-18 11:04 -------- d-----w- c:\arquivos de programas\Lexmark_HostCD

2009-11-18 05:51 . 2009-11-09 17:02 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2009-11-18 05:16 . 2009-11-18 05:16 -------- d-----w- c:\arquivos de programas\GPLGS

2009-11-18 05:14 . 2009-11-18 05:14 -------- d-----w- c:\arquivos de programas\Acro Software

2009-11-17 13:10 . 2009-11-17 13:10 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\BrOffice.org

2009-11-17 11:50 . 2009-11-17 11:50 -------- d-----w- c:\arquivos de programas\EPSON

2009-11-17 10:03 . 2001-12-31 19:34 1 ----a-w- c:\documents and settings\AET-\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys

2009-11-17 10:00 . 2009-11-17 10:00 -------- d-----w- c:\arquivos de programas\Microsoft Works

2009-11-17 10:00 . 2009-11-17 10:00 -------- d-----w- c:\arquivos de programas\MSBuild

2009-11-11 05:27 . 2009-11-09 16:34 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-11-11 04:59 . 2009-11-11 04:59 -------- d-----w- c:\arquivos de programas\Marcos Velasco Security

2009-11-11 04:59 . 2009-11-11 04:59 -------- d-----w- c:\arquivos de programas\CCleaner

2009-11-11 04:44 . 2009-11-11 04:46 2064152 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgcorex.dll

2009-11-11 04:44 . 2009-11-11 04:46 1090224 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\AVGToolbarInstall.exe

2009-11-11 04:44 . 2009-11-11 04:46 3513624 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgui.exe

2009-11-11 04:44 . 2009-11-11 04:46 2028312 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgtray.exe

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\documents and settings\AET-\Dados de aplicativos\Media Player Classic

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\documents and settings\AET-\Dados de aplicativos\bsplayer

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\arquivos de programas\K-Lite Codec Pack

2009-11-09 17:28 . 2009-11-09 17:28 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nero

2009-11-09 17:24 . 2009-11-09 17:24 -------- d-----w- c:\arquivos de programas\Ahead

2009-11-09 17:24 . 2009-11-09 17:24 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Ahead

2009-11-09 17:23 . 2009-11-09 17:20 -------- d-----w- c:\arquivos de programas\Java

2009-11-09 17:19 . 2009-11-09 17:19 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2009-11-09 17:18 . 2009-11-09 17:18 -------- d-----w- c:\arquivos de programas\BrOffice.org 3

2009-11-09 17:13 . 2009-11-11 04:45 11952 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgrsstx.dll

2009-11-09 17:13 . 2009-11-11 04:46 325896 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgldx86.sys

2009-11-09 17:13 . 2009-11-11 04:45 27784 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgmfx86.sys

2009-11-09 17:05 . 2009-11-09 17:05 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\WinZip

2009-11-09 16:37 . 2009-11-09 16:37 -------- d-----w- c:\arquivos de programas\microsoft frontpage

2009-11-09 16:35 . 2009-11-09 16:35 -------- d-----w- c:\arquivos de programas\Windows Media Connect 2

2009-11-09 16:33 . 2009-11-09 16:33 -------- d-----w- c:\arquivos de programas\Serviços on-line

2009-11-09 16:32 . 2009-11-09 16:32 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Serviços

2009-11-09 16:31 . 2009-11-09 16:31 21844 ----a-w- c:\windows\system32\emptyregdb.dat

2009-11-05 04:09 . 2009-11-18 05:14 87552 ----a-w- c:\windows\system32\cpwmon2k.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LMab1err"="c:\arquivos de programas\Lexmark\ErrorApp\LMab1err.exe" [2007-05-11 713648]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-12-22 98304]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"HideShutdownScripts"= 1 (0x1)

"EnableLUA"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"ProfileQuotaMessage"= Você ultrapassou o espaço de armazenamento de seu perfil. Para poder efetuar logoff, você precisa mover alguns itens do perfil para a rede ou para o armazenamento local.

"HideLogonScripts"= 1 (0x1)

"MaxProfileSize"= 30000 (0x7530)

"WarnUserTimeout"= 15 (0xf)

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSetTaskbar"= 1 (0x1)

"NoFileAssociate"= 1 (0x1)

"EditLevel"= 0 (0x0)

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^BrOffice.org 3.1.lnk]

backup=c:\windows\pss\BrOffice.org 3.1.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^Recorte de tela e Iniciador do OneNote 2007.lnk]

backup=c:\windows\pss\Recorte de tela e Iniciador do OneNote 2007.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^setup_9.0.0.722_18.12.2009_14-46.lnk]

path=c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\setup_9.0.0.722_18.12.2009_14-46.lnk

backup=c:\windows\pss\setup_9.0.0.722_18.12.2009_14-46.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 07:38 935288 ----a-r- c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-02 23:38 35696 ----a-w- c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP OrderReminder Cleaner]

2006-08-11 15:02 104960 ----a-r- c:\windows\hporclnr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]

2006-04-23 14:32 36864 ----a-w- c:\arquivos de programas\Hewlett-Packard\HP UT\bin\hppusg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\LMabcoms.exe"=

"c:\\sdat4900.exe"=

 

R0 66125102;66125102 Boot Guard Driver;c:\windows\system32\drivers\66125102.sys [18/12/2009 11:17 37392]

R1 66125101;66125101;c:\windows\system32\drivers\66125101.sys [18/12/2009 11:17 128016]

R1 setup_9.0.0.722_18.12.2009_14-46drv;setup_9.0.0.722_18.12.2009_14-46drv;c:\windows\system32\drivers\6612510.sys [18/12/2009 11:17 315408]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [27/11/2009 07:38 108289]

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\trktk.sys --> c:\windows\system32\drivers\trktk.sys [?]

S3 uteznzg0;AVZ Kernel Driver;c:\windows\system32\drivers\uteznzg0.sys [18/12/2009 16:05 7168]

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{31IOP6M8-1DAB-81AD-BOK1-26OC5H3565645}]

2001-12-31 19:31 0 ----a-w- c:\tender\InterPol\NkeY.exe

.

.

------- Scan Suplementar -------

.

uStart Page = www.pmmg.mg.gov.br

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\fognkhzu.default\

FF - prefs.js: browser.startup.homepage - hxxps://intranet.policiamilitar.mg.gov.br/

FF - prefs.js: network.proxy.type - 2

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\fognkhzu.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava11.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava12.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava13.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava14.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava32.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjpi170.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npoji610.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npOGAPlugin.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-04 12:00

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_USERS\S-1-5-21-117609710-796845957-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,cb,44,6f,99,b0,92,40,95,8b,58,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,cb,44,6f,99,b0,92,40,95,8b,58,\

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'explorer.exe'(1584)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Tempo para conclusão: 2010-01-04 12:02:55

ComboFix-quarantined-files.txt 2010-01-04 14:02

 

Pré-execução: 10 pasta(s) 24.356.442.112 bytes disponíveis

Pós execução: 11 pasta(s) 24.323.448.832 bytes disponíveis

 

- - End Of File - - 2958E3E19E33F21EA3D400C4D735BC87

[wings 22]

Envie o arquivo para análise em http://virscan.org

 

c:\windows\mozilla.vbs

 

 

Cole o link contendo o resultado.

[wings 22]

1.

*Baixe oRegUnlocker e salve-o no desktop

*Execute o programa e marque a opção "Realizar copia de seguridad de los cambios realizados"

*Em "A - Restricciones", selecione as opções:

1 - Eliminar restricciones del Sistema

2 - Eliminar restricciones del Explorador

*Clique em [Aplicar]

 

2.

*Abra o bloco de notas, selecione, copie e cole nele todo o conteúdo do código abaixo:

 

File::

c:\windows\mozilla.vbs

c:\windows\system32\drivers\trktk.sys

c:\windows\system32\drivers\uteznzg0.sys

c:\documents and settings\Administrador\SalityKiller.exe.exe

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\sdat4900.exe"=-

Driver::

abp470n5

uteznzg0

*Salve o arquivo no desktop como CFScript.txt

*Arraste o arquivo para o Combofix conforme ilustração abaixo:

 

 

*Importante: enquanto o combofix estiver em execução, não use o mouse nem o teclado!!..para interromper o processo tecle N ou 2.

 

*Cole o relatório criado em C:\combofix.txt

[andersonekarol 0]

deu essa mensagem na hora de abrir o c:\windows\mozilla.vbs

 

"erro: o sistema não pode encontrar o arquivo especificado"

o que faço agora?

[andersonekarol 0]

bom dia!

o tecnico deu uma passada aqui e eu pedi pra tirar o pc do compartilhamento publico ai quando inicio o pc o virus não volta então acho que por enquanto estou livre deste virus,

tem como confirmar isso atraves de scaneamento do combofix ou do hijack?

[wings 22]

bom dia!

o tecnico deu uma passada aqui e eu pedi pra tirar o pc do compartilhamento publico ai quando inicio o pc o virus não volta então acho que por enquanto estou livre deste virus,

tem como confirmar isso atraves de scaneamento do combofix ou do hijack?

 

Cole um novo log do combofix do PC sem compartilhamento.

[andersonekarol 0]

ja estou indo!!!

[andersonekarol 0]

eis o ultimo relatorio.

 

 

 

ComboFix 10-01-04.01 - Administrador 05/01/2010 11:35:28.9.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.258 [GMT -2:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

* AV residente está ativo

 

 

FILE ::

"c:\documents and settings\Administrador\SalityKiller.exe.exe"

"c:\windows\mozilla.vbs"

"c:\windows\system32\drivers\trktk.sys"

"c:\windows\system32\drivers\uteznzg0.sys"

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Administrador\SalityKiller.exe.exe

c:\windows\mozilla.vbs

c:\windows\system32\drivers\uteznzg0.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ABP470N5

-------\Legacy_UTEZNZG0

-------\Service_abp470n5

-------\Service_uteznzg0

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-12-05 to 2010-01-05 ))))))))))))))))))))))))))))

.

 

2010-01-05 13:25 . 2010-01-05 13:25 -------- d-----w- C:\RegUnlocker Backups

2010-01-05 12:39 . 2010-01-05 12:39 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Innovative Solutions

2010-01-05 12:37 . 2010-01-05 12:37 -------- d-----w- c:\arquivos de programas\EASEUS

2010-01-04 18:15 . 2010-01-04 18:16 -------- d-----w- c:\arquivos de programas\Microsoft Security Essentials

2010-01-04 18:07 . 2010-01-04 18:06 512096 ----a-w- c:\windows\system32\drivers\amon.sys

2010-01-04 18:07 . 2010-01-04 18:06 298104 ----a-w- c:\windows\system32\imon.dll

2010-01-04 18:07 . 2010-01-04 18:06 15424 ----a-w- c:\windows\system32\drivers\nod32drv.sys

2010-01-04 18:06 . 2010-01-05 13:35 -------- d-----w- c:\arquivos de programas\ESET

2010-01-04 12:15 . 2010-01-04 12:15 -------- d-----w- c:\windows\system32\wbem\Repository

2009-12-22 17:10 . 2009-12-22 17:10 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\100003e800002i\PDFEdit.exe

2009-12-22 17:08 . 2009-12-22 17:10 -------- d-----w- c:\arquivos de programas\PDF Editor 2

2009-12-22 17:08 . 2009-12-22 17:08 74752 ----a-w- c:\windows\cadkasdeinst01e.exe

2009-12-21 11:26 . 2009-12-21 11:26 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-12-18 19:58 . 2009-12-28 17:59 -------- d-----w- c:\documents and settings\Administrador\DoctorWeb

2009-12-18 19:04 . 2009-12-21 10:31 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Autorun Eater

2009-12-18 18:57 . 2009-12-18 18:57 -------- d-sh--w- c:\documents and settings\s123456\IETldCache

2009-12-18 18:57 . 2009-12-18 18:57 -------- d-----w- c:\documents and settings\s123456\Menu Iniciar

2009-12-18 17:29 . 2009-12-18 17:29 -------- d-----w- c:\arquivos de programas\Trend Micro

2009-12-18 13:17 . 2009-10-22 14:54 37392 ----a-w- c:\windows\system32\drivers\66125102.sys

2009-12-18 13:17 . 2009-10-10 00:31 315408 ----a-w- c:\windows\system32\drivers\6612510.sys

2009-12-18 13:17 . 2009-09-25 18:59 128016 ----a-w- c:\windows\system32\drivers\66125101.sys

2009-12-18 11:08 . 2009-12-18 11:08 -------- d-----r- c:\documents and settings\LocalService\Favoritos

2009-12-16 14:40 . 2009-12-16 14:40 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\400000600002i\AcroRd32Info.exe

2009-12-16 14:40 . 2009-12-16 14:40 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\1000000b00002i\verclsid.exe

2009-12-15 15:59 . 2009-12-15 15:59 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\AnvSoft

2009-12-15 10:58 . 2009-12-18 18:56 -------- d-----w- c:\arquivos de programas\GbPlugin

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-05 11:39 . 2009-11-17 13:12 1 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys

2010-01-04 18:06 . 2009-11-17 07:00 1632 ----a-w- c:\windows\system32\d3d8caps.dat

2010-01-04 13:48 . 2010-01-04 13:06 14 ----a-w- C:\Dir.Tmp

2010-01-04 12:38 . 2008-04-14 10:00 62474 ----a-w- c:\windows\system32\perfc016.dat

2010-01-04 12:38 . 2008-04-14 10:00 416384 ----a-w- c:\windows\system32\perfh016.dat

2009-12-21 20:07 . 2009-11-09 17:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\avg8

2009-12-15 16:39 . 2009-11-19 05:39 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-15 10:59 . 2009-11-28 08:58 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-12-11 04:54 . 2009-12-11 04:49 -------- d-----w- c:\documents and settings\s123456\Dados de aplicativos\Media Player Classic

2009-12-10 04:16 . 2009-11-27 09:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-03 07:09 . 2009-11-17 12:40 -------- d-----w- c:\arquivos de programas\IBM3270

2009-12-02 13:32 . 2009-12-02 13:31 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Media Player Classic

2009-12-02 04:13 . 2009-12-02 04:13 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hewlett-Packard

2009-12-01 12:39 . 2009-12-01 12:37 -------- d-----w- c:\arquivos de programas\Readiris Pro 11

2009-12-01 12:36 . 2009-12-01 12:36 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2009-12-01 12:35 . 2009-12-01 12:35 -------- d-----w- c:\arquivos de programas\Hewlett-Packard

2009-12-01 12:34 . 2009-12-01 12:33 -------- d-----w- c:\arquivos de programas\HP

2009-12-01 12:14 . 2009-12-01 12:12 -------- d--h--w- c:\arquivos de programas\Agilent-HP

2009-12-01 12:12 . 2009-12-01 12:12 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\HP

2009-11-28 07:08 . 2009-11-28 07:08 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\400000ea00002i\AdobeARM.exe

2009-11-28 07:07 . 2009-11-28 07:07 7680 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall\PDF Editor 2\4000005400002i\AcroRd32.exe

2009-11-28 07:02 . 2009-11-28 07:02 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Thinstall

2009-11-24 13:30 . 2009-11-17 09:54 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-11-24 10:10 . 2009-11-24 10:10 -------- d-----w- c:\arquivos de programas\7-Zip

2009-11-19 05:09 . 2009-11-19 05:09 -------- d-----w- c:\arquivos de programas\Lexmark

2009-11-18 11:04 . 2009-11-18 11:04 -------- d-----w- c:\arquivos de programas\Lexmark_HostCD

2009-11-18 05:51 . 2009-11-09 17:02 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2009-11-18 05:16 . 2009-11-18 05:16 -------- d-----w- c:\arquivos de programas\GPLGS

2009-11-18 05:14 . 2009-11-18 05:14 -------- d-----w- c:\arquivos de programas\Acro Software

2009-11-17 13:10 . 2009-11-17 13:10 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\BrOffice.org

2009-11-17 11:50 . 2009-11-17 11:50 -------- d-----w- c:\arquivos de programas\EPSON

2009-11-17 10:03 . 2001-12-31 19:34 1 ----a-w- c:\documents and settings\AET-\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys

2009-11-17 10:00 . 2009-11-17 10:00 -------- d-----w- c:\arquivos de programas\Microsoft Works

2009-11-17 10:00 . 2009-11-17 10:00 -------- d-----w- c:\arquivos de programas\MSBuild

2009-11-11 05:27 . 2009-11-09 16:34 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-11-11 04:59 . 2009-11-11 04:59 -------- d-----w- c:\arquivos de programas\Marcos Velasco Security

2009-11-11 04:59 . 2009-11-11 04:59 -------- d-----w- c:\arquivos de programas\CCleaner

2009-11-11 04:44 . 2009-11-11 04:46 2064152 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgcorex.dll

2009-11-11 04:44 . 2009-11-11 04:46 1090224 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\AVGToolbarInstall.exe

2009-11-11 04:44 . 2009-11-11 04:46 3587352 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgui.exe

2009-11-11 04:44 . 2009-11-11 04:46 2102040 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgtray.exe

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\documents and settings\AET-\Dados de aplicativos\Media Player Classic

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\documents and settings\AET-\Dados de aplicativos\bsplayer

2009-11-09 17:30 . 2009-11-09 17:30 -------- d-----w- c:\arquivos de programas\K-Lite Codec Pack

2009-11-09 17:28 . 2009-11-09 17:28 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nero

2009-11-09 17:24 . 2009-11-09 17:24 -------- d-----w- c:\arquivos de programas\Ahead

2009-11-09 17:24 . 2009-11-09 17:24 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Ahead

2009-11-09 17:23 . 2009-11-09 17:20 -------- d-----w- c:\arquivos de programas\Java

2009-11-09 17:19 . 2009-11-09 17:19 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2009-11-09 17:18 . 2009-11-09 17:18 -------- d-----w- c:\arquivos de programas\BrOffice.org 3

2009-11-09 17:13 . 2009-11-11 04:45 11952 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgrsstx.dll

2009-11-09 17:13 . 2009-11-11 04:46 325896 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgldx86.sys

2009-11-09 17:13 . 2009-11-11 04:45 27784 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg8\update\backup\avgmfx86.sys

2009-11-09 17:05 . 2009-11-09 17:05 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\WinZip

2009-11-09 16:37 . 2009-11-09 16:37 -------- d-----w- c:\arquivos de programas\microsoft frontpage

2009-11-09 16:35 . 2009-11-09 16:35 -------- d-----w- c:\arquivos de programas\Windows Media Connect 2

2009-11-09 16:33 . 2009-11-09 16:33 -------- d-----w- c:\arquivos de programas\Serviços on-line

2009-11-09 16:32 . 2009-11-09 16:32 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Serviços

2009-11-09 16:31 . 2009-11-09 16:31 21844 ----a-w- c:\windows\system32\emptyregdb.dat

2009-11-05 04:09 . 2009-11-18 05:14 87552 ----a-w- c:\windows\system32\cpwmon2k.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LMab1err"="c:\arquivos de programas\Lexmark\ErrorApp\LMab1err.exe" [2007-05-11 713648]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-12-22 98304]

"nod32kui"="c:\arquivos de programas\Eset\nod32kui.exe" [2010-01-04 949376]

"MSSE"="c:\arquivos de programas\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"HideShutdownScripts"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"ProfileQuotaMessage"= Você ultrapassou o espaço de armazenamento de seu perfil. Para poder efetuar logoff, você precisa mover alguns itens do perfil para a rede ou para o armazenamento local.

"HideLogonScripts"= 1 (0x1)

"MaxProfileSize"= 30000 (0x7530)

"WarnUserTimeout"= 15 (0xf)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSetTaskbar"= 1 (0x1)

"NoFileAssociate"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^BrOffice.org 3.1.lnk]

backup=c:\windows\pss\BrOffice.org 3.1.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^Recorte de tela e Iniciador do OneNote 2007.lnk]

backup=c:\windows\pss\Recorte de tela e Iniciador do OneNote 2007.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^setup_9.0.0.722_18.12.2009_14-46.lnk]

backup=c:\windows\pss\setup_9.0.0.722_18.12.2009_14-46.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 07:38 935288 ----a-r- c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-02 23:38 35696 ----a-w- c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP OrderReminder Cleaner]

2006-08-11 15:02 104960 ----a-r- c:\windows\hporclnr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]

2006-04-23 14:32 36864 ----a-w- c:\arquivos de programas\Hewlett-Packard\HP UT\bin\hppusg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\LMabcoms.exe"=

"c:\\Program Files\\Hewlett-Packard\\OrderReminder\\OrderReminder.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GrooveMonitor.exe"=

 

R0 66125102;66125102 Boot Guard Driver;c:\windows\system32\drivers\66125102.sys [18/12/2009 11:17 37392]

R1 66125101;66125101;c:\windows\system32\drivers\66125101.sys [18/12/2009 11:17 128016]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [4/1/2010 16:07 15424]

R1 setup_9.0.0.722_18.12.2009_14-46drv;setup_9.0.0.722_18.12.2009_14-46drv;c:\windows\system32\drivers\6612510.sys [18/12/2009 11:17 315408]

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{31IOP6M8-1DAB-81AD-BOK1-26OC5H3565645}]

2010-01-04 15:19 102400 ----a-w- c:\tender\InterPol\NkeY.exe

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-01-05 c:\windows\Tasks\MP Scheduled Scan.job

- c:\arquivos de programas\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 19:36]

.

.

------- Scan Suplementar -------

.

uStart Page = www.pmmg.mg.gov.br

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\fognkhzu.default\

FF - prefs.js: browser.startup.homepage - hxxps://intranet.policiamilitar.mg.gov.br/

FF - prefs.js: network.proxy.type - 2

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\fognkhzu.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava11.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava12.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava13.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava14.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjava32.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npjpi170.dll

FF - plugin: c:\arquivos de programas\Java\jre1.7.0\bin\npoji610.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npOGAPlugin.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-05 11:46

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_USERS\S-1-5-21-117609710-796845957-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,cb,44,6f,99,b0,92,40,95,8b,58,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,cb,44,6f,99,b0,92,40,95,8b,58,\

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'explorer.exe'(784)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Microsoft Security Essentials\MsMpEng.exe

c:\arquivos de programas\Eset\nod32krn.exe

c:\windows\System32\spool\DRIVERS\W32X86\3\HP1005MC.EXE

c:\windows\system32\LMabcoms.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-01-05 11:49:39 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-01-05 13:49

ComboFix2.txt 2010-01-04 15:57

ComboFix3.txt 2010-01-04 14:02

 

Pré-execução: 11 pasta(s) 12.004.962.304 bytes disponíveis

Pós execução: 12 pasta(s) 11.941.224.448 bytes disponíveis

 

- - End Of File - - BD9A87D09851EDC0DDBB43EB67B4AD8C

[wings 22]

OK...o log está limpo.

 

 

Como está a máquina agora?