[Arquivado] Análise HiJackThis

[Bruno Carazato 0]

Meu Antivirus tem identificado alguns virus na pasta do windows....ja postei muitos tópicos aki q forum solucionados...ams desta vez o problema é com meu nootebooke

 

 

obrigado

 

Bruno

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:24:28, on 16/1/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\ARQUIV~1\GbPlugin\GbpSv.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\Explorer.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

D:\WINDOWS\system32\csrcs.exe

D:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Arquivos de programas\WIDCOMM\Bluetooth Software\BTTray.exe

D:\WINDOWS\system32\4868ae.exe

D:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

D:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

D:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe

D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\alg.exe

D:\Arquivos de programas\Internet Explorer\iexplore.exe

D:\Arquivos de programas\Windows Live\Toolbar\wltuser.exe

C:\HijHackThis\HiJackThis.exe

D:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/portal/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.speedapps.com/search.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - D:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - D:\Arquivos de programas\GbPlugin\gbieh.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - D:\Arquivos de programas\TheSearchAccelerator\UCMTSAIE.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [roam slow curb balm] D:\Documents and Settings\All Users\Dados de aplicativos\Bait cake roam slow\STYLE PURE.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [avgnt] "D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Microsoft® System Manager] D:\WINDOWS\system32\4868ae.exe

O4 - HKLM\..\RunServices: [csrcs] D:\WINDOWS\system32\csrcs.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [one way] D:\DOCUME~1\FABIO\DADOSD~1\GramFace\Does Loud.exe

O4 - HKCU\..\Run: [sys10] D:\DOCUME~1\FABIO\CONFIG~1\TempImages\sys13.exe

O4 - HKLM\..\Policies\Explorer\Run: [csrcs] D:\WINDOWS\system32\csrcs.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: UCmore XP - The Search Accelerator.lnk = ?

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Acrobat Assistant.lnk = D:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: ADVFN 4v4 - http://br.advfn.com/p.php?pid=loadercab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://D:\Arquivos de programas\Mystery Case Files - Madame Fate\Images\stg_drm.ocx

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://corp.globalenglish.com/html/setup/cabs/ge.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256416725546

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {C298F7C6-958F-47AE-B811-C730070B5BD2} (EzWebView Control) - http://201.217.51.59/cab/Webview.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://D:\Arquivos de programas\Mystery Case Files - Madame Fate\Images\armhelper.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{3847ACAC-FF7E-4EDD-B707-812DB52FBF2D}: NameServer = 201.10.1.2

O20 - Winlogon Notify: GbPluginBb - D:\Arquivos de programas\GbPlugin\gbieh.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Gbp Service (GbpSv) - - D:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - D:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - D:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SiS WirelessLan Service (SiSWLSvc) - SiS Corporation - (no file)

 

--

End of file - 11196 bytes

[wings 22]

Bom dia furiosb

 

1.

*Abra o Internet Explorer, clique em [Ferramentas] > [Opções da Internet] > [segurança] > [sites Confiáveis] > [sites], no campo "Adicionar este site à zona" coloque: http://lop.com e clique em [Adicionar]

*Desmarque a opção: "Exigir Verificação do Servidor(https)"

*Clique [Ok] em todas as janelas.

*Desative seu antivírus temporariamente

 

Clique com o botão direito do mouse no ícone do Avira ao lado do relógio > clique na opção "AntiVir Guard enable".

*Faça o download do LopUninstall e salve-o no desktop

*Execute-o. Digite os números e clique em [uninstall]

 

2.

*Baixe o MalwareBytes Anti-malware e salve-o no desktop:

*Instale o programa

*Se alguma atualização existir,o download será automático. Aguarde...

*O programa será aberto automaticamente.

*Na aba [Verificação], selecione a opção [Verificação completa]

*Clique em [Verificar] e selecione as unidades a serem examinadas

*Ao término do scan, poderá ser interrogado se deseja remover objetos da memória. Clique [sIM] > [OK] > [Mostrar Resultados]

*Selecione todas as entradas e clique em [Remover Selecionados]

*Um relatório (mbam-log-ano-mês-data.txt) será apresentado.

*Reinicie o PC

*Abra novamente o programa Malwarebytes e na aba [Logs] clique no arquivo mbam-log-ano-mês-data.txt

*Clique em [Abrir], copie, cole-o na sua próxima resposta e novo log do hijack

[Bruno Carazato 0]

Analise Malware

 

 

Malwarebytes' Anti-Malware 1.44

Versão do banco de dados: 3575

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

 

16/1/2010 13:14:31

mbam-log-2010-01-16 (13-14-31).txt

 

Tipo de Verificação: Completa (C:\|D:\|)

Objetos verificados: 193919

Tempo decorrido: 1 hour(s), 4 minute(s), 31 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 28

Valores do Registro infectados: 5

Ítens do Registro infectados: 4

Pastas infectadas: 12

Arquivos infectados: 15

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\playmp3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty (Worm.Autorun) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Seekapp (Adware.SeekApp) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft® system manager (Backdoor.IRCBot) -> Quarantined and deleted successfully.

 

Ítens do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

 

Pastas infectadas:

D:\Documents and Settings\All Users\Dados de aplicativos\Seekapp (Adware.SeekApp) -> Quarantined and deleted successfully.

D:\Arquivos de programas\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\PlayMP3z (Adware.PLayMP3z) -> Quarantined and deleted successfully.

D:\Arquivos de programas\Seekapp (Adware.SeekApp) -> Quarantined and deleted successfully.

D:\Documents and Settings\FABIO\Menu Iniciar\Programas\PlayMP3z (Adware.PLayMP3z) -> Quarantined and deleted successfully.

 

Arquivos infectados:

D:\Documents and Settings\All Users\Dados de aplicativos\Seekapp\seekapp122.exe (Adware.SeekApp) -> Quarantined and deleted successfully.

D:\Documents and Settings\FABIO\Meus documentos\Casa Arq\FÁBIO\Programas SRF\IRPF2004\DARF32CBX.DLL (Trojan.Agent) -> Quarantined and deleted successfully.

D:\Arquivos de programas\Programas RFB\IRPF2008windows\DARF32CBX.DLL (Trojan.Agent) -> Quarantined and deleted successfully.

D:\Arquivos de programas\Programas SRF\IRPF2007\DARF32CBX.DLL (Trojan.Agent) -> Quarantined and deleted successfully.

D:\Arquivos de programas\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

D:\Arquivos de programas\PlayMP3z\uninstall.exe (Adware.PLayMP3z) -> Quarantined and deleted successfully.

D:\Documents and Settings\FABIO\Menu Iniciar\Programas\PlayMP3z\Run PlayMP3z.lnk (Adware.PLayMP3z) -> Quarantined and deleted successfully.

D:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

D:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.

D:\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

D:\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

 

 

 

 

 

Analise HijackThis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:25:04, on 16/1/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\ARQUIV~1\GbPlugin\GbpSv.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

D:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

D:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe

D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\alg.exe

D:\WINDOWS\system32\wscntfy.exe

D:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Arquivos de programas\WIDCOMM\Bluetooth Software\BTTray.exe

D:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

D:\Arquivos de programas\Internet Explorer\iexplore.exe

D:\Arquivos de programas\Windows Live\Toolbar\wltuser.exe

C:\HijHackThis\HiJackThis.exe

D:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/portal/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.speedapps.com/search.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - D:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - D:\Arquivos de programas\GbPlugin\gbieh.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - D:\Arquivos de programas\TheSearchAccelerator\UCMTSAIE.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [avgnt] "D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunServices: [csrcs] D:\WINDOWS\system32\csrcs.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sys10] D:\DOCUME~1\FABIO\CONFIG~1\TempImages\sys13.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: UCmore XP - The Search Accelerator.lnk = ?

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Acrobat Assistant.lnk = D:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://*.lop.com

O16 - DPF: ADVFN 4v4 - http://br.advfn.com/p.php?pid=loadercab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://D:\Arquivos de programas\Mystery Case Files - Madame Fate\Images\stg_drm.ocx

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://corp.globalenglish.com/html/setup/cabs/ge.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256416725546

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {C298F7C6-958F-47AE-B811-C730070B5BD2} (EzWebView Control) - http://201.217.51.59/cab/Webview.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://D:\Arquivos de programas\Mystery Case Files - Madame Fate\Images\armhelper.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{3847ACAC-FF7E-4EDD-B707-812DB52FBF2D}: NameServer = 201.10.1.2

O20 - Winlogon Notify: GbPluginBb - D:\Arquivos de programas\GbPlugin\gbieh.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Gbp Service (GbpSv) - - D:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - D:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - D:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SiS WirelessLan Service (SiSWLSvc) - SiS Corporation - (no file)

 

--

End of file - 10303 bytes

 

[marcoantonio51 0]

A ampulheta não pára de piscar e aparece toda hora um Alerta de prevenção de de execução de dados.

Já rodei o Hijack this e o log é:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 17:21:55, on 16/01/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Cisco Systems\VPN Client\cvpnd.exe

C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

C:\Arquivos de programas\TrendMicro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\System32\WScript.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\dumprep.exe

C:\WINDOWS\System32\WScript.exe

C:\WINDOWS\System32\WScript.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.msn.com/?ocid=iehp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {BFD16BFB-E9C0-4444-B24E-938C42AB8D6C} - C:\WINDOWS\system32\javaw.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O2 - BHO: G-Buster Browser Defense ISG - {C41A1C0E-EA6C-11D4-B1B8-444553540015} - C:\ARQUIV~1\GbPlugin\gbiehisg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Enviar para Bluetooth - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O8 - Extra context menu item: Enviar para Dispositivo &Bluetooth... - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O20 - Winlogon Notify: GbPluginIsg - C:\ARQUIV~1\GbPlugin\gbiehisg.dll

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Arquivos de programas\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Update Service (gupdate1ca4a7b1977afec) (gupdate1ca4a7b1977afec) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 11182 bytes

[Bruno Carazato 0]

Porque você postou aki??

Por favor vamos prosseguir com o tratamento...

[wings 22]

marcoantonio51

 

 

Leia a regra 1 do fórum.

 

***********************************

 

Bom dia furiosb

 

1.

*Abra o Internet Explorer, clique em [Ferramentas] > [Opções da Internet] > [segurança] > [sites Confiáveis] > [sites], no campo "Adicionar este site à zona" selecione: http://lop.com e clique em [Remover]

*Marque a opção: "Exigir Verificação do Servidor(https)"

*Clique [Ok] em todas as janelas.

 

2.

*Delete o programa uninstall.exe localizado no desktop

 

3.

*Abra o programa Malwarebytes e na aba [Quarentena], selecione os arquivos abaixo:

 

D:\Documents and Settings\FABIO\Meus documentos\Casa Arq\FÁBIO\Programas SRF\IRPF2004\DARF32CBX.DLL

D:\Arquivos de programas\Programas RFB\IRPF2008windows\DARF32CBX.DLL

D:\Arquivos de programas\Programas SRF\IRPF2007\DARF32CBX.DLL

*Clique em Restaurar

 

4.

*Baixe o SDFix e salve-o no desktop

*Desative temporariamente seu antivírus

*Duplo clique em SDFix.exe e a ferramenta será instalada em C:\SDFix

*Reinicie o PC em Modo de Segurança (aperte F8 de forma intermitente durante a inicialização do PC e selecione "Modo Seguro")

*Na pasta C:\SDFix localize e execute o arquivo RunThis.bat

*Tecle [Y]

*Ao término, pressione qualquer tecla

*O PC será reiniciado automaticamente

*Ao reiniciar, a ferramenta novamente será executada

*Caso não ocorra a execução automática, execute novamente o arquivo RunThis.bat e tecle [F]

*Ao surgir "The FixTool has finished", pressione qualquer tecla

*Cole o relatório criado em C:\SDFix\Report.txt e novo log do hijack

[Bruno Carazato 0]

Quado Digito Y e do enter o rograma fecha e quando abro e dgito F e do enter da esse erro

 

[wings 22]

OK...

 

Delete o SDFix.

 

 

*Desative temporariamente seu antivírus

 

 

*Baixe o ComboFix e salve-o no desktop

*Duplo-clique no arquivo Combofix.exe

*Aceite o contrato

 

*Se o console de recuperação do Windows já estiver instalado, o ComboFix irá continuar o processo automaticamente. Caso não esteja uma janela, conforme abaixo, será aberta. Clique em [sIM] para aceitar a instalação do mesmo.

 

 

*Após a instalação, clique em [sIM] para continuar.

 

*Importante: enquanto o ComboFix estiver em execução, não use o mouse nem o teclado!!..... Para interromper o procedimento tecle N ou 2 e depois ENTER.

 

*O programa será fechado automaticamente

 

*Cole o relatório criado em C:\combofix.txt

[Bruno Carazato 0]

ComboFix 10-01-16.04 - FABIO 17/01/2010 15:59:50.1.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.446.157 [GMT -2:00]

Executando de: d:\documents and settings\FABIO\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00C8-0D24-347CA8A3377C}

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00DA-0D24-347CA8A3377C}

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00DA-0D24-347CA8A3377C}

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

D:\10.tmp

D:\11.tmp

D:\12.tmp

D:\13.tmp

D:\14.tmp

D:\15.tmp

D:\16.tmp

D:\17.tmp

D:\18.tmp

D:\19.tmp

D:\1A.tmp

D:\1B.tmp

D:\1C.tmp

D:\1D.tmp

D:\1E.tmp

D:\1F.tmp

D:\20.tmp

D:\21.tmp

D:\22.tmp

D:\23.tmp

D:\24.tmp

D:\25.tmp

D:\26.tmp

D:\27.tmp

D:\28.tmp

D:\29.tmp

D:\3.tmp

D:\5.tmp

D:\6.tmp

D:\7.tmp

D:\8.tmp

D:\9.tmp

D:\A.tmp

d:\arquivos de programas\Antivirus

d:\arquivos de programas\Antivirus\avg71free_375a691.exe

d:\arquivos de programas\Antivirus\setupeng.exe

d:\arquivos de programas\Need2Find

d:\arquivos de programas\Need2Find\bar\History\search

d:\arquivos de programas\thesearchaccelerator

d:\arquivos de programas\thesearchaccelerator\I_see_more.htm

d:\arquivos de programas\thesearchaccelerator\INSTALL.LOG

d:\arquivos de programas\thesearchaccelerator\logo.ico

d:\arquivos de programas\thesearchaccelerator\UCmorelogin.users.ucmore.com.4.5.2.0

d:\arquivos de programas\thesearchaccelerator\UNWISE.EXE

D:\B.tmp

D:\C.tmp

D:\D.tmp

D:\E.tmp

D:\F.tmp

d:\windows\icon.ico

d:\windows\system32\4868ae.exe

d:\windows\system32\AutoRun.inf

d:\windows\system32\msvcrt2.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ILVMONEYDRIVER53

-------\Legacy_UacFlt

-------\Service_UacFlt

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-12-17 to 2010-01-17 ))))))))))))))))))))))))))))

.

 

2010-01-16 11:51 . 2010-01-16 11:51 -------- d-----w- d:\documents and settings\FABIO\Dados de aplicativos\Malwarebytes

2010-01-16 11:51 . 2010-01-07 18:07 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2010-01-16 11:51 . 2010-01-16 11:51 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-01-16 11:51 . 2010-01-07 18:07 19160 ----a-w- d:\windows\system32\drivers\mbam.sys

2010-01-16 11:51 . 2010-01-16 11:51 -------- d-----w- d:\arquivos de programas\Malwarebytes' Anti-Malware

2010-01-16 03:14 . 2010-01-16 03:14 -------- d-----w- D:\FOUND.002

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-16 03:15 . 2009-05-22 23:21 204 ----a-w- d:\windows\system32\drivers\GbpKmAp.lst

2009-12-30 12:59 . 2009-05-22 23:22 30752 ----a-w- d:\windows\system32\drivers\gbpkm.sys

2009-12-07 20:26 . 2009-03-21 19:14 56816 ----a-w- d:\windows\system32\drivers\avgntflt.sys

2009-11-21 20:17 . 2001-09-06 16:00 83926 ----a-w- d:\windows\system32\perfc016.dat

2009-11-21 20:17 . 2001-09-06 16:00 480028 ----a-w- d:\windows\system32\perfh016.dat

2008-11-16 19:41 . 2008-07-04 12:15 51600 ----a-w- d:\arquivos de programas\megacubo_log.log

2008-03-22 01:40 . 2008-03-22 01:40 0 ----a-w- d:\arquivos de programas\temp01

2007-05-02 18:08 . 2007-05-02 18:08 149 ----a-w- d:\arquivos de programas\options.ini

2007-04-16 01:52 . 2007-04-16 11:06 174354 ----a-w- d:\arquivos de programas\Luxor[1].2.cracked.exe-YPOGEiOS.zip

2007-04-15 22:49 . 2007-04-16 11:06 18002074 ----a-w- d:\arquivos de programas\Luxor2Setup.exe

2007-01-02 12:47 . 2007-01-02 12:35 139264 ----a-w- d:\arquivos de programas\caesarbackup.exe

2007-01-02 09:38 . 2007-01-02 12:48 13 ----a-w- d:\arquivos de programas\ID

2006-12-29 20:13 . 2007-03-19 15:41 6936424 ----a-w- d:\arquivos de programas\zuma.exe

2006-10-09 15:14 . 2006-10-09 15:14 2392064 ----a-w- d:\arquivos de programas\EClea2_0.exe

2006-08-28 15:43 . 2007-05-02 18:02 1078784 ----a-w- d:\arquivos de programas\VDownloader.exe

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Photo Downloader"="d:\arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-14 57344]

"avgnt"="d:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Adobe Reader Speed Launcher"="d:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"PcSync"="d:\arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

 

d:\documents and settings\FABIO\Menu Iniciar\Programas\Inicializar\

UCmore XP - The Search Accelerator.lnk - d:\windows\system32\rundll32.exe [2004-8-4 33280]

 

d:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

BTTray.lnk - d:\arquivos de programas\WIDCOMM\Bluetooth Software\BTTray.exe [2004-5-25 565309]

Acrobat Assistant.lnk - d:\arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Gamma Loader.lnk - d:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-18 110592]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2009-12-30 12:58 318240 ----a-w- d:\arquivos de programas\GbPlugin\gbieh.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"d:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"55000:TCP"= 55000:TCP:UnitedFootball

"55500:UDP"= 55500:UDP:UnitedFootball

"55000:UDP"= 55000:UDP:UnitedFootball

"7298:TCP"= 7298:TCP:lkpwt

 

R0 GbpKm;Gbp KernelMode;d:\windows\system32\drivers\gbpkm.sys [22/5/2009 21:22 30752]

R0 sptd;sptd;d:\windows\system32\drivers\sptd.sys [18/5/2006 18:39 642560]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [21/3/2009 17:14 108289]

R2 GbpSv;Gbp Service;d:\arquiv~1\GbPlugin\GbpSv.exe [22/5/2009 21:22 54048]

S2 wbvjo;omaxswqoe;d:\windows\system32\svchost.exe -k netsvcs [4/8/2004 02:45 14336]

S3 npggsvc;nProtect GameGuard Service;d:\windows\system32\GameMon.des -service --> d:\windows\system32\GameMon.des -service [?]

S3 QsndEnum;QSound Virtual Audio Devices Bus Enumerator;d:\windows\system32\DRIVERS\QsndEnum.sys --> d:\windows\system32\DRIVERS\QsndEnum.sys [?]

S3 vaxscsi;vaxscsi;d:\windows\system32\drivers\vaxscsi.sys [18/5/2006 18:41 223128]

S3 XDva195;XDva195;\??\d:\windows\system32\XDva195.sys --> d:\windows\system32\XDva195.sys [?]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wbvjo

.

.

------- Scan Suplementar -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.terra.com.br/portal/

uInternet Settings,ProxyOverride = local

uSearchURL,(Default) = hxxp://www.speedapps.com/search.htm

TCP: {3847ACAC-FF7E-4EDD-B707-812DB52FBF2D} = 201.10.1.2

DPF: ADVFN 4v4 - hxxp://br.advfn.com/p.php?pid=loadercab

DPF: Microsoft XML Parser for Java

DPF: {3A5A2021-0895-11D2-8817-0060089E0724} - hxxp://corp.globalenglish.com/html/setup/cabs/ge.cab

DPF: {C298F7C6-958F-47AE-B811-C730070B5BD2} - hxxp://201.217.51.59/cab/Webview.cab

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKCU-Run-sys10 - d:\docume~1\FABIO\CONFIG~1\TempImages\sys13.exe

Notify-WgaLogon - (no file)

AddRemove-AltnetDM - c:\program files\Altnet\Download Manager\AltnetUninstall.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-17 16:10

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: error reading MBR

called modules: ntkrnlpa.exe >>UNKNOWN [0x847DBA40]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> 0x847dba40

\Driver\ACPI -> ACPI.sys @ 0xf7301cb8

\Driver\atapi -> atapi.sys @ 0xf727a2f0

IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

Warning: possible MBR rootkit infection !

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="d:\windows\system32\GameMon.des -service"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wbvjo]

"ServiceDll"="d:\windows\system32\uswqxon.dll"

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(780)

d:\arquivos de programas\GbPlugin\gbieh.dll

 

- - - - - - - > 'explorer.exe'(3700)

d:\windows\system32\msi.dll

d:\windows\system32\ieframe.dll

d:\arquivos de programas\Scpad\scpLIB.dll

d:\arquivos de programas\Scpad\scpMIB.dll

d:\arquivos de programas\Scpad\sshib.dll

d:\windows\system32\WPDShServiceObj.dll

d:\arquivos de programas\GbPlugin\gbieh.dll

d:\windows\system32\btncopy.dll

d:\arquivos de programas\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

d:\arquivos de programas\Nokia\Nokia PC Suite 6\PCSCM.dll

d:\arquivos de programas\PC Connectivity Solution\ConnAPI.DLL

d:\arquivos de programas\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_por-br.nlr

d:\arquivos de programas\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

d:\windows\system32\PortableDeviceTypes.dll

d:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

d:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe

d:\arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

d:\arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe

d:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

d:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

d:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-01-17 16:13:42 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-01-17 18:13

 

Pré-execução: 4.356.177.920 bytes disponíveis

Pós execução: 4.453.007.360 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

- - End Of File - - EA7271B7926FBA0113ABE35B0087E590

 

[wings 22]

Boa tarde....

 

 

*Abra o bloco de notas, selecione, copie e cole nele todo o conteúdo do código abaixo:

 

File::

d:\windows\system32\uswqxon.dll

FileLook::

d:\arquivos de programas\temp01

d:\arquivos de programas\options.ini

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7298:TCP"=-

NetSvc::

wbvjo

Driver::

wbvjo

*Salve o arquivo no desktop como CFScript.txt

*Arraste o arquivo para o Combofix conforme ilustração abaixo:

 

 

*Importante: enquanto o combofix estiver em execução, não use o mouse nem o teclado!!..para interromper o processo tecle N ou 2.

*Cole o relatório criado em C:\combofix.txt e novo log do hijack

[Mário Monteiro 179]

Tópico Arquivado

 

Como o autor não respondeu por mais de 30 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.