
This topic has been archived and is closed to new replies.

bugao1

[Archived] Analyze my log


Hello, I'm new to this security and malware area. My PC has a lot of viruses; I'm using AVG and the same viruses always show up. Every time I restart I send them to quarantine, and when I restart the PC they all come back again. After reading some posts I decided to download HijackThis and post a log:

Logfile of HijackThis v1.99.1

Scan saved at 14:11:33, on 23/1/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Documents and Settings\All Users\Dados de aplicativos\iexplore7.exe

C:\Windows\avg.exe

C:\Windows\System32\cmd.exe

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe

C:\Arquivos de programas\AVG\AVG9\avgemc.exe

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\Arquivos de programas\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

O1 - Hosts: <html lang='en'>

O1 - Hosts: <head>

O1 - Hosts: <meta name="description" content="Yahoo! GeoCities offers you a free web site and all the tools you need to build a dynamic site. Features include easy-to-use site building tools, online help, web site statistics, secure and reliable hosting, and an intuitive control panel.">

O1 - Hosts: <title>Yahoo! GeoCities: Get a web site with easy-to-use site building tools.</title>

O1 - Hosts: <link rel="stylesheet" type="text/css" media="all" href="http://l.yimg.com/a/combo?yui/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css&smbiz/css/headfoot_6.css&smbiz/css/ysbs_glossary_1.css">

O1 - Hosts: <link rel="stylesheet" type="text/css" media="all" href="http://us.i1.yimg.com/us.yimg.com/lib/smbiz/css/geocities_84954.css">

O1 - Hosts: <style>

O1 - Hosts: h1 { line-height:30px;height:30px; padding-left:15px; font-weight:bold;font-size:1.6em;color:#1f296a;}

O1 - Hosts: .services li { margin-left:1.0em; padding-left:0.5em; background:url("http://l.yimg.com/a/lib/smbiz/i/geo_bullet_3x3_1.gif") no-repeat 0 0.5em; margin-bottom:0.5em;margin-left:1.5em;margin-right:0.5em;width:6em}

O1 - Hosts: .services li {float:left; width:17em; font-size:116%;margin-top:0.8em}

O1 - Hosts: .services { font-size:116%; padding-bottom:20px }

O1 - Hosts: .learnmore a {color:#2882DE;font-size:16px}

O1 - Hosts: .image_web {float:right; margin:15px 0 0 15px}

O1 - Hosts: p {margin:20px;font-size:1em;}

O1 - Hosts: h2 {margin:20px 0 0 20px;color:#1F296;font-weight:bold;font-size:1.25em;color:#1f296a;}

O1 - Hosts: h3 {margin:20px;color:#1F296;font-weight:bold;font-size:1.15em;color:#1f296a;}

O1 - Hosts: li.rule {border-top:solid 1px #DBE1E6;}

O1 - Hosts: </style>

O1 - Hosts: </head>

O1 - Hosts: <body>

O1 - Hosts: <!-- following code added by server. PLEASE REMOVE -->

O1 - Hosts: <!-- preceding code added by server. PLEASE REMOVE -->

O1 - Hosts: <div class="ez-mw" style ="height:900px;width:905px">

O1 - Hosts: <div class="ez-wri ez-oh" style="width:900px">

O1 - Hosts: <div class="ez-box">

O1 - Hosts: <link type="text/css" rel="stylesheet" href="http://l.yimg.com/a/lib/uh/15/css/uh-1.0.28.css">

O1 - Hosts: <style type="text/css">

O1 - Hosts: div#headerblock div{font-family:arial;}

O1 - Hosts: </style>

O1 - Hosts: <div id="ygma"><div id="ygmaheader"><div class="bd sp"><div id="ymenu" class="ygmaclr"><div id="mepanel"><ul id="mepanel-nav"><li class="me1"><em>New User? <a class="ygmasignup" title="Sign Up" href="http://us.ard.yahoo.com/SIG=15u88cce2/M=650008.13654023.13693397.13153904/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252098940/L=HzY9i9j8aIuVH8pzSp2qoCoWz37hF0qhZ1wABADc/B=RCQ9Atj8a20-/J=1252091740846210/K=88LB2KvJxEkW95HaZ4xf4Q/A=5836007/R=2/SIG=13j8rdsqp/*https://edit.yahoo.com/config/eval_register?.done=http://smallbusiness.yahoo.com%2findex.html&.src=smbiz&.intl=us">Sign Up</a></em></li><li class="me2"><a title="Sign In" href="http://us.ard.yahoo.com/SIG=15u88cce2/M=650008.13654023.13693397.13153904/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252098940/L=HzY9i9j8aIuVH8pzSp2qoCoWz37hF0qhZ1wABADc/B=RCQ9Atj8a20-/J=1252091740846210/K=88LB2KvJxEkW95HaZ4xf4Q/A=5836007/R=3/SIG=13cm6p12o/*https://login.yahoo.com/config/login?.done=http://geocities.yahoo.com&.src=smbiz&.intl=us">Sign In</a></li>

O1 - Hosts: <li class="me3"><a href="http://us.ard.yahoo.com/SIG=15uqalioe/M=650008.13654021.13693393.13153902/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252098025/L=j.Ah_9j8aIuVH8pzSp2qoCg9z37hF0qhY8gACN48/B=zgw4Atj8a20-/J=1252090825225621/K=pmFpaSqI9UgVSmAu3nNNgw/A=5836006/R=7/SIG=11hjute28/*http://help.yahoo.com/l/us/yahoo/geocities/"'>http://us.ard.yahoo.com/SIG=15uqalioe/M=650008.13654021.13693393.13153902/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252098025/L=j.Ah_9j8aIuVH8pzSp2qoCg9z37hF0qhY8gACN48/B=zgw4Atj8a20-/J=1252090825225621/K=pmFpaSqI9UgVSmAu3nNNgw/A=5836006/R=7/SIG=11hjute28/*http://help.yahoo.com/l/us/yahoo/geocities/" target="_top" title="Yahoo! Help Central">Help</a></li>

O1 - Hosts: </ul></div><div id="ygmapromo"><a style="font-weight:bold;" id="ygmaie8" href="http://us.ard.yahoo.com/SIG=15vud5jbf/M=650008.13445975.13532322.12832737/D=smallbiz/S=2023010636:HPRM2/Y=YAHOO/EXP=1252098025/L=j.Ah_9j8aIuVH8pzSp2qoCg9z37hF0qhY8gACN48/B=0Qw4Atj8a20-/J=1252090825225621/K=pmFpaSqI9UgVSmAu3nNNgw/A=5706923/R=0/SIG=117bakia1/*http://toolbar.yahoo.com/?.cpdl=ushdl" target="_top">Get Yahoo! Toolbar<abbr title="Yahoo! Toolbar"></abbr></a>

O1 - Hosts: <script language=javascript>

O1 - Hosts: if(window.yzq_d==null)window.yzq_d=new Object();

O1 - Hosts: window.yzq_d['0Qw4Atj8a20-']='&U=13hn349r9%2fN%3d0Qw4Atj8a20-%2fC%3d650008.13445975.13532322.12832737%2fD%3dHPRM2%2fB%3d5706923%2fV%3d1';

O1 - Hosts: </script>

O1 - Hosts: <noscript><img width=1 height=1 alt="" src="http://us.bc.yahoo.com/b?P=j.Ah_9j8aIuVH8pzSp2qoCg9z37hF0qhY8gACN48&T=144j596l3%2fX%3d1252090825%2fE%3d2023010636%2fR%3dsmallbiz%2fK%3d5%2fV%3d2.1%2fW%3dH%2fY%3dYAHOO%2fF%3d1861688409%2fQ%3d-1%2fS%3d1%2fJ%3d8B68FCD8&U=13hn349r9%2fN%3d0Qw4Atj8a20-%2fC%3d650008.13445975.13532322.12832737%2fD%3dHPRM2%2fB%3d5706923%2fV%3d1"></noscript></div>

O1 - Hosts: <div id="pa"><div id="pa-wrapper"><ul id="pa2-nav" class="sp"><li class="pa1 sp"><a class="sp" href="http://us.ard.yahoo.com/SIG=15uqalioe/M=650008.13654021.13693393.13153902/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252098025/L=j.Ah_9j8aIuVH8pzSp2qoCg9z37hF0qhY8gACN48/B=zgw4Atj8a20-/J=1252090825225621/K=pmFpaSqI9UgVSmAu3nNNgw/A=5836006/R=8/SIG=10jmd0d5u/*http://yahoo.com/"'>http://us.ard.yahoo.com/SIG=15uqalioe/M=650008.13654021.13693393.13153902/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252098025/L=j.Ah_9j8aIuVH8pzSp2qoCg9z37hF0qhY8gACN48/B=zgw4Atj8a20-/J=1252090825225621/K=pmFpaSqI9UgVSmAu3nNNgw/A=5836006/R=8/SIG=10jmd0d5u/*http://yahoo.com/" title="Yahoo!" target="_top">Yahoo!</a></li><li class="pa2 sp"><a class="sp" href="http://us.ard.yahoo.com/SIG=15uqalioe/M=650008.13654021.13693393.13153902/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252098025/L=j.Ah_9j8aIuVH8pzSp2qoCg9z37hF0qhY8gACN48/B=zgw4Atj8a20-/J=1252090825225621/K=pmFpaSqI9UgVSmAu3nNNgw/A=5836006/R=9/SIG=10n3m6b64/*http://mail.yahoo.com"'>http://us.ard.yahoo.com/SIG=15uqalioe/M=650008.13654021.13693393.13153902/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252098025/L=j.Ah_9j8aIuVH8pzSp2qoCg9z37hF0qhY8gACN48/B=zgw4Atj8a20-/J=1252090825225621/K=pmFpaSqI9UgVSmAu3nNNgw/A=5836006/R=9/SIG=10n3m6b64/*http://mail.yahoo.com" title="Yahoo! Mail" target="_top">Mail</a></li></ul><div id="pa-left" class="sp"></div><ul id="pa-nav" class="sp"><li class="pa3 sp"><a class="sp" href="http://us.ard.yahoo.com/SIG=15uqalioe/M=650008.13654021.13693393.13153902/D=smallbiz/S=2023010636:HEAD/Y=YAHOO/EXP=1252

O1 - Hosts: <script language=javascript>

O1 - Hosts: if(window.yzq_d==null)window.yzq_d=new Object();

O1 - Hosts: window.yzq_d['zgw4Atj8a20-']='&U=13gmetml2%2fN%3dzgw4Atj8a20-%2fC%3d650008.13654021.13693393.13153902%2fD%3dHEAD%2fB%3d5836006%2fV%3d1';

O1 - Hosts: </script>

O1 - Hosts: </div>

O1 - Hosts: </div>

O1 - Hosts: <div class="ez-wr" style="width:898px;margin-top:1.5em">

O1 - Hosts: <Div class="ez-l2a" id="wrapper">

O1 - Hosts: <div class="ez-l2a-1 " style="width:898px">

O1 - Hosts: <div class="ez-box">

O1 - Hosts: <div class="ez-wr" >

O1 - Hosts: <div class="ez-box" style="width:898px">

O1 - Hosts: <h1>Sorry, the GeoCities web site you were trying to reach is no longer available.</h1>

O1 - Hosts: </div>

O1 - Hosts: </div>

O1 - Hosts: <div class="ez-wr">

O1 - Hosts: <div class="ez-box" id="boxyahoourls">

O1 - Hosts: <p> GeoCities has closed, but there's a lot more to explore on Yahoo!</p>

O1 - Hosts: <h2>Visit one of these popular Yahoo! sites:</h2>

O1 - Hosts: <ul class= "services">

O1 - Hosts: <li><a href="http://mail.yahoo.com">Yahoo! Mail</a></li>

O1 - Hosts: <li><a href="http://smallbusiness.yahoo.com/webhosting">Web Hosting</a></li>

O1 - Hosts: <li><a href="http://news.yahoo.com">News</a></li>

O1 - Hosts: <li><a href="http://games.yahoo.com">Games</a></li>

O1 - Hosts: <li><a href="http://sports.yahoo.com/">Sports</a> </li>

O1 - Hosts: <li><a href="http://movies.yahoo.com">Movies</a></li>

O1 - Hosts: <li><a href="http://finance.yahoo.com">Finance</a></li>

O1 - Hosts: <li><a href="http://maps.yahoo.com">Maps</a></li>

O1 - Hosts: </ul>

O1 - Hosts: </div>

O1 - Hosts: <li class="rule"><!----></li>

O1 - Hosts: <p>The GeoCities site you were looking for may have been preserved in the Internet Archive's Wayback Machine. To find out, <a href="http://www.archive.org/web/web.php" target="_blank">visit Archive.org</a> and enter the site's web address in the field provided.</p>

O1 - Hosts: <li class="rule"><!----></li>

O1 - Hosts: </div>

O1 - Hosts: </div>

O1 - Hosts: </div>

O1 - Hosts: </div>

O1 - Hosts: <div class="ez-wr">

O1 - Hosts: <div class="ez-box" style="text-align:center; margin-top:25px;">

O1 - Hosts: <font size="-2" face="verdana">Copyright © 2009 <a href="http://yahoo.com/">Yahoo!</a> Inc. All rights reserved.

O1 - Hosts: <ul>

O1 - Hosts: <li style="display:inline;"><a target="_top" href="http://privacy.yahoo.com/privacy/us/geo/">Privacy Policy</a></li> -

O1 - Hosts: <li style="display:inline;"><a target="_top" href="http://docs.yahoo.com/info/copyright/copyright.html">Copyright Policy</a></li> -

O1 - Hosts: <li style="display:inline;"><a target="_top" href="http://docs.yahoo.com/info/guidelines/community.html">Guidelines</a

O1 - Hosts: ></li> -

O1 - Hosts: <li style="display:inline;"><a target="_top" href="http://smallbusiness.yahoo.com/tos/tos.php">Terms of Service

O1 - Hosts: </a></li> -

O1 - Hosts: <li style="display:inline;"><a target="_top" href="http://help.yahoo.com/help/us/geo/">Help</a></li>

O1 - Hosts: </ul>

O1 - Hosts: </font>

O1 - Hosts: </div>

O1 - Hosts: </div>

O1 - Hosts: </div>

O1 - Hosts: </body>

O1 - Hosts: </html>

O1 - Hosts: <!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>

O1 - Hosts: <IMG SRC="http://geo.yahoo.com/serv?s=19190039&t=1261326341&f=us-w8" ALT=1 WIDTH=1 HEIGHT=1>

O2 - BHO: (no name) - {17AFA25C-5B2F-4B73-8AA7-DCFDF866E0C0} - C:\WINDOWS\system32\wqfwhtzg.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {74E97E07-D1BB-49E4-AFBA-1E9A52667514} - c:\windows\system32\hpdsbug.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [isass] C:\WINDOWS\system32\Issas.exe

O4 - HKLM\..\Run: [Test Lies 1 About] C:\Documents and Settings\All Users\Dados de aplicativos\Meal Grey Test Lies\window hold.exe

O4 - HKLM\..\Run: [bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [leccoq2] C:\windows\profissa.exe

O4 - HKLM\..\Run: [hotmail] C:\windows\pgg.exe

O4 - HKLM\..\Run: [autoenvio] C:\windows\msnngrx.exe

O4 - HKLM\..\Run: [tDefault] c:\windows\system32\znwlh.exe

O4 - HKLM\..\Run: [settings] c:\windows\zykgu.exe

O4 - HKLM\..\Run: [systemT] c:\windows\system\emfhk.exe

O4 - HKLM\..\Run: [b8487C] C:\WINDOWS\system32\164A02\B8487C.EXE

O4 - HKLM\..\Run: [iexplore7.exe] C:\Documents and Settings\All Users\Dados de aplicativos\iexplore7.exe

O4 - HKLM\..\Run: [] C:\Windows\avg.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [isass] C:\WINDOWS\system32\Issas.exe

O4 - HKCU\..\Run: [City cash] C:\DOCUME~1\ADMINI~1\DADOSD~1\ERRORB~1\settings lite stop.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\smss.exe"

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\herss.exe

O4 - HKCU\..\Run: [J8RPLTROBQ] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\c.exe

O4 - HKCU\..\Run: [mwsioz] C:\Documents and Settings\Administrador\mwsioz.exe

O4 - HKCU\..\Run: [nuoiv] C:\Documents and Settings\Administrador\nuoiv.exe

O4 - HKCU\..\Run: [LEO0WTUNO7] C:\WINDOWS\msc.exe

O4 - HKCU\..\Run: [explorer] C:\windows\killer.exe

O4 - HKCU\..\Run: [RSetting] c:\windows\inf\lqxad.exe

O4 - HKCU\..\Run: [userTools] c:\arquivos de programas\arquivos comuns\vynzl.exe

O4 - HKCU\..\Run: [CheckS] c:\windows\config\ysnkx.exe

O4 - HKCU\..\Run: [DeviceSys] c:\windows\system32\dsdlx.exe

O4 - HKCU\..\RunServices: [isass] C:\WINDOWS\system32\Issas.exe

O4 - Startup: B8487C.lnk = C:\WINDOWS\system32\164A02\B8487C.EXE

O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC043E4-5F90-4654-B618-E93393357878}: NameServer = 200.172.83.136 200.209.133.130

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG9\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live\Mail\mailcomm.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: hyncjpmy - C:\WINDOWS\SYSTEM32\hpdsbug.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Serviço Windows Live Proteção para a Família (fsssvc) - Unknown owner - C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

O23 - Service: NBService - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)

O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE12\ODSERV.EXE

O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE

After reading up on it, I decided to download FindyKill; I ran the scan and the log is right below:

############################## | FindyKill V5.027 |

 

# User : Administrador (Administradores) # ANDREY

# Update on 21/01/2010 by El Desaparecido

# Start at: 20:36:35 | 23/1/2010

# Website : http://pagesperso-orange.fr/NosTools/index.html

# Contact : FindyKill.Contact@gmail.com

 

# Processador Intel Pentium II

# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2

# Internet Explorer 6.0.2900.2180

# Windows Firewall Status : Enabled

# AV : ESET NOD32 Antivirus 3.0 3.0 [ (!) Disabled | Updated ]

 

# C:\ # Disco fixo local # 51,39 Go (34,72 Go free) # NTFS

# D:\ # Disco fixo local # 97,65 Go (96,01 Go free) # NTFS

# E:\ # Disco CD-ROM

# G:\ # Disco removível

# H:\ # Disco removível

# I:\ # Disco removível

# J:\ # Disco removível

 

############################## | Processos ativos |

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgemc.exe

C:\Arquivos de programas\AVG\AVG9\avgsrmax.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

################## | C: |

 

Supprimido ! C:\autorun.inf

 

################## | C:\WINDOWS |

 

 

################## | C:\WINDOWS\Prefetch |

 

 

################## | C:\WINDOWS\system32 |

 

 

################## | C:\WINDOWS\system32\drivers |

 

 

################## | C:\Documents and Settings\Administrador\Dados de aplicativos |

 

 

################## | Supressão Outros ... |

 

################## | Temporary Internet Files |

 

 

################## | Registro |

 

 

################## | Crack > Keygen > Serial |

 

 

################## | Estado |

 

# Safe mode restaurado !

 

# Affichagem dos arquivos ocultos : OK

 

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )

# Ip6Fw -> Start = 2 ( Good = 2 | Bad = 4 )

# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )

# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )

# wscsvc -> Start = 2 ( Good = 2 | Bad = 4 )

 

################## | PEH |

 

 

################## | ! Fim do relatório # FindyKill V5.027 ! |


Good morning....

1.

*Download HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip) and save it to the desktop

*Extract its contents to the desktop and run it. Click > [Restore Microsoft's Hosts File]

2.

*Download Bankerfix (http://www.linhadefensiva.org/dl/bankerfix) and save it to the desktop

*Temporarily disable your antivirus

Start > Programs > AVG

Open the AVG User Interface

Double-click Resident Shield

Uncheck the "Resident Shield active" option

Save the changes

*Double-click bankerfix.exe.

*Click [OK] > [YES] (if it asks for an update) > [OK]

*Press [ENTER] and wait.

*When it finishes, press [ENTER]

*Paste the report created at C:\LinhaDefensiva\relatorio.txt and a new HijackThis log
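The log in the first post shows the patterns a helper reads for first: the Winlogon shell (F2) has a second executable appended, the hosts file (O1) is full of HTML instead of address/hostname pairs (which is why the first step above restores it), many autoruns (O4) start from Temp or application-data folders or carry no name, and an O7 policy disables regedit. The following is an added triage script written for this page; it is not code from HijackThis, AVG or Linha Defensiva. It parses the "Oxx - " line format of a HijackThis v1.99 log and reports those entry types. The sample log inside it is constructed from a few entries modelled on this thread, and the folder-name fragments and the check that a core process name sits outside the Windows folder are the editor's own heuristics, not anything HijackThis itself applies.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example for this thread; it is not code from HijackThis, AVG or
Linha Defensiva. It parses the "Oxx - " line format shown in the logs above
and flags the entries a helper looks at first.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why the line deserves attention
    line: str     # the original log line


# A legitimate hosts line is blank, a comment, or "<address> <hostname> ...".
_HOSTS_LINE = re.compile(r"^\s*(#.*|[0-9A-Fa-f:.]+\s+\S+.*)?$")
_O4_ENTRY = re.compile(r"O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
_O4_STARTUP = re.compile(r"O4 - Startup: (?P<name>.*?) = (?P<cmd>.*)")

# Folder fragments any user (and so any malware running as that user) can write to.
# Editor's heuristic list; Portuguese and English XP folder names are both included.
_USER_WRITABLE = (
    "\\temp\\", "\\dados de aplicativos\\", "\\application data\\",
    "\\configurações locais\\", "\\local settings\\", "\\shellnew\\",
)
# Core Windows process names; a copy outside the Windows folder is a red flag.
_SYSTEM_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                 "services.exe", "svchost.exe", "explorer.exe"}


def _image_path(cmd: str) -> str:
    """Return the executable path from a Run value, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted value: cut at the first "/switch" argument, if there is one.
    return re.split(r"\s+/", cmd, maxsplit=1)[0]


def _check_o4(line: str) -> List[str]:
    """Reasons an O4 (autorun) entry deserves a second look; empty if none."""
    m = _O4_ENTRY.match(line) or _O4_STARTUP.match(line)
    if not m:
        return []
    low = _image_path(m.group("cmd")).lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if not m.group("name").strip():
        reasons.append("autorun entry with an empty name")
    if any(frag in low for frag in _USER_WRITABLE):
        reasons.append("autorun starts from a user-writable folder")
    if base in _SYSTEM_NAMES and "\\windows\\" not in low and "\\winnt\\" not in low:
        reasons.append(f"{base} located outside the Windows folder")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the entries worth a helper's attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        tag = line.split(" - ", 1)[0]
        if tag == "F2" and "Shell=" in line:
            # The Winlogon shell should be exactly Explorer.exe; anything appended runs at logon.
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(Finding("F2", "Winlogon shell is not plain Explorer.exe", line))
        elif tag == "O1":
            parts = line.split("O1 - Hosts:", 1)
            if len(parts) == 2 and not _HOSTS_LINE.match(parts[1]):
                findings.append(Finding("O1", "hosts file line is not valid hosts syntax", line))
        elif tag == "O4":
            for reason in _check_o4(line):
                findings.append(Finding("O4", reason, line))
        elif tag == "O7" and "DisableRegedit=1" in line:
            findings.append(Finding("O7", "policy disables the Registry Editor", line))
    return findings


# Constructed sample modelled on a few entries from the log in this thread (not the full log).
SAMPLE_LOG = r'''Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O1 - Hosts: <html lang='en'>
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\herss.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\smss.exe"
O4 - HKLM\..\Run: [] C:\Windows\avg.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

To use it on a real log, read the saved hijackthis.log file into a string and pass it to `triage()`. The script deliberately does not flag entries by name alone (the `[isass] ... Issas.exe` lookalike of lsass.exe in the log above would pass these location checks), so it is a first pass that narrows the list, not a verdict on each entry.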


Hello, I did as you said. Report:

 

BankerFix 3.1 VALKYRIE - Removedor de Bankers

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Data: 2010-01-24 - 10:34

-------------------------------------------------------

Lista de Definição: 2010-01-14-1 | CORE: 2010-01-14-1

=======================================================

 

Arquivo infectado detectado: C:\cleanup.bat

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\cleanup.exe

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\novo.exe

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\avg.exe

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\Temp\Perflib_Perfdata_4dc.dat

Arquivo infectado removido com sucesso!

 

 

 

----- Fim -------------------------

 

 

HijackThis log

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:11:21, on 24/1/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe

C:\Arquivos de programas\AVG\AVG9\avgemc.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Documents and Settings\All Users\Dados de aplicativos\iexplore7.exe

C:\Windows\System32\cmd.exe

C:\WINDOWS\system32\dwwin.exe

C:\WINDOWS\Explorer.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\winxuwoo.exe

C:\Documents and Settings\Administrador\Desktop\HostsXpert\HostsXpert.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\w3e5ac4.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

O2 - BHO: (no name) - {17AFA25C-5B2F-4B73-8AA7-DCFDF866E0C0} - C:\WINDOWS\system32\wqfwhtzg.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {74E97E07-D1BB-49E4-AFBA-1E9A52667514} - c:\windows\system32\hpdsbug.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Test Lies 1 About] C:\Documents and Settings\All Users\Dados de aplicativos\Meal Grey Test Lies\window hold.exe

O4 - HKLM\..\Run: [bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [leccoq2] C:\windows\profissa.exe

O4 - HKLM\..\Run: [autoenvio] C:\windows\msnngrx.exe

O4 - HKLM\..\Run: [tDefault] c:\windows\system32\znwlh.exe

O4 - HKLM\..\Run: [settings] c:\windows\zykgu.exe

O4 - HKLM\..\Run: [systemT] c:\windows\system\emfhk.exe

O4 - HKLM\..\Run: [b8487C] C:\WINDOWS\system32\164A02\B8487C.EXE

O4 - HKLM\..\Run: [iexplore7.exe] C:\Documents and Settings\All Users\Dados de aplicativos\iexplore7.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [isass] C:\WINDOWS\system32\Issas.exe

O4 - HKCU\..\Run: [City cash] C:\DOCUME~1\ADMINI~1\DADOSD~1\ERRORB~1\settings lite stop.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\smss.exe"

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\herss.exe

O4 - HKCU\..\Run: [J8RPLTROBQ] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\c.exe

O4 - HKCU\..\Run: [mwsioz] C:\Documents and Settings\Administrador\mwsioz.exe

O4 - HKCU\..\Run: [nuoiv] C:\Documents and Settings\Administrador\nuoiv.exe

O4 - HKCU\..\Run: [LEO0WTUNO7] C:\WINDOWS\msc.exe

O4 - HKCU\..\Run: [RSetting] c:\windows\inf\lqxad.exe

O4 - HKCU\..\Run: [userTools] c:\arquivos de programas\arquivos comuns\vynzl.exe

O4 - HKCU\..\Run: [CheckS] c:\windows\config\ysnkx.exe

O4 - HKCU\..\Run: [DeviceSys] c:\windows\system32\dsdlx.exe

O4 - HKCU\..\RunServices: [isass] C:\WINDOWS\system32\Issas.exe

O4 - Startup: B8487C.lnk = C:\WINDOWS\system32\164A02\B8487C.EXE

O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC043E4-5F90-4654-B618-E93393357878}: NameServer = 200.172.83.136 200.209.133.130

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG9\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live\Mail\mailcomm.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: hyncjpmy - C:\WINDOWS\SYSTEM32\hpdsbug.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Serviço Windows Live Proteção para a Família (fsssvc) - Unknown owner - C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Arquivos de programas\Microsoft Office\Office12\GrooveAuditService.exe

O23 - Service: NBService - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)

O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE12\ODSERV.EXE

O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE

 

 

One more thing: most of the time when I restart the PC, the antivirus gets deleted on its own.

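Before the helper's replies, it is worth seeing how the entries in a log like the one above can be triaged mechanically. The script below is an added example for this page, not a tool used in the thread or part of HijackThis; its sample lines are constructed from entries of the kind the log shows, and its rules (autostart binaries under a user profile or Temp, loose executables in the Windows folder or in Windows subfolders that hold no programs, system-process look-alikes outside System32, the legacy RunServices key, the DisableRegedit policy, and Winlogon Notify subkeys whose names bear no relation to their DLL) are heuristics that mark lines for review, not verdicts.

```python
"""Heuristic triage of HijackThis v1.99-style log lines (O4, O7, O17, O20).
Added example, not a tool from the thread; every hit is a hint for manual review."""
import os
import re

# Constructed sample, assembled from entries of the kind posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe"
O4 - HKLM\..\Run: [leccoq2] C:\windows\profissa.exe
O4 - HKLM\..\Run: [systemT] c:\windows\system\emfhk.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\herss.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\smss.exe"
O4 - HKCU\..\RunServices: [isass] C:\WINDOWS\system32\Issas.exe
O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC043E4-5F90-4654-B618-E93393357878}: NameServer = 200.172.83.136 200.209.133.130
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: hyncjpmy - C:\WINDOWS\SYSTEM32\hpdsbug.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O7_RE = re.compile(r"^O7 - (.+), (\w+)=(\w+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")
USER_OR_TEMP = re.compile(r"\\(docume~1|documents and settings|temp|tmp)\\")
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")
ODD_WINDOWS_SUBDIR = re.compile(r"\\windows\\(system|inf|config|shellnew)\\")
SYSTEM_NAMES = {"smss.exe", "lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}
LSASS_LOOKALIKES = {"issas.exe", "isass.exe"}  # spellings seen in the thread's log


def extract_path(command: str) -> str:
    """Return the executable path from an O4 command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces: cut after the first executable extension.
    m = re.match(r"(?i)(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", command)
    return m.group(1) if m else command.split()[0]


def path_reasons(path: str, key: str) -> list[str]:
    """Heuristics on where an autostart binary lives and what it is called."""
    p = path.lower().replace("/", "\\")
    reasons = []
    if key.lower() == "runservices":
        reasons.append("RunServices is a Win9x-era key; software written for XP does not use it")
    if "\\" not in p:
        return reasons  # bare name resolved via PATH (vendor tray tools do this)
    base = p.rsplit("\\", 1)[-1]
    if USER_OR_TEMP.search(p):
        reasons.append("binary lives in a user profile or Temp folder: droppable without admin rights")
    if WINDOWS_ROOT_EXE.match(p):
        reasons.append("loose executable directly in the Windows folder")
    if ODD_WINDOWS_SUBDIR.search(p):
        reasons.append("executable in a Windows subfolder that normally holds no programs")
    if base in SYSTEM_NAMES and "\\system32\\" not in p:
        reasons.append(f"{base} is a core system process name but is not under System32")
    if base in LSASS_LOOKALIKES:
        reasons.append(f"{base} imitates lsass.exe")
    return reasons


def notify_reasons(subkey: str, dll: str, missing: bool) -> list[str]:
    """Vendors name the Winlogon Notify subkey after its DLL; random names do not."""
    if missing:
        return ["DLL missing on disk: stale entry, clean it up but it is not active"]
    dll_base = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(os.path.commonprefix([subkey.lower(), dll_base.lower()])) < 3:
        return [f"subkey '{subkey}' shares no prefix with its DLL '{dll_base}'"]
    return []


def triage(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (section, line, reasons) for every line on which a rule fires."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        section = line.split(" - ", 1)[0]
        reasons: list[str] = []
        if section == "O4" and (m := O4_RE.match(line)):
            reasons = path_reasons(extract_path(m.group(4)), m.group(2))
        elif section == "O7" and (m := O7_RE.match(line)):
            if m.group(2).lower() == "disableregedit" and m.group(3) == "1":
                reasons = ["regedit disabled by policy: .reg imports fail until this is cleared"]
        elif section == "O17" and (m := O17_RE.match(line)):
            reasons = [f"per-adapter DNS servers {m.group(1)}: confirm they belong to the ISP or router"]
        elif section == "O20" and (m := O20_RE.match(line)):
            reasons = notify_reasons(m.group(1), m.group(2), m.group(3) is not None)
        if reasons:
            findings.append((section, line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {line}\n    " + "\n    ".join(reasons))
```

Run against the sample, the script leaves the Intel tray, Realtek and Skype entries alone and flags the same lines a helper would pick out by eye: the user-profile and Temp autostarts, the loose binaries under C:\windows, the smss.exe living outside System32, the RunServices entry, the disabled registry editor that later blocks the .reg import, and the Winlogon Notify subkey with a random name. The O17 DNS servers are always listed, because nothing in the log itself can say whether they are legitimate.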

I know... the PC is heavily infected. The cleanup will be done in stages.

1.

*Delete Bankerfix and the folder C:\LinhaDefensiva

2.

*Temporarily disable your antivirus

*Download LopUninstall (http://lop.com/new_uninstall.exe) and save it to the desktop

*Run it. Type in the numbers and click [uninstall]

3.

*Download EliTriip (http://www.zonavirus.com/datos/descargas/73/EliTriip.asp) and save it to the desktop

*Double-click EliTriip.exe and wait for it to finish

4.

*Download RegUnlocker (http://www.codehard.com.ar/file_download/1/RegUnlocker.exe) and save it to the desktop

*Run the program

*Under A - Restricciones, select the options:

1 - Eliminar restricciones del Sistema

2 - Eliminar restricciones del Explorador

*Click [Aplicar]

5.

*Download SalityKiller (http://wings.site90.net/Viroses/salitykiller.zip) and save it to the desktop

*Extract its contents to C:\

*Disable System Restore

Right-click My Computer > Properties > System Restore > Turn off System Restore > OK > Yes

*Temporarily disable your antivirus

*This program will run in 2 separate windows at the same time!!

*The first window:

*Click [Start] > [Run] > type: C:\salitykiller.exe -m

*Click [OK]

*Keep that window running. Do not close it!! Minimize it if you like.

*The second window:

*Click [Start] > [Run] > type: C:\salitykiller.exe -y -x -j -l sality.txt -v

*Click [OK]

*When it finishes, window 2 will close automatically. Then close window 1.

*Paste the report created at C:\sality.txt. Since it will be large, paste the summary found at the end of the file, as in the highlighted text:

Infected files: 6382

19:59:42 Infected processes: 0

19:59:42 Infected threads: 0

19:59:42 Cured files: 5808

19:59:42 Executed registry scripts: 1

Also paste a HijackThis log and the report created at C:\infosat.txt



 

 

 

Hi, sorry for the delay in replying. About EliTriip: I downloaded and installed it, but then it froze and never worked again. About SalityKiller: I followed the tutorial and left it running on my PC; 12 hours after I started SalityKiller it still had not finished. My PC shut down. P.S.: sometimes when someone takes a shower here at home the PC shuts off by itself because the power drops. I'd like to know what to do: should I go through the procedures you gave me again? Also, my Task Manager is working again.


Yes....

Delete EliTriip

Delete the uninstall program.

Redo the RegUnlocker procedure.

Redo the SalityKiller procedure.

Paste the report and a new HijackThis log.

N.B.

There is a space between C:\salitykiller.exe and -m, and likewise in C:\salitykiller.exe -y -x -j -l sality.txt -v



 

Report

 

 

9:44:40:46 Infected files: 21

9:44:40:46 Infected processes: 1

9:44:40:46 Infected threads: 2

9:44:40:46 Cured files: 20

9:44:40:46 Executed registry scripts: 1

 

 

HijackThis log

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:05:19, on 27/1/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Notepad.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\winrrna.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: B8487C.lnk = C:\WINDOWS\system32\164A02\B8487C.EXE

O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC043E4-5F90-4654-B618-E93393357878}: NameServer = 200.172.83.136 200.209.133.130

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG9\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live\Mail\mailcomm.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Serviço Windows Live Proteção para a Família (fsssvc) - Unknown owner - C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Arquivos de programas\Microsoft Office\Office12\GrooveAuditService.exe

O23 - Service: NBService - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)

O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE12\ODSERV.EXE

O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE


There are still signs of Sality activity.

1.

Delete the file C:\sality.txt

2.

Restart the PC in Safe Mode (tap F8 repeatedly while the PC boots and select "Safe Mode")

3.

Repeat the RegUnlocker and SalityKiller procedures

When done, restart the PC in Normal Mode and post a new HijackThis log.



 

Good afternoon. I put it in Safe Mode, and while Windows Professional was loading a blue screen appeared and the PC restarted. I tried several times but the blue screen always appeared, with some stuff written in white that I couldn't read because it went by too fast, so I chose LAST KNOWN GOOD CONFIGURATION and followed the procedures you gave me.

 

SalityKiller report:

 

 

14:20:50:921 Infected files: 1

14:20:50:921 Infected processes: 1

14:20:50:921 Infected threads: 0

14:20:50:937 Cured files: 0

14:20:50:937 Executed registry scripts: 1

 

HijackThis log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 14:59:49, on 27/1/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Notepad.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll (file missing)

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll (file missing)

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: B8487C.lnk = C:\WINDOWS\system32\164A02\B8487C.EXE

O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll (file missing)

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll (file missing)

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC043E4-5F90-4654-B618-E93393357878}: NameServer = 200.172.83.136 200.209.133.130

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG9\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL (file missing)

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live\Mail\mailcomm.dll (file missing)

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Serviço Windows Live Proteção para a Família (fsssvc) - Unknown owner - C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Arquivos de programas\Microsoft Office\Office12\GrooveAuditService.exe

O23 - Service: NBService - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)

O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE12\ODSERV.EXE

O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE


OK...

1.

*Delete the files C:\salitykiller.exe and C:\sality.txt

2.

*Download RegistryFix and save it to the desktop

*Double-click RegistryFix.exe and click [Fix Registry]

3.

*Download sality_regkeys (http://support.kaspersky.com/downloads/utils/sality_regkeys.zip) and save it to the desktop

*Extract the contents of Sality_RegKeys.zip to the desktop

*In the SalityRegKeys folder, double-click the file SafeBootWinXP.reg and accept the registry entry

4.

*Download the program from one of the links below and save it to the desktop

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

http://www.freedrweb.com/download+cureit/

*Double-click drweb-cureit.exe and install the program

*Click Start and wait for the initial scan of the system's vital areas to finish

*If it finds anything, click "Yes"

*When done, select the "Complete scan" option and click the green or blue arrow

*Always click "Yes" to remove

*When finished, click "File" and save the report to the desktop

*The report will have the .csv extension

*Close DrWebCureIt and restart the PC

*Paste the report in your next reply.


 


 

 

 

I extract the file fine, but when I double-click SafeBootWinXP.reg it says: Registry editing has been disabled by the Administrator. So I didn't continue, afraid it would cause some problem on my machine.


Let's see whether Sality is still active.

If it is, you will have to format the PC.

*Download ComboFix and save it to the desktop

*Double-click the file Combofix.exe

*Accept the license agreement

*If the Windows Recovery Console is already installed, ComboFix will continue automatically. If it is not, a window like the one below will open. Click [Yes] to accept its installation.

[image: recovery-console-prompt.jpg]

*After installation, click [Yes] to continue.

[image: recovery-console-installed.jpg]

*Important: while ComboFix is running, do not use the mouse or keyboard!! To abort the procedure, press N or 2 and then ENTER.

*The program will close automatically

*Paste the report created at C:\combofix.txt


Hi, I managed to use SafeBootWinXP.reg; I did it as in that procedure.

 


 

The problem is that I can't open the report, because I don't have Microsoft Office, so I opened it in Notepad. Is that a problem?

 

Report:

 

pic1[1].jpg;C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\AB6LAXQV;BackDoor.Pigeon.12660;Eliminado.;

pic2[1].jpg;C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\Q1C3GRS1;BackDoor.Pigeon.12660;Eliminado.;

ComboFix.exe;C:\Documents and Settings\Administrador\Meus documentos\Downloads;Win32.Sector.10;Desinfectado.;

HijackThis.exe;C:\Documents and Settings\Administrador\Meus documentos\Downloads;Win32.Sector.10;Desinfectado.;

RegUnlocker.exe;C:\Documents and Settings\Administrador\Meus documentos\Downloads;Win32.Sector.10;Desinfectado.;

odserv.exe;c:\arquivos de programas\arquivos comuns\microsoft shared\office12;Win32.Sector.10;Desinfectado.;

ose.exe;c:\arquivos de programas\arquivos comuns\microsoft shared\source engine;Win32.Sector.10;Desinfectado.;

avgtray.exe;c:\arquivos de programas\avg\avg9;Win32.Sector.10;Desinfectado.;

grooveauditservice.exe;c:\arquivos de programas\microsoft office\office12;Win32.Sector.10;Desinfectado.;

onenotem.exe;c:\arquivos de programas\microsoft office\office12;Win32.Sector.10;Desinfectado.;

explorer.exe;c:\windows;Win32.Sector.10;Desinfectado.;

 

A CureIt.txt was also generated; I'll post the last part because it is large. If you want me to post the rest, just say so.

 

Total session statistics

=============================================================================

Objects scanned: 7581

Infected: 11

Objects with modifications found: 0

Suspicious objects found: 0

Adware programs found: 0

Dialer programs found: 0

Joke programs found: 0

Riskware programs found: 0

Hacktool programs found: 0

Objects disinfected: 9

Objects deleted: 2

Objects renamed: 0

Objects moved: 0

Objects skipped: 0

Scan speed: 426 Kb/s

Scan time: 01:30:59

 

 

 

 

PS: Could you give me a hand with something else? Whenever I try to install Daemon Tools Lite, it asks to restart, and then, when it restarts, at the point where Windows is loading, a blue screen appears with some text on it that I can't read because it goes by too fast.

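Added example (mine, not part of this post, of the CureIt instructions above, or of Dr.Web's own tooling): a small Python script that reads the CSV report the procedure above produces and sorts the findings into the actions a responder would take next. The record layout assumed is the one visible in the report (file name; directory; detection; action, separated by ';'); the sample records are copied from it, while the list of "system" directories, the tool names and the helper functions are my assumptions.

```python
"""Triage a Dr.Web CureIt CSV report (added example, not Dr.Web code)."""
import csv
from collections import Counter, defaultdict
from io import StringIO
from pathlib import PureWindowsPath

# Constructed sample: a subset of the records from the CureIt report posted above.
SAMPLE_REPORT = r"""pic1[1].jpg;C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\AB6LAXQV;BackDoor.Pigeon.12660;Eliminado.;
ComboFix.exe;C:\Documents and Settings\Administrador\Meus documentos\Downloads;Win32.Sector.10;Desinfectado.;
HijackThis.exe;C:\Documents and Settings\Administrador\Meus documentos\Downloads;Win32.Sector.10;Desinfectado.;
avgtray.exe;c:\arquivos de programas\avg\avg9;Win32.Sector.10;Desinfectado.;
explorer.exe;c:\windows;Win32.Sector.10;Desinfectado.;
"""

# Assumption: roots under which an executable was a legitimate file before the
# infector modified it (Windows itself and the Portuguese/English Program Files).
SYSTEM_ROOTS = ("c:\\windows", "c:\\arquivos de programas", "c:\\program files")
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".ocx"}


def parse_report(text):
    """Parse CureIt CSV lines into dicts; short or blank lines are skipped."""
    records = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < 4:
            continue
        name, directory, detection, action = row[:4]
        records.append({
            "name": name,
            "directory": directory,
            "detection": detection,
            "action": action.rstrip("."),          # "Desinfectado." -> "Desinfectado"
            "path": str(PureWindowsPath(directory) / name),
        })
    return records


def detections_by_action(records):
    """Map detection name -> Counter of the actions CureIt took for it."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["detection"]][rec["action"]] += 1
    return summary


def infected_system_binaries(records):
    """Executables under Windows / Program Files that CureIt touched.

    A file infector patches legitimate binaries; after 'disinfect' the file is
    not guaranteed to be byte-identical to the vendor's, so these are the
    candidates for replacement (SFC, vendor reinstall, or a known-good copy).
    """
    hits = []
    for rec in records:
        path = PureWindowsPath(rec["path"])
        under_system = str(path).lower().startswith(SYSTEM_ROOTS)
        if under_system and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            hits.append(rec["path"])
    return hits


def compromised_tools(records, tool_names=("ComboFix.exe", "HijackThis.exe")):
    """Cleanup tools that were themselves infected and must be re-downloaded."""
    wanted = {n.lower() for n in tool_names}
    return sorted(r["name"] for r in records if r["name"].lower() in wanted)


def system_account_cache_hits(records):
    """Detections inside the LocalSystem profile's IE cache.

    system32\\config\\systemprofile is the SYSTEM account's profile, so files
    cached there were fetched by a process running as SYSTEM, not by the user.
    """
    marker = "\\system32\\config\\systemprofile\\"
    return [r["path"] for r in records if marker in r["directory"].lower()]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for detection, actions in detections_by_action(recs).items():
        print(detection, dict(actions))
    print("replace from a known-good source:", infected_system_binaries(recs))
    print("re-download before reuse:", compromised_tools(recs))
    print("fetched while running as SYSTEM:", system_account_cache_hits(recs))
```

Two things the grouped output makes obvious that the flat report does not: Win32.Sector is Dr.Web's name for the Sality family, a polymorphic file infector, so a "disinfected" explorer.exe or avgtray.exe should be replaced rather than trusted, and ComboFix and HijackThis were infected on disk and need to be downloaded again before being run; and the BackDoor.Pigeon files sit in the IE cache of the SYSTEM profile, which means whatever downloaded them was already running with SYSTEM privileges.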

Logfile of HijackThis v1.99.1

Scan saved at 23:07:50, on 27/1/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

D:\avast_home_setup.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll (file missing)

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll (file missing)

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: B8487C.lnk = C:\WINDOWS\system32\164A02\B8487C.EXE

O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll (file missing)

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll (file missing)

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC043E4-5F90-4654-B618-E93393357878}: NameServer = 200.172.83.136 200.209.133.130

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG9\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL (file missing)

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live\Mail\mailcomm.dll (file missing)

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Serviço Windows Live Proteção para a Família (fsssvc) - Unknown owner - C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

O23 - Service: NBService - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)

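Added example (mine, not from the post above or from HijackThis): a Python triage pass over the log format shown above. It parses the "Oxx - " lines and applies four heuristics: an O4 autostart whose target sits in a random hex-named folder under system32, an O7 policy value that restricts the user (DisableRegedit=1 is the setting that locks the user out of regedit), O17 NameServer entries that are not on a list the analyst supplies, and entries whose target file no longer exists. The sample lines are copied from the log; the regular expressions, severities and function names are my assumptions, and an O17 hit means "verify these addresses with the ISP", not "malicious".

```python
"""Heuristic triage of HijackThis v1.99 log entries (added example)."""
import re

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll (file missing)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe
O4 - Startup: B8487C.lnk = C:\WINDOWS\system32\164A02\B8487C.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC043E4-5F90-4654-B618-E93393357878}: NameServer = 200.172.83.136 200.209.133.130
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
"""

# "O4 - <body>", "O17 - <body>", ...
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# An executable inside a 4..8 hex-character folder directly under system32,
# e.g. system32\164A02\B8487C.EXE; no Windows component installs like that.
HEX_DIR_RE = re.compile(r"\\system32\\[0-9a-f]{4,8}\\[^\\]+\.exe$", re.I)
# "...\Policies\System, DisableRegedit=1"
POLICY_RE = re.compile(r"Policies\\System, (?P<name>\w+)=(?P<value>\d+)")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_entries(text):
    """Return (code, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(text, expected_dns=()):
    """Return (severity, code, reason) tuples, highest severity first.

    expected_dns: resolver addresses the analyst already knows belong to the
    ISP or the LAN; any O17 address outside that list is reported for review.
    """
    findings = []
    for code, body in parse_entries(text):
        if code == "O4" and HEX_DIR_RE.search(body):
            findings.append(("high", code,
                             "autostart from hex-named folder under system32: " + body))
        elif code == "O7":
            policy = POLICY_RE.search(body)
            if policy and policy.group("value") != "0":
                findings.append(("high", code,
                                 f"user policy restriction {policy.group('name')}="
                                 f"{policy.group('value')}"))
        elif code == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns:
                unknown = [s for s in ns.group("servers").split() if s not in expected_dns]
                if unknown:
                    findings.append(("medium", code,
                                     "DNS servers to verify with the ISP: " + " ".join(unknown)))
        elif "(no file)" in body or "(file missing)" in body:
            # Orphaned registration: harmless by itself, but it is what a
            # removed or failed-install component leaves behind; clean it up.
            findings.append(("low", code, "orphaned entry, target missing: " + body))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, code, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {code}: {reason}")
```

On this log the two "high" findings are the ones a helper would act on first: the startup shortcut pointing into C:\WINDOWS\system32\164A02\ (the ComboFix log later in the thread lists that folder, with three sibling hex-named folders, all created on the same day) and the HKCU DisableRegedit policy, which is what prevents the user from fixing anything by hand.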

Do the ComboFix procedure as I asked earlier.

 

Registry access is still compromised.


ComboFix 10-01-27.03 - Administrador 27/01/2010 23:36:57.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1015.454 [GMT -3:00]

Running from: c:\documents and settings\Administrador\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

 

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\Drivers\qtmqom.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_dac970nt

 

 

(((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 ))))))))))))))))))))))))))))

.

 

2010-01-28 02:13 . 2010-01-28 02:13 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Yahoo! Companion

2010-01-28 02:13 . 2010-01-28 02:13 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Yahoo!

2010-01-28 02:13 . 2010-01-28 02:13 -------- d-----w- c:\arquivos de programas\Yahoo!

2010-01-28 02:12 . 2010-01-28 02:13 -------- d-----w- c:\arquivos de programas\CCleaner

2010-01-28 01:28 . 2008-04-21 21:27 216064 ------w- c:\windows\system32\dllcache\wordpad.exe

2010-01-28 01:20 . 2010-01-28 01:32 -------- d--h--w- c:\windows\$hf_mig$

2010-01-28 01:08 . 2009-08-06 22:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-01-27 23:07 . 2010-01-27 23:07 -------- d-----w- c:\documents and settings\Administrador\DoctorWeb

2010-01-27 16:14 . 2010-01-27 16:14 -------- d-----w- c:\windows\system32\LogFiles

2010-01-25 22:07 . 2010-01-27 16:03 -------- d-----w- C:\RegUnlocker Backups

2010-01-25 11:54 . 2010-01-25 11:54 -------- d-----w- c:\windows\system32\xircom

2010-01-25 11:54 . 2010-01-25 11:54 -------- d-----w- c:\windows\system32\wbem\snmp

2010-01-25 11:54 . 2010-01-25 11:54 -------- d-----w- c:\windows\system32\oobe

2010-01-25 11:54 . 2010-01-25 11:54 -------- d-----w- c:\arquivos de programas\microsoft frontpage

2010-01-25 11:54 . 2010-01-28 01:32 -------- d-sh--w- c:\windows\system32\dllcache

2010-01-24 14:33 . 2010-01-24 14:33 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes

2010-01-24 14:32 . 2010-01-24 14:32 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-01-24 14:32 . 2010-01-27 14:55 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-01-23 20:30 . 2010-01-23 11:40 920344 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgupd.exe

2010-01-23 20:29 . 2010-01-23 19:09 691992 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgiproxy.exe

2010-01-18 00:41 . 2010-01-20 18:16 360584 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgtdix.sys

2010-01-18 00:41 . 2010-01-18 00:41 28424 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgmfx86.sys

2010-01-18 00:41 . 2010-01-18 00:41 12464 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgrsstx.dll

2010-01-18 00:13 . 2010-01-21 16:47 1656088 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgupd.dll

2010-01-18 00:13 . 2010-01-21 16:47 798488 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avginet.dll

2010-01-14 12:33 . 2010-01-14 12:55 -------- d-----w- C:\$AVG

2010-01-14 12:33 . 2010-01-21 15:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-01-14 12:33 . 2010-01-21 16:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-01-14 12:33 . 2010-01-21 15:46 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-01-14 12:33 . 2010-01-27 14:50 -------- d-----w- c:\windows\system32\drivers\Avg

2010-01-14 12:32 . 2010-01-14 12:32 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\AVG Security Toolbar

2010-01-14 12:32 . 2010-01-14 12:32 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-01-14 12:31 . 2010-01-14 12:31 -------- d-----w- c:\arquivos de programas\AVG

2010-01-14 12:31 . 2010-01-27 14:49 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\avg9

2010-01-12 22:32 . 2010-01-28 02:45 115030048 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-01-12 22:31 . 2008-07-08 16:54 148496 ----a-w- c:\windows\system32\drivers\93307238.sys

2010-01-12 22:16 . 2010-01-12 22:16 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\ESET

2010-01-12 18:37 . 2010-01-12 18:37 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Trymedia

2010-01-11 23:39 . 2010-01-11 23:39 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-01-09 01:05 . 2010-01-09 01:05 -------- d-sh--w- c:\windows\ftpcache

2010-01-08 20:50 . 2010-01-27 21:44 -------- d--h--w- c:\windows\system32\C1B37C

2010-01-08 20:50 . 2010-01-14 14:57 -------- d--h--w- c:\windows\system32\164A02

2010-01-08 20:50 . 2010-01-10 17:48 -------- d--h--w- c:\windows\system32\3F754F

2010-01-08 20:50 . 2010-01-08 21:05 -------- d--h--w- c:\windows\system32\F759C6

2010-01-07 00:59 . 2010-01-11 16:57 -------- d-----w- c:\arquivos de programas\GbPlugin

2010-01-07 00:59 . 2010-01-07 01:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2010-01-07 00:09 . 2010-01-07 00:09 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Macrovision

2010-01-07 00:08 . 2010-01-07 00:08 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macrovision Shared

2010-01-07 00:08 . 2010-01-07 00:08 12464 ----a-w- c:\windows\system32\drivers\CDAC15BA.SYS

2010-01-07 00:08 . 2010-01-07 00:08 54784 ------w- c:\windows\system32\drivers\CDAC11BA.EXE

2010-01-07 00:07 . 2010-01-08 02:37 -------- d-----w- c:\arquivos de programas\AnswerWorks 4.0

2010-01-07 00:06 . 2010-01-08 02:37 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Autodesk Shared

2010-01-07 00:06 . 2010-01-07 00:06 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Autodesk

2010-01-07 00:06 . 2010-01-07 00:06 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Autodesk

2010-01-04 22:11 . 2009-12-05 18:53 38200 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-01-02 22:57 . 2005-09-19 19:43 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-01-02 22:57 . 2005-09-19 19:43 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-12-30 16:55 . 2009-12-30 16:55 514 ----a-w- C:\avexport.bat

2009-12-30 16:54 . 2009-12-30 16:54 34760 ----a-w- c:\windows\system32\Partizan.sys

2009-12-30 16:54 . 2009-12-30 16:54 710 ----a-w- c:\windows\system32\Partizan.exe

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-28 02:46 . 2009-12-22 00:54 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Skype

2010-01-28 02:42 . 2010-01-12 22:32 1349504 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-01-28 01:32 . 2009-12-05 18:58 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2010-01-27 21:43 . 2005-09-19 19:43 1034240 ----a-w- c:\windows\explorer.exe

2010-01-27 12:37 . 2004-08-04 03:45 114688 ----a-w- c:\windows\system32\wscript.exe

2010-01-27 12:36 . 2004-08-04 03:45 434688 ----a-w- c:\windows\system32\wiaacmgr.exe

2010-01-27 12:35 . 2004-08-04 03:45 141312 ----a-w- c:\windows\system32\taskmgr.exe

2010-01-27 12:34 . 2005-09-19 19:45 57856 ----a-w- c:\windows\system32\spoolsv.exe

2010-01-27 12:34 . 2004-08-04 03:45 542208 ----a-w- c:\windows\system32\shimgvw.dll

2010-01-27 12:33 . 2004-08-04 03:45 32768 ----a-w- c:\windows\system32\sethc.exe

2010-01-27 12:33 . 2004-08-04 03:45 33280 ----a-w- c:\windows\system32\rundll32.exe

2010-01-27 12:33 . 2004-08-04 03:45 11776 ----a-w- c:\windows\system32\regsvr32.exe

2010-01-27 12:33 . 2004-08-04 03:45 51200 ----a-w- c:\windows\system32\reg.exe

2010-01-27 12:32 . 2001-10-28 17:07 11776 ----a-w- c:\windows\system32\rasautou.exe

2010-01-27 12:31 . 2004-08-04 03:45 172032 ----a-w- c:\windows\system32\odbcconf.exe

2010-01-27 12:31 . 2004-08-04 03:45 70144 ----a-w- c:\windows\system32\notepad.exe

2010-01-27 12:30 . 2004-08-04 03:45 42496 ----a-w- c:\windows\system32\net.exe

2010-01-27 12:30 . 2009-12-05 18:08 345600 ----a-w- c:\windows\system32\mspaint.exe

2010-01-27 12:29 . 2005-09-19 19:45 78848 ----a-w- c:\windows\system32\msiexec.exe

2010-01-27 12:29 . 2004-08-04 03:45 29184 ----a-w- c:\windows\system32\mshta.exe

2010-01-27 12:28 . 2004-08-04 03:45 815616 ----a-w- c:\windows\system32\mmc.exe

2010-01-27 12:28 . 2005-09-19 20:12 96768 ----a-w- c:\windows\system32\logagent.exe

2010-01-27 12:26 . 2004-08-04 03:45 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-01-27 01:05 . 2004-08-04 03:45 1298432 ----a-w- c:\windows\system32\dxdiag.exe

2010-01-27 00:59 . 2004-08-04 03:45 98304 ----a-w- c:\windows\system32\cscript.exe

2010-01-27 00:57 . 2004-08-04 03:45 502784 ----a-w- c:\windows\system32\cmd.exe

2010-01-27 00:57 . 2004-08-04 03:45 64512 ----a-w- c:\windows\system32\cleanmgr.exe

2010-01-27 00:55 . 2009-12-05 18:09 115200 ----a-w- c:\windows\system32\calc.exe

2010-01-27 00:54 . 2001-10-28 17:06 11264 ----a-w- c:\windows\system32\attrib.exe

2010-01-25 12:00 . 2001-10-28 17:07 66136 ----a-w- c:\windows\system32\perfc016.dat

2010-01-25 12:00 . 2001-10-28 17:07 422178 ----a-w- c:\windows\system32\perfh016.dat

2010-01-23 19:56 . 2004-08-04 03:45 420352 ----a-w- c:\windows\system32\ntvdm.exe

2010-01-23 19:56 . 2009-12-05 18:10 114688 ----a-w- c:\windows\system32\mstinit.exe

2010-01-23 19:56 . 2009-12-05 18:09 128000 ----a-w- c:\windows\system32\mshearts.exe

2010-01-23 16:09 . 2009-12-10 04:29 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Meal Grey Test Lies

2010-01-22 23:01 . 2004-08-04 03:45 150528 ----a-w- c:\windows\regedit.exe

2010-01-22 15:21 . 2009-12-05 18:08 206336 ----a-w- c:\windows\system32\sndrec32.exe

2010-01-19 13:56 . 2004-08-04 01:59 95360 ------w- c:\windows\system32\drivers\atapi.sys

2010-01-15 16:07 . 2009-12-25 23:50 717296 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-01-15 15:51 . 2009-12-05 19:51 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Ahead

2010-01-15 11:52 . 2009-12-22 01:42 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\skypePM

2010-01-14 17:30 . 2009-12-13 19:37 -------- d-----w- c:\arquivos de programas\Circle Deveopement

2010-01-14 17:02 . 2009-12-10 04:26 -------- d-----w- c:\arquivos de programas\MessengerPlus! 3

2010-01-12 16:57 . 2009-12-14 03:02 -------- d-----w- c:\arquivos de programas\Registrar Registry Manager

2010-01-04 22:11 . 2009-12-21 19:14 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Hamachi

2009-12-30 16:55 . 2009-12-30 16:55 474 ----a-w- c:\arquivos de programas\wegdjqn.txt

2009-12-28 22:50 . 2009-12-28 22:49 -------- d-----w- c:\arquivos de programas\DirectX9

2009-12-28 03:34 . 2009-12-28 03:33 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP

2009-12-27 19:08 . 2009-12-14 18:18 -------- d-----w- c:\arquivos de programas\Arquivos comuns\SWF Studio

2009-12-27 17:29 . 2009-12-27 17:29 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-12-27 17:25 . 2009-12-27 17:25 54624 ----a-w- c:\windows\system32\b87B.sys

2009-12-25 23:50 . 2009-12-25 23:50 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\DAEMON Tools Lite

2009-12-24 13:09 . 2004-08-04 03:45 117760 ----a-w- c:\windows\system32\ctfmon.exe

2009-12-22 22:02 . 2009-12-09 17:01 150616 ----a-w- c:\windows\hpoins15.dat

2009-12-22 21:08 . 2009-12-22 21:08 -------- d-----w- c:\arquivos de programas\Microsoft Works

2009-12-22 21:08 . 2009-12-22 21:08 -------- d-----w- c:\arquivos de programas\MSBuild

2009-12-22 21:05 . 2009-12-22 21:05 -------- d-----w- c:\arquivos de programas\Microsoft.NET

2009-12-22 21:02 . 2009-12-22 21:01 -------- d-----w- c:\arquivos de programas\Microsoft Visual Studio 8

2009-12-22 01:42 . 2009-12-22 01:42 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-12-22 00:52 . 2009-12-22 00:48 -------- d-----r- c:\arquivos de programas\Skype

2009-12-22 00:48 . 2009-12-22 00:48 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Skype

2009-12-22 00:48 . 2009-12-22 00:48 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Skype

2009-12-21 19:12 . 2009-12-21 18:44 16224 ----a-w- c:\windows\system32\drivers\hamachi.sys

2009-12-19 00:50 . 2009-12-14 18:39 -------- d-----w- c:\arquivos de programas\DivX

2009-12-16 02:45 . 2009-12-05 18:11 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-12-16 02:42 . 2009-12-14 18:32 45056 ----a-w- c:\windows\NCUNINST.EXE

2009-12-13 23:18 . 2009-12-13 19:37 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2009-12-13 19:51 . 2009-12-13 19:51 -------- d-----w- c:\arquivos de programas\Ask Search Assistant

2009-12-13 19:51 . 2009-12-13 19:37 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live

2009-12-11 06:37 . 2009-12-11 06:37 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight

2009-12-11 06:33 . 2009-12-11 06:33 -------- d-----w- c:\arquivos de programas\Microsoft Sync Framework

2009-12-11 06:33 . 2009-12-11 06:33 -------- d-----w- c:\arquivos de programas\Microsoft SQL Server Compact Edition

2009-12-11 06:32 . 2009-12-11 06:32 -------- d-----w- c:\arquivos de programas\Microsoft

2009-12-11 00:38 . 2009-12-11 00:38 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Media Player Classic

2009-12-10 05:20 . 2009-12-10 05:20 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Windows Live

2009-12-09 17:04 . 2009-12-09 17:04 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hewlett-Packard

2009-12-09 17:02 . 2009-12-09 17:02 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Hewlett-Packard

2009-12-09 17:01 . 2009-12-09 17:01 -------- d-----w- c:\arquivos de programas\HP

2009-12-07 14:34 . 2009-12-07 13:02 -------- d-----w- c:\arquivos de programas\Runtime Software

2009-12-05 21:57 . 2009-12-05 21:57 15240 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Microsoft\IdentityCRL\ppcrlconfig.dll

2009-12-05 20:05 . 2009-12-05 20:05 0 ----a-w- c:\windows\nsreg.dat

2009-12-05 19:57 . 2009-12-05 19:52 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Ahead

2009-12-05 19:51 . 2009-12-05 19:51 -------- d-----w- c:\arquivos de programas\Nero

2009-12-05 19:04 . 2009-12-05 19:04 -------- d-----w- c:\arquivos de programas\Alwil Software

2009-12-05 18:53 . 2009-12-05 18:53 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe AIR

2009-12-05 18:35 . 2009-12-05 18:35 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2009-12-05 18:35 . 2009-12-05 18:35 -------- d-----w- c:\arquivos de programas\Realtek

2009-12-05 18:35 . 2009-12-05 18:35 315392 ----a-w- c:\windows\HideWin.exe

2009-12-05 18:35 . 2009-12-05 18:35 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2009-12-05 18:14 . 2009-12-05 18:14 -------- d-----w- c:\arquivos de programas\Java

2009-12-05 18:14 . 2009-12-05 18:14 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2009-12-05 18:13 . 2009-12-05 18:13 -------- d-----w- c:\arquivos de programas\K-Lite Codec Pack

2009-12-05 18:11 . 2009-12-05 18:11 -------- d-----w- c:\arquivos de programas\Serviços on-line

2009-12-05 18:10 . 2009-12-05 18:10 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Serviços

2009-12-05 18:09 . 2009-12-05 18:09 21844 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-05 18:07 . 2009-12-05 18:07 4128 ----a-w- c:\windows\system32\drivers\INFCACHE.1

2009-11-13 15:23 . 2009-12-14 03:02 32824 ----a-w- c:\windows\system32\rrMon.sys

.

 

------- Sigcheck -------

 

[-] 2005-09-19 . DBC20C4332FE84B826530C49AE09721E . 359936 . . [5.1.2600.2685] . . c:\windows\system32\drivers\tcpip.sys

 

[-] 2005-09-19 . A38FDDA0A6FEC3ACAA8511366AACC6A3 . 396288 . . [5.1.2600.2665] . . c:\windows\system32\rpcss.dll

 

[-] 2010-01-27 . 94B33891F1BE67258433171CE8EB9B3A . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe

 

[-] 2005-09-19 . 472BE19EDF1B28DC75FB6DC4B55B3CF6 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll

 

[-] 2005-09-19 . E2BFA54BF52619F13651D4FCF48EC956 . 3014144 . . [6.00.2900.2722] . . c:\windows\system32\mshtml.dll

 

[-] 2005-09-19 . 6E3AB4241E058B248CB7CDC5157449C3 . 2183808 . . [5.1.2600.2622] . . c:\windows\system32\ntoskrnl.exe

 

[-] 2005-09-19 . F94EBF229DC4A2A74A4CEA0318103FD2 . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll

 

[-] 2005-09-19 . 3ED0A4D74EFD5AAF8408095F452E2613 . 577536 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll

 

[-] 2005-09-19 . CB38F344FAA2CC14A3C6D4E64073F07B . 661504 . . [6.00.2900.2713] . . c:\windows\system32\wininet.dll

 

[-] 2010-01-27 . E86A50F3C5905462575D77AB8B6C3729 . 1034240 . . [6.00.2900.2527] . . c:\windows\explorer.exe

 

[-] 2005-09-19 . 9DD429359FE067BA52D00C0DBB9537EE . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

 

[-] 2009-12-24 . A70004B30AAED51245CC526AB9311D08 . 117760 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe

 

[-] 2005-09-19 20:12 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\mspmsnsv.dll

 

[-] 2005-09-19 . AED7B3AA86AD031CF39C6E4BBA37E818 . 2061184 . . [5.1.2600.2622] . . c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-01-27_05.02.10 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-09-03 05:55 . 2009-08-06 22:24 44768 c:\windows\system32\wups2.dll

+ 2009-12-05 18:10 . 2009-08-06 22:24 35552 c:\windows\system32\wups.dll

+ 2009-12-05 18:10 . 2009-08-06 22:24 53472 c:\windows\system32\wuauclt.exe

+ 2009-12-05 18:56 . 2008-07-09 07:34 18296 c:\windows\system32\spmsg.dll

+ 2010-01-27 19:46 . 2009-08-06 22:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll

+ 2010-01-27 19:46 . 2009-08-06 22:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2005-09-03 05:55 . 2009-08-06 22:24 96480 c:\windows\system32\cdm.dll

- 2009-12-22 21:10 . 2010-01-25 16:31 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

+ 2005-09-19 19:44 . 2008-02-17 07:33 360448 c:\windows\system32\xpsp3res.dll

+ 2009-12-05 18:10 . 2009-08-06 22:24 209632 c:\windows\system32\wuweb.dll

+ 2009-12-05 18:10 . 2009-08-06 22:24 327896 c:\windows\system32\wucltui.dll

+ 2009-12-05 18:10 . 2009-08-06 22:23 575704 c:\windows\system32\wuapi.dll

+ 2005-09-05 11:23 . 2009-08-06 22:23 215920 c:\windows\system32\muweb.dll

- 2009-12-22 21:10 . 2010-01-25 16:31 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

+ 2009-12-05 18:10 . 2009-08-06 22:23 1929952 c:\windows\system32\wuaueng.dll

+ 2008-10-20 13:18 . 2008-10-20 13:18 6474240 c:\windows\Installer\1302059.msp

+ 2009-12-22 21:10 . 2010-01-28 01:32 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

+ 2009-12-22 21:10 . 2010-01-28 01:32 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

- 2009-12-22 21:10 . 2010-01-25 16:31 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2006-10-27 18:11 . 2006-10-27 18:11 4235560 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WRD12CNV.DLL

.

(((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries and legitimate default entries are not shown.

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1119488]

 

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-18 15:27 1119488 ----a-w- c:\arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1119488]

 

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2009-10-09 25623336]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]

"AVG9_TRAY"="c:\arquiv~1\AVG\AVG9\avgtray.exe" [2010-01-27 2088728]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-12-24 117760]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-01-21 15:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /r \0Partizan.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\system32\\mspaint.exe"=

"c:\\WINDOWS\\system32\\igfxsrvc.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\WINDOWS\\system32\\ping.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\WINDOWS\\system32\\netsh.exe"=

"c:\\Arquivos de programas\\AVG\\AVG9\\avgtray.exe"=

"c:\\Windows\\System32\\cmd.exe"=

"c:\\Arquivos de programas\\AVG\\AVG9\\avgrsx.exe"=

"c:\\Arquivos de programas\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\PEV.exe"=

"c:\\WINDOWS\\RTHDCPL.EXE"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9623:TCP"= 9623:TCP:lpisoe

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

 

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/1/2010 09:32 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/1/2010 09:33 360584]

R1 is-12OL0drv;is-12OL0drv;c:\windows\system32\drivers\93307238.sys [12/1/2010 19:31 148496]

R2 avg9wd;AVG Free WatchDog;c:\arquivos de programas\AVG\AVG9\avgwdsvc.exe [21/1/2010 12:45 285392]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [11/12/2009 03:37 54752]

S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys --> c:\windows\system32\drivers\GbpKm.sys [?]

S2 eetgdngwz.REN;Security System;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 00:45 14336]

S2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe --> c:\arquiv~1\GbPlugin\GbpSv.exe [?]

S3 fsssvc;Serviço Windows Live Proteção para a Família;"c:\arquivos de programas\Windows Live\Family Safety\fsssvc.exe" --> c:\arquivos de programas\Windows Live\Family Safety\fsssvc.exe [?]

S3 XDva281;XDva281;\??\c:\windows\system32\XDva281.sys --> c:\windows\system32\XDva281.sys [?]

S3 XDva297;XDva297;\??\c:\windows\system32\XDva297.sys --> c:\windows\system32\XDva297.sys [?]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

eetgdngwz

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\Office12\EXCEL.EXE/3000

DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://imagem.caixa.gov.br/cab/gbpdist.cab

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\wieu0551.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - google.com.br

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - component: c:\arquivos de programas\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\arquivos de programas\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\arquivos de programas\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\arquivos de programas\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\arquivos de programas\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\arquivos de programas\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\arquivos de programas\Java\jre1.5.0_05\bin\NPJava11.dll

FF - plugin: c:\arquivos de programas\Java\jre1.5.0_05\bin\NPJava12.dll

FF - plugin: c:\arquivos de programas\Java\jre1.5.0_05\bin\NPJava13.dll

FF - plugin: c:\arquivos de programas\Java\jre1.5.0_05\bin\NPJava14.dll

FF - plugin: c:\arquivos de programas\Java\jre1.5.0_05\bin\NPJava32.dll

FF - plugin: c:\arquivos de programas\Java\jre1.5.0_05\bin\NPJPI150_05.dll

FF - plugin: c:\arquivos de programas\Java\jre1.5.0_05\bin\NPOJI610.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

.

------- Associação de arquivos/ficheiros -------

.

txtfile=Notepad.exe "%1"

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-27 23:46

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet014\Services\eetgdngwz]

"ServiceDll"="c:\windows\system32\ojlsa.dll"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'explorer.exe'(1056)

c:\arquiv~1\WINDOW~2\wmpband.dll

c:\windows\system32\WINHTTP.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\AVG\AVG9\avgchsvx.exe

c:\arquivos de programas\AVG\AVG9\avgrsx.exe

c:\arquivos de programas\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\drivers\CDAC11BA.EXE

c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\RTHDCPL.EXE

c:\arquivos de programas\AVG\AVG9\avgnsx.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-01-27 23:50:40 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-01-28 02:50

ComboFix2.txt 2010-01-27 18:45

 

Pré-execução: 13 pasta(s) 42.001.719.296 bytes disponíveis

Pós execução: 14 pasta(s) 41.972.658.176 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

Current=14 Default=14 Failed=13 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

- - End Of File - - 604E36D8818F5657869C11CDE0303464


Please....

Submit the files below for analysis at http://virscan.org

c:\arquivos de programas\wegdjqn.txt

c:\windows\system32\b87B.sys

Paste the links containing the results for each one.



 

 

wegdjqn.txt

 

http://virscan.org/report/4902cde59d807c5f47a36a593d96a48b.html

 

b87B.sys

 

http://virscan.org/report/e8541b64f8b1bb1cbd8e955aa9dfd4d2.html


1. *Delete RegistryFix

2. *Delete SalityRegKeys

3. *Go to Add/Remove Programs and uninstall DrWebCureIt

4. *Open Notepad, then select, copy and paste into it the entire content of the code below:

 

File::

C:\avexport.bat

c:\windows\system32\b87B.sys

c:\windows\system32\ojlsa.dll

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9623:TCP"=-

[-HKEY_LOCAL_MACHINE\System\ControlSet014\Services\eetgdngwz]

Driver::

eetgdngwz

NetSvc::

eetgdngwz

*Save the file to the desktop as CFScript.txt

*Drag the file onto ComboFix as shown in the illustration below:

 

CFScript.gif

 

*Important: while ComboFix is running, do not use the mouse or the keyboard!! To interrupt the process press N or 2.

*Paste the report created at C:\combofix.txt

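As an added example (not part of this thread, and not ComboFix's or the helper's own tooling), a small Python triage script that reads ComboFix-style "registry loading points" lines and flags the same kinds of entry the CFScript above targets: Security Center overrides, non-standard BootExecute entries, enabled firewall exceptions with no resource-string name, and a netsvcs service whose ServiceDll ComboFix dumped. The embedded log is a constructed excerpt modelled on the log posted in this thread.

```python
import re
# Constructed excerpt modelled on the ComboFix log posted in this thread (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \0Partizan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9623:TCP"= 9623:TCP:lpisoe
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eetgdngwz
[HKEY_LOCAL_MACHINE\System\ControlSet014\Services\eetgdngwz]
"ServiceDll"="c:\windows\system32\ojlsa.dll"
"""

def triage(log_text):
    findings, netsvcs = [], set()  # findings: (category, detail); netsvcs: names under svchost -k netsvcs
    section, service_key, in_netsvcs = "", None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_netsvcs = False  # the NetSvcs name list ends at a blank line
            continue
        if line.startswith("["):  # a registry key header opens a new section
            section, in_netsvcs = line.lower(), False
            m = re.search(r"\\services\\([^\]\\]+)\]$", line, re.I)
            service_key = m.group(1).lower() if m else None
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        if in_netsvcs:
            netsvcs.add(line.lower())
        elif "security center" in section and line.endswith("dword:00000001"):
            # AV/firewall state overridden, or its "not running" warnings silenced
            findings.append(("security_center", line.split("=")[0].strip('"')))
        elif line.startswith("BootExecute"):
            # anything besides the stock autochk entry runs before the desktop is up
            for entry in (e.strip() for e in line.split("REG_MULTI_SZ", 1)[1].split("\\0")):
                if entry and not entry.startswith("autocheck autochk"):
                    findings.append(("boot_execute", entry))
        elif "globallyopenports" in section:
            spec = line.split("=", 1)[1].strip()
            # enabled exception whose name is not a localized resource string (@dll,-id)
            if ":Disabled:" not in spec and not spec.split(":")[-1].startswith("@"):
                findings.append(("open_port", spec))
        elif line.startswith('"ServiceDll"') and service_key in netsvcs:
            findings.append(("netsvcs_dll", service_key + " -> " + line.split("=", 1)[1].strip('"')))
    return findings
```

Each finding maps directly onto a CFScript directive: a flagged ServiceDll becomes a File:: and Driver::/NetSvc:: entry, an open port becomes a Registry:: deletion, as in the script above.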
