Sels, posted March 2, 2010

Hello,

In the last few days I have noticed strange behaviour on bank websites. At Itaú, for example, when I open the site and enter my branch and account number, I am not identified as I should be, and it asks for card and password details that are not normally requested in that way. I saw the same problem on the Banco do Brasil site. I ran avast! 4.8 and it caught some threats; I also ran Malwarebytes' Anti-Malware and PC Tools Spyware Doctor, and other threats were found and moved to quarantine. I have now downloaded HijackThis and run it as recommended; the log follows.

Thanks.

--------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27:03, on 1/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\xampp\apache\bin\apache.exe
C:\Arquivos de programas\Comodo\Firewall\cmdagent.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Comodo\Firewall\CPF.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\xampp\apache\bin\apache.exe
C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
C:\Arquivos de programas\lg_fwupdate\fwupdate.exe
C:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Arquivos de programas\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Arquivos de programas\ASUS\PC Probe II\Probe2.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\ASUS\AASP\1.00.61\aaCenter.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Hijack\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ns1.natalnosso.info:8082/windows.pac
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Arquivos de programas\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Arquivos de programas\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [securDisc] C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [inCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Arquivos de programas\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [awxDTools] rundll32 C:\ARQUIV~1\arniWORX\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HDAudDeck] C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Arquivos de programas\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iSTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE /P26 "EPSON Stylus CX4500 Series" /M "Stylus CX4500" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Silas Eduardo\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Arquivos de programas\Comodo\Firewall\cmdagent.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\xampp\service.exe

--
End of file - 11333 bytes
wings, posted March 2, 2010

Good evening....

* Temporarily disable your antivirus: right-click the Avast icon that sits next to the clock > select "Pause resident protection" > confirm.
* Download ComboFix and save it to the desktop.
* Double-click the Combofix.exe file.
* Accept the licence agreement.
* If the Windows Recovery Console is already installed, ComboFix will continue the process automatically. If it is not, a window like the one below will open. Click [YES] to accept its installation.
* After the installation, click [YES] to continue.
* Important: while ComboFix is running, do not use the mouse or the keyboard!!..... To interrupt the procedure, press N or 2 and then ENTER.
* The program will close automatically.
* Paste the report created at C:\combofix.txt
Sels, posted March 2, 2010

I did as recommended; the log from the ComboFix.txt file follows.

--------------------------------

ComboFix 10-03-02.02 - Silas Eduardo 02/03/2010 18:34:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2047.1504 [GMT -3:00]
Executando de: C:\Documents and Settings\Silas Eduardo\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 100302-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
ADS - drivers: deleted 204 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Paulo\Meus documentos\MP4\Casting Crown - The Altar And The Door (2007)\Desktop_.ini
C:\Documents and Settings\Paulo\Meus documentos\MP4\Casting_Crowns-Lifesong-2005-RNS\Desktop_.ini
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\Ijl11.dll
C:\WINDOWS\system32\VB6KO.DLL
.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-02 to 2010-03-02 ))))))))))))))))))))))))))))
.
2010-03-02 01:15:54 . 2010-03-02 01:27:03 -------- d-----w- C:\Hijack
2010-02-28 18:20:23 . 2008-12-11 11:38:22 159600 ----a-w- C:\WINDOWS\system32\drivers\pctgntdi.sys
2010-02-28 18:20:16 . 2010-03-02 21:24:06 -------- d---a-w- C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
2010-02-28 18:20:15 . 2009-04-03 14:18:26 130936 ----a-w- C:\WINDOWS\system32\drivers\PCTCore.sys
2010-02-28 18:20:15 . 2008-12-18 15:16:56 73840 ----a-w- C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2010-02-28 18:20:08 . 2010-02-28 18:30:59 -------- d-----w- C:\Arquivos de programas\Arquivos comuns\PC Tools
2010-02-28 18:20:08 . 2008-12-10 14:36:04 64392 ----a-w- C:\WINDOWS\system32\drivers\pctplsg.sys
2010-02-28 18:20:00 . 2010-03-02 12:23:42 -------- d-----w- C:\Arquivos de programas\Spyware Doctor
2010-02-28 18:20:00 . 2010-02-28 18:20:00 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\PC Tools
2010-02-28 18:20:00 . 2010-02-28 18:20:00 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\PC Tools
2010-02-28 03:18:23 . 2010-02-28 03:18:23 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Malwarebytes
2010-02-28 03:18:16 . 2010-01-07 19:07:14 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-02-28 03:18:14 . 2010-02-28 03:18:14 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes
2010-02-28 03:18:12 . 2010-02-28 03:18:20 -------- d-----w- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2010-02-28 03:18:12 . 2010-01-07 19:07:04 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-02-27 20:37:01 . 2009-06-30 12:37:16 28552 ----a-w- C:\WINDOWS\system32\drivers\pavboot.sys
2010-02-27 20:34:40 . 2010-02-27 20:34:40 -------- d-----w- C:\Arquivos de programas\Panda Security
2010-02-20 20:20:15 . 2008-03-21 15:32:28 29184 ----a-w- C:\Documents and Settings\Silas Eduardo\kWab.dll
2010-02-20 20:19:39 . 2010-02-28 02:40:13 24798 ----a-w- C:\Documents and Settings\Silas Eduardo\strike32.zip
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 21:17:38 . 2008-02-21 02:17:08 -------- d-----w- C:\Arquivos de programas\lg_fwupdate
2010-02-27 13:44:29 . 2010-02-27 13:44:29 2232 ----a-w- C:\WINDOWS\java\Packages\Data\Z3F9R5R1.DAT
2010-02-27 13:44:29 . 2010-02-27 13:44:29 155995 ----a-w- C:\WINDOWS\java\Packages\4HB9B31J.ZIP
2010-02-27 13:44:27 . 2010-02-27 13:44:27 2678 ----a-w- C:\WINDOWS\java\Packages\Data\XJHZ7DFN.DAT
2010-02-27 13:44:25 . 2010-02-27 13:44:25 2678 ----a-w- C:\WINDOWS\java\Packages\Data\A7X3H7TB.DAT
2010-02-27 13:44:24 . 2010-02-27 13:44:24 2678 ----a-w- C:\WINDOWS\java\Packages\Data\VJTRRD79.DAT
2010-02-27 13:44:24 . 2010-02-27 13:44:24 2678 ----a-w- C:\WINDOWS\java\Packages\Data\K6044K7B.DAT
2010-02-27 13:44:24 . 2010-02-27 13:44:24 2678 ----a-w- C:\WINDOWS\java\Packages\Data\IMF33X7R.DAT
2010-02-27 01:45:06 . 2008-06-02 23:00:43 -------- d-----w- C:\Arquivos de programas\Java
2010-02-27 00:43:26 . 2009-08-04 23:29:30 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Orbit
2010-02-27 00:13:38 . 2009-08-26 23:13:35 -------- d-----w- C:\Documents and Settings\Audeni\Dados de aplicativos\Orbit
2010-02-26 23:11:15 . 2009-08-05 22:33:03 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2010-02-26 23:11:12 . 2009-08-05 22:33:03 -------- d-----w- C:\Arquivos de programas\GbPlugin
2010-02-25 18:19:34 . 2001-10-28 12:07:18 543888 ----a-w- C:\WINDOWS\system32\perfh016.dat
2010-02-25 18:19:34 . 2001-10-28 12:07:18 109236 ----a-w- C:\WINDOWS\system32\perfc016.dat
2010-02-18 13:20:44 . 2009-08-05 22:33:15 30752 ----a-w- C:\WINDOWS\system32\drivers\gbpkm.sys
2010-02-16 18:45:15 . 2009-04-18 02:40:26 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\uTorrent
2010-01-27 18:03:02 . 2008-02-09 22:51:13 -------- d-----w- C:\Arquivos de programas\Google
2010-01-17 15:57:18 . 2009-01-06 00:07:21 -------- d-----w- C:\Documents and Settings\Audeni\Dados de aplicativos\CyberLink
2010-01-08 00:47:36 . 2010-01-08 00:47:36 152576 ----a-w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-08 00:44:53 . 2009-11-23 20:13:26 79488 -c--a-w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 09:56:13 . 2004-08-04 03:45:28 832512 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-01-05 09:56:07 . 2009-07-25 22:03:19 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
2010-01-05 09:56:06 . 2004-08-04 03:45:22 17408 ----a-w- C:\WINDOWS\system32\corpol.dll
2010-01-05 00:06:30 . 2010-01-05 00:06:30 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Apple Computer
2010-01-05 00:04:20 . 2010-01-05 00:03:55 -------- d-----w- C:\Arquivos de programas\QuickTime
2010-01-05 00:03:54 . 2010-01-05 00:03:54 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer
2010-01-05 00:03:44 . 2010-01-05 00:03:44 -------- d-----w- C:\Arquivos de programas\Arquivos comuns\Apple
2010-01-05 00:03:38 . 2010-01-05 00:03:38 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\Apple
2010-01-05 00:03:38 . 2010-01-05 00:03:38 -------- d-----w- C:\Arquivos de programas\Apple Software Update
2009-12-31 16:14:12 . 2004-08-04 02:14:46 352640 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2009-12-17 07:59:45 . 2008-02-09 21:08:49 345600 ----a-w- C:\WINDOWS\system32\mspaint.exe
2009-12-14 07:36:35 . 2004-08-04 03:45:22 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2009-12-09 10:27:02 . 2004-08-04 03:40:12 2140160 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2009-12-09 10:26:59 . 2004-08-04 00:40:24 2019840 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
2009-12-04 14:41:55 . 2004-08-04 02:15:18 453760 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2009-01-29 00:26:07 . 2009-01-29 00:24:40 3379640 -c--a-w- C:\Arquivos de programas\Shockwave_Installer_SlimBP.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE" [2004-03-03 10:00:00 98304]
"Google Update"="C:\Documents and Settings\Silas Eduardo\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2008-09-02 21:41:39 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Arquivos de programas\Comodo\Firewall\CPF.exe" [2008-02-10 02:18:57 1115728]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 10:56:48 81000]
"SkyTel"="SkyTel.EXE" [2006-05-17 18:04:26 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-31 18:54:36 16116224]
"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 01:55:32 54832]
"LGODDFU"="C:\Arquivos de programas\lg_fwupdate\fwupdate.exe" [2008-10-09 21:34:39 548864]
"NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-01 18:57:24 153136]
"SecurDisc"="C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 18:55:46 1628208]
"InCD"="C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 18:55:26 1057328]
"Ink Monitor"="C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe" [2004-05-05 01:54:34 262210]
"Sony Ericsson PC Suite"="C:\Arquivos de programas\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 04:07:42 593920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 18:31:00 13529088]
"nwiz"="nwiz.exe" [2008-05-16 18:31:00 1630208]
"DAEMON Tools-1033"="C:\Arquivos de programas\D-Tools\daemon.exe" [2004-08-22 19:05:02 81920]
"awxDTools"="C:\ARQUIV~1\arniWORX\AWXDTO~1\awxDTools.dll" [2005-03-17 11:45:26 126976]
"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 03:04:34 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 18:31:00 86016]
"HDAudDeck"="C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-10 03:36:58 29757440]
"Launch PC Probe II"="C:\Arquivos de programas\ASUS\PC Probe II\Probe2.exe" [2008-04-07 16:48:28 2137088]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2009-11-11 01:08:18 417792]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-11 06:17:36 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GbPluginBb"="C:\ARQUIV~1\GbPlugin\gbieh.dll" [2010-02-18 13:19:34 323360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:45:32 15360]

C:\Documents and Settings\Audeni\Menu Iniciar\Programas\Inicializar\
Ferramenta de Verificação de Mídia do PMB.lnk - C:\Arquivos de programas\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-10-17 333088]

C:\Documents and Settings\Paulo\Menu Iniciar\Programas\Inicializar\
Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GbPluginBb]
2010-02-18 13:19:34 323360 ----a-w- C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\UltraVNC\\vncviewer.exe"=
"C:\\Arquivos de programas\\eMule\\emule.exe"=
"C:\\Arquivos de programas\\Sony\\Vegas 7.0\\VegSrv70.exe"=
"C:\\xampp\\apache\\bin\\apache.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Arquivos de programas\\Xfire\\Xfire.exe"=
"C:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=
"C:\\Arquivos de programas\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"C:\\xampp\\mysql\\bin\\mysqld.exe"=
"C:\\Arquivos de programas\\Orbitdownloader\\orbitdm.exe"=
"C:\\Arquivos de programas\\Orbitdownloader\\orbitnet.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"E:\\Counter-Strike Source\\hl2.exe"=
"C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

R0 d347bus;d347bus;C:\WINDOWS\system32\drivers\d347bus.sys [19/10/2008 12:05:56 155136]
R0 d347prt;d347prt;C:\WINDOWS\system32\drivers\d347prt.sys [19/10/2008 12:05:56 5248]
R0 GbpKm;Gbp KernelMode;C:\WINDOWS\system32\drivers\gbpkm.sys [5/8/2009 19:33:15 30752]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [27/2/2010 17:37:01 28552]
R0 PCTCore;PCTools KDS;C:\WINDOWS\system32\drivers\PCTCore.sys [28/2/2010 15:20:15 130936]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [4/4/2008 18:35:50 114768]
R2 Apache2.2;Apache2.2;C:\xampp\apache\bin\apache.exe [20/12/2007 23:00:12 17920]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [4/4/2008 18:35:50 20560]
R2 GbpSv;Gbp Service;C:\ARQUIV~1\GbPlugin\GbpSv.exe [5/8/2009 19:33:14 54048]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\WINDOWS\system32\drivers\viahduaa.sys [14/2/2009 23:29:32 222976]
S0 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [10/2/2008 13:38:46 716272]
S2 XAMPP;XAMPP Service;C:\xampp\service.exe [20/12/2007 23:01:02 60928]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\drivers\ggflt.sys [9/3/2009 21:41:48 13224]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/5/2009 03:27:04 29262680]
S3 sdAuxService;PC Tools Auxiliary Service;C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe [28/2/2010 15:20:03 348752]
S4 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys --> C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [?]
.
Conteúdo da pasta 'Tarefas Agendadas'
.
.
------- Scan Suplementar -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
IE: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Mozilla\Firefox\Profiles\yb4wlkv3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=orkut&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252FHome.aspx&hl=pt-BR&rm=false&passive=true
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 2
FF - plugin: C:\Arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: C:\Arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: C:\Arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
C:\Arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 18:46:22
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX4500 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE /P26 "EPSON Stylus CX4500 Series" /M "Stylus CX4500" /EF "HKCU"????????????????????????????????????????p???W?9~0?6~????*?6~??6~??????8~?????????????????$T???6~????????????????????T???????????W?9~??6~??????6~??6~?$T???????????6~???????????????????????????????|?????????$T???????????????8~s?6~??6~-?7~????????????????????????????????=???0???????4????Y7~????????????????T???????????????T????Y7~????T????????S??????????????X?8~????T???????j?8~T???????8???????????`??

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-484061587-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:ed,01,f8,3c,d3,65,a3,bc,6b,18,b6,a8,ab,76,85,f7,68,1a,fc,1a,b4,
99,80,9b,d2,0c,7a,5e,3a,61,18,3d,02,db,6e,9b,ac,1a,61,e5,56,d6,50,62,9c,f6,\
"rkeysecu"=hex:1c,06,46,38,3d,ce,ac,10,de,b3,e3,f6,c5,76,7a,d3

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(708)
C:\Arquivos de programas\GbPlugin\gbieh.dll
.
Tempo para conclusão: 2010-03-02 18:51:05
ComboFix-quarantined-files.txt 2010-03-02 21:51:03

Pré-execução: 7.630.233.600 bytes disponíveis
Pós execução: 17 pasta(s) 10.981.638.144 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C0F105A5B702FCF42D9059657C5A0078
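The two logs posted above carry the entries that matter most for the symptom Sels describes: the Internet Explorer AutoConfigURL pointing at a PAC file on an outside host (ns1.natalnosso.info, port 8082), and Firefox's network.proxy.type set to 2 (automatic proxy configuration). Together they let a remote proxy script decide where requests for bank domains are sent, which is exactly how a login page can start asking for card details it never asked for before. The Python script below is an added example, not part of this thread and not code from HijackThis or ComboFix. It triages lines of the kind posted in the logs and reports those two proxy settings, plus two weaker indicators that a responder would also want listed: a BHO with no file on disk and a Winsock LSP HijackThis could not identify. The sample lines are copied from the logs in this thread; the CORPORATE_PAC_HOSTS allow-list and the severity labels are this example's own assumptions.

```python
"""Triage helper for HijackThis / ComboFix text logs (added example)."""
import ipaddress
import re
import sys
from urllib.parse import urlsplit

# Hosts a PAC URL may legitimately point at: loopback, RFC 1918 space, or
# a name on this allow-list. The entry below is an assumption for the
# example; fill the set from your own environment.
CORPORATE_PAC_HOSTS = {"proxy.corp.example"}

AUTOCONFIG_RE = re.compile(r"Internet Settings,AutoConfigURL\s*=\s*(\S+)", re.I)
FF_PROXY_RE = re.compile(r"prefs\.js:\s*network\.proxy\.type\s*-\s*(\d+)")
BHO_NOFILE_RE = re.compile(r"^O2 - BHO: .*\(no file\)\s*$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s*(\S+)", re.I)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ns1.natalnosso.info:8082/windows.pac",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    r"FF - prefs.js: network.proxy.type - 2",
]


def is_internal_host(host: str) -> bool:
    """True for loopback/private addresses or allow-listed corporate names."""
    if host.lower() in CORPORATE_PAC_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name that is not on the allow-list
    return addr.is_private or addr.is_loopback


def triage(lines):
    """Scan log lines; return (severity, indicator, detail) tuples in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = AUTOCONFIG_RE.search(line)
        if m:
            url = m.group(1)
            parts = urlsplit(url if "://" in url else "http://" + url)
            host = parts.hostname or ""
            if not is_internal_host(host):
                findings.append(("high", "pac-hijack",
                                 f"AutoConfigURL points at external host "
                                 f"{host}:{parts.port or 80} ({url})"))
            continue
        m = FF_PROXY_RE.search(line)
        if m and m.group(1) == "2":
            # Type 2 means "automatic proxy configuration URL": Firefox will
            # follow whatever PAC is named in network.proxy.autoconfig_url.
            findings.append(("medium", "firefox-auto-proxy",
                             "network.proxy.type=2: Firefox follows a PAC URL; "
                             "check network.proxy.autoconfig_url in prefs.js"))
            continue
        if BHO_NOFILE_RE.match(line):
            findings.append(("low", "orphan-bho", line))
            continue
        m = LSP_RE.match(line)
        if m:
            # Unknown to HijackThis, not necessarily malicious: verify the
            # file's hash and signer before acting on it.
            findings.append(("low", "unknown-lsp", m.group(1)))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    for severity, indicator, detail in triage(lines):
        print(f"[{severity:6}] {indicator}: {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the findings for the sample lines, or pass a saved log file as the first argument. A PAC URL is not malicious in itself, so the script lets an internal address or an allow-listed name pass; anything else is reported at high severity for the responder to resolve, since a PAC on a public host outside the organisation is the setting that lets bank traffic be redirected.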
wings, posted March 3, 2010

* Open Notepad, then select, copy and paste into it the whole content of the code below:

File::
C:\Documents and Settings\Silas Eduardo\kWab.dll

* Save the file to the desktop as CFScript.txt
* Drag the file onto ComboFix as shown in the illustration below:
* Important: while ComboFix is running, do not use the mouse or the keyboard!! To interrupt the process, press N or 2.
* Paste the report created at C:\combofix.txt
Sels
Posted March 3, 2010

Here is the new log.

--------------------------------------
ComboFix 10-03-02.02 - Silas Eduardo 03/03/2010 20:00:59.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2047.1529 [GMT -3:00]
Running from: C:\Documents and Settings\Silas Eduardo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Silas Eduardo\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 100303-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"C:\Documents and Settings\Silas Eduardo\kWab.dll"
.

ADS - drivers: deleted 204 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Silas Eduardo\kWab.dll

.
---- Previous Runs -------
.
C:\Documents and Settings\Paulo\Meus documentos\MP4\Casting Crown - The Altar And The Door (2007)\Desktop_.ini
C:\Documents and Settings\Paulo\Meus documentos\MP4\Casting_Crowns-Lifesong-2005-RNS\Desktop_.ini
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\Ijl11.dll
C:\WINDOWS\system32\VB6KO.DLL

.
(((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 ))))))))))))))))))))))))))))
.

2010-03-02 01:15:54 . 2010-03-02 01:27:03 -------- d-----w- C:\Hijack
2010-02-28 18:20:16 . 2010-03-03 14:52:06 -------- d---a-w- C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
2010-02-28 03:18:23 . 2010-02-28 03:18:23 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Malwarebytes
2010-02-28 03:18:16 . 2010-01-07 19:07:14 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-02-28 03:18:14 . 2010-02-28 03:18:14 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes
2010-02-28 03:18:12 . 2010-02-28 03:18:20 -------- d-----w- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2010-02-28 03:18:12 . 2010-01-07 19:07:04 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-02-27 20:37:01 . 2009-06-30 12:37:16 28552 ----a-w- C:\WINDOWS\system32\drivers\pavboot.sys
2010-02-27 20:34:40 . 2010-02-27 20:34:40 -------- d-----w- C:\Arquivos de programas\Panda Security
2010-02-20 20:19:39 . 2010-02-28 02:40:13 24798 ----a-w- C:\Documents and Settings\Silas Eduardo\strike32.zip

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 21:40:13 . 2008-02-21 02:17:08 -------- d-----w- C:\Arquivos de programas\lg_fwupdate
2010-03-02 22:15:16 . 2010-03-02 22:15:16 16384 ----a-w- C:\WINDOWS\~DF57B2.tmp
2010-03-02 22:15:08 . 2010-03-02 22:15:08 131072 ----a-w- C:\WINDOWS\~DF78CE.tmp
2010-02-27 13:44:29 . 2010-02-27 13:44:29 2232 ----a-w- C:\WINDOWS\java\Packages\Data\Z3F9R5R1.DAT
2010-02-27 13:44:29 . 2010-02-27 13:44:29 155995 ----a-w- C:\WINDOWS\java\Packages\4HB9B31J.ZIP
2010-02-27 13:44:27 . 2010-02-27 13:44:27 2678 ----a-w- C:\WINDOWS\java\Packages\Data\XJHZ7DFN.DAT
2010-02-27 13:44:25 . 2010-02-27 13:44:25 2678 ----a-w- C:\WINDOWS\java\Packages\Data\A7X3H7TB.DAT
2010-02-27 13:44:24 . 2010-02-27 13:44:24 2678 ----a-w- C:\WINDOWS\java\Packages\Data\VJTRRD79.DAT
2010-02-27 13:44:24 . 2010-02-27 13:44:24 2678 ----a-w- C:\WINDOWS\java\Packages\Data\K6044K7B.DAT
2010-02-27 13:44:24 . 2010-02-27 13:44:24 2678 ----a-w- C:\WINDOWS\java\Packages\Data\IMF33X7R.DAT
2010-02-27 01:45:06 . 2008-06-02 23:00:43 -------- d-----w- C:\Arquivos de programas\Java
2010-02-27 00:43:26 . 2009-08-04 23:29:30 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Orbit
2010-02-27 00:13:38 . 2009-08-26 23:13:35 -------- d-----w- C:\Documents and Settings\Audeni\Dados de aplicativos\Orbit
2010-02-26 23:11:15 . 2009-08-05 22:33:03 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2010-02-26 23:11:12 . 2009-08-05 22:33:03 -------- d-----w- C:\Arquivos de programas\GbPlugin
2010-02-25 18:19:34 . 2001-10-28 12:07:18 543888 ----a-w- C:\WINDOWS\system32\perfh016.dat
2010-02-25 18:19:34 . 2001-10-28 12:07:18 109236 ----a-w- C:\WINDOWS\system32\perfc016.dat
2010-02-18 13:20:44 . 2009-08-05 22:33:15 30752 ----a-w- C:\WINDOWS\system32\drivers\gbpkm.sys
2010-02-16 18:45:15 . 2009-04-18 02:40:26 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\uTorrent
2010-01-27 18:03:02 . 2008-02-09 22:51:13 -------- d-----w- C:\Arquivos de programas\Google
2010-01-17 15:57:18 . 2009-01-06 00:07:21 -------- d-----w- C:\Documents and Settings\Audeni\Dados de aplicativos\CyberLink
2010-01-08 00:47:36 . 2010-01-08 00:47:36 152576 ----a-w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-08 00:44:53 . 2009-11-23 20:13:26 79488 -c--a-w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 09:56:13 . 2004-08-04 03:45:28 832512 ------w- C:\WINDOWS\system32\wininet.dll
2010-01-05 09:56:07 . 2009-07-25 22:03:19 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
2010-01-05 09:56:06 . 2004-08-04 03:45:22 17408 ----a-w- C:\WINDOWS\system32\corpol.dll
2010-01-05 00:06:30 . 2010-01-05 00:06:30 -------- d-----w- C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Apple Computer
2010-01-05 00:04:20 . 2010-01-05 00:03:55 -------- d-----w- C:\Arquivos de programas\QuickTime
2010-01-05 00:03:54 . 2010-01-05 00:03:54 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer
2010-01-05 00:03:44 . 2010-01-05 00:03:44 -------- d-----w- C:\Arquivos de programas\Arquivos comuns\Apple
2010-01-05 00:03:38 . 2010-01-05 00:03:38 -------- d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\Apple
2010-01-05 00:03:38 . 2010-01-05 00:03:38 -------- d-----w- C:\Arquivos de programas\Apple Software Update
2009-12-31 16:14:12 . 2004-08-04 02:14:46 352640 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2009-12-17 07:59:45 . 2008-02-09 21:08:49 345600 ----a-w- C:\WINDOWS\system32\mspaint.exe
2009-12-14 07:36:35 . 2004-08-04 03:45:22 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2009-12-09 10:27:02 . 2004-08-04 03:40:12 2140160 ------w- C:\WINDOWS\system32\ntoskrnl.exe
2009-12-09 10:26:59 . 2004-08-04 00:40:24 2019840 ------w- C:\WINDOWS\system32\ntkrnlpa.exe
2009-12-04 14:41:55 . 2004-08-04 02:15:18 453760 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2009-01-29 00:26:07 . 2009-01-29 00:24:40 3379640 -c--a-w- C:\Arquivos de programas\Shockwave_Installer_SlimBP.exe

.
((((((((((((((((((((((((((((( SnapShot@2010-03-02_21.46.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 22:58:54 . 2010-03-03 22:58:54 16384 C:\WINDOWS\Temp\Perflib_Perfdata_604.dat
+ 2010-03-03 22:59:04 . 2010-03-03 22:59:04 16384 C:\WINDOWS\Temp\Perflib_Perfdata_4e8.dat
.
(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE" [2004-03-03 10:00:00 98304]
"Google Update"="C:\Documents and Settings\Silas Eduardo\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2008-09-02 21:41:39 133104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-07-18 03:21:02 257440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Arquivos de programas\Comodo\Firewall\CPF.exe" [2008-02-10 02:18:57 1115728]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 10:56:48 81000]
"SkyTel"="SkyTel.EXE" [2006-05-17 18:04:26 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-31 18:54:36 16116224]
"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 01:55:32 54832]
"LGODDFU"="C:\Arquivos de programas\lg_fwupdate\fwupdate.exe" [2008-10-09 21:34:39 548864]
"NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-01 18:57:24 153136]
"SecurDisc"="C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 18:55:46 1628208]
"InCD"="C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 18:55:26 1057328]
"Ink Monitor"="C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe" [2004-05-05 01:54:34 262210]
"Sony Ericsson PC Suite"="C:\Arquivos de programas\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 04:07:42 593920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 18:31:00 13529088]
"nwiz"="nwiz.exe" [2008-05-16 18:31:00 1630208]
"DAEMON Tools-1033"="C:\Arquivos de programas\D-Tools\daemon.exe" [2004-08-22 19:05:02 81920]
"awxDTools"="C:\ARQUIV~1\arniWORX\AWXDTO~1\awxDTools.dll" [2005-03-17 11:45:26 126976]
"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 03:04:34 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 18:31:00 86016]
"HDAudDeck"="C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-10 03:36:58 29757440]
"Launch PC Probe II"="C:\Arquivos de programas\ASUS\PC Probe II\Probe2.exe" [2008-04-07 16:48:28 2137088]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2009-11-11 01:08:18 417792]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-11 06:17:36 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GbPluginBb"="C:\ARQUIV~1\GbPlugin\gbieh.dll" [2010-02-18 13:19:34 323360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:45:32 15360]

C:\Documents and Settings\Audeni\Menu Iniciar\Programas\Inicializar\
Ferramenta de Verificação de Mídia do PMB.lnk - C:\Arquivos de programas\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-10-17 333088]

C:\Documents and Settings\Paulo\Menu Iniciar\Programas\Inicializar\
Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GbPluginBb]
2010-02-18 13:19:34 323360 ----a-w- C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\UltraVNC\\vncviewer.exe"=
"C:\\Arquivos de programas\\eMule\\emule.exe"=
"C:\\Arquivos de programas\\Sony\\Vegas 7.0\\VegSrv70.exe"=
"C:\\xampp\\apache\\bin\\apache.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Arquivos de programas\\Xfire\\Xfire.exe"=
"C:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=
"C:\\Arquivos de programas\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"C:\\xampp\\mysql\\bin\\mysqld.exe"=
"C:\\Arquivos de programas\\Orbitdownloader\\orbitdm.exe"=
"C:\\Arquivos de programas\\Orbitdownloader\\orbitnet.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"E:\\Counter-Strike Source\\hl2.exe"=
"C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

R0 d347bus;d347bus;C:\WINDOWS\system32\drivers\d347bus.sys [19/10/2008 12:05:56 155136]
R0 d347prt;d347prt;C:\WINDOWS\system32\drivers\d347prt.sys [19/10/2008 12:05:56 5248]
R0 GbpKm;Gbp KernelMode;C:\WINDOWS\system32\drivers\gbpkm.sys [5/8/2009 19:33:15 30752]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [27/2/2010 17:37:01 28552]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [4/4/2008 18:35:50 114768]
R2 Apache2.2;Apache2.2;C:\xampp\apache\bin\apache.exe [20/12/2007 23:00:12 17920]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [4/4/2008 18:35:50 20560]
R2 GbpSv;Gbp Service;C:\ARQUIV~1\GbPlugin\GbpSv.exe [5/8/2009 19:33:14 54048]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\WINDOWS\system32\drivers\viahduaa.sys [14/2/2009 23:29:32 222976]
S0 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [10/2/2008 13:38:46 716272]
S2 XAMPP;XAMPP Service;C:\xampp\service.exe [20/12/2007 23:01:02 60928]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\drivers\ggflt.sys [9/3/2009 21:41:48 13224]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/5/2009 03:27:04 29262680]
S4 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys --> C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [?]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
IE: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - C:\Documents and Settings\Silas Eduardo\Dados de aplicativos\Mozilla\Firefox\Profiles\yb4wlkv3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=orkut&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252FHome.aspx&hl=pt-BR&rm=false&passive=true
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 2
FF - plugin: C:\Arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: C:\Arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: C:\Arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
C:\Arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 20:07:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HDAudDeck = C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????????????

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 EPSON Stylus CX4500 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE /P26 "EPSON Stylus CX4500 Series" /M "Stylus CX4500" /EF "HKCU"????????????????????????????????????????p???W?9~0?6~????*?6~??6~??????8~?????????????????$T???6~????????????????????T???????????W?9~??6~??????6~??6~?$T???????????6~???????????????????????????????|?????????$T???????????????8~s?6~??6~-?7~????????????????????????????????=???0???????4????Y7~????????????????T???????????????T????Y7~????T????????S??????????????X?8~????T???????j?8~T???????8???????????`??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-484061587-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:ed,01,f8,3c,d3,65,a3,bc,6b,18,b6,a8,ab,76,85,f7,68,1a,fc,1a,b4,
   99,80,9b,d2,0c,7a,5e,3a,61,18,3d,02,db,6e,9b,ac,1a,61,e5,56,d6,50,62,9c,f6,\
"rkeysecu"=hex:1c,06,46,38,3d,ce,ac,10,de,b3,e3,f6,c5,76,7a,d3

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
C:\Arquivos de programas\GbPlugin\gbieh.dll
.
Completion time: 2010-03-03 20:09:20
ComboFix-quarantined-files.txt 2010-03-03 23:09:18

Pre-Run: 16 folder(s) 11.021.062.144 bytes free
Post-Run: 17 folder(s) 11.004.538.880 bytes free

- - End Of File - - 0A87525A4089579782F66189C2E11E5F
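As an added example, not part of this thread and not code from ComboFix, HijackThis or GbPlugin: a small Python triage helper that reads ComboFix/HijackThis-style log text and flags the proxy-redirection indicators behind the "bank site asks for card data it never asked for before" symptom, namely an Internet Explorer AutoConfigURL (a PAC script), a Firefox profile whose network.proxy.type is 2 (PAC URL) or 4 (WPAD auto-detect), and a DLL loaded inside winlogon.exe from outside the Windows directory. The sample log inside the block is constructed for the example and modelled on the format of the log above; the PAC host, the `example_hook.dll` path and the analyst-reviewed allowlist (which carries GbPlugin's gbieh.dll only because it appears in the log above) are assumptions, not findings about this machine.

```python
"""Triage helper for ComboFix / HijackThis-style text logs (added example).

Flags proxy-redirection indicators: an IE AutoConfigURL (PAC script), a
Firefox network.proxy.type of 2 (PAC URL) or 4 (WPAD), an explicit Firefox
PAC URL, and a DLL loaded in winlogon.exe from outside the Windows directory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Firefox network.proxy.type values (Mozilla preference semantics).
FIREFOX_PROXY_TYPES = {
    0: "direct connection",
    1: "manual proxy",
    2: "automatic proxy configuration (PAC) URL",
    4: "WPAD auto-detect",
    5: "system proxy settings",
}

# Assumption for this example: DLLs the analyst has already vetted for
# winlogon.exe. GbPlugin's gbieh.dll is listed only because it appears in the
# thread's log; a real tool would load this list from the analyst's own notes.
ANALYST_REVIEWED_WINLOGON_DLLS = {
    r"c:\arquivos de programas\gbplugin\gbieh.dll",
}
WINDOWS_DIR = "c:\\windows\\"

IE_PAC_RE = re.compile(r"AutoConfigURL\s*=\s*(\S+)", re.IGNORECASE)
FF_PROXY_TYPE_RE = re.compile(r"network\.proxy\.type\s*-\s*(\d+)")
FF_PAC_RE = re.compile(r"network\.proxy\.autoconfig_url\s*-\s*(\S+)")
PROCESS_HEADER_RE = re.compile(r"'([^']+\.exe)'\((\d+)\)")   # 'winlogon.exe'(708)
DLL_PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    indicator: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order; an empty list means no indicator matched."""
    findings: List[Finding] = []
    current_process: Optional[str] = None  # set while inside a "DLLs loaded" block

    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()

        m = IE_PAC_RE.search(line)
        if m:
            findings.append(Finding(line_no, "ie_pac_url",
                                    f"IE AutoConfigURL points at {m.group(1)}"))
            continue

        m = FF_PROXY_TYPE_RE.search(line)
        if m:
            proxy_type = int(m.group(1))
            if proxy_type in (2, 4):  # browser fetches its proxy settings from a URL
                findings.append(Finding(line_no, "firefox_proxy_type",
                                        f"network.proxy.type={proxy_type} "
                                        f"({FIREFOX_PROXY_TYPES[proxy_type]})"))
            continue

        m = FF_PAC_RE.search(line)
        if m:
            findings.append(Finding(line_no, "firefox_pac_url",
                                    f"Firefox PAC URL {m.group(1)}"))
            continue

        m = PROCESS_HEADER_RE.search(line)
        if m:
            current_process = m.group(1).lower()
            continue

        if current_process == "winlogon.exe" and DLL_PATH_RE.match(line):
            path = line.lower()
            if not path.startswith(WINDOWS_DIR) and path not in ANALYST_REVIEWED_WINLOGON_DLLS:
                findings.append(Finding(line_no, "winlogon_dll",
                                        f"DLL in winlogon.exe outside %WINDIR%: {line}"))
            continue

        if line in ("", "."):  # ComboFix closes a block with "." or a blank line
            current_process = None

    return findings


# Constructed sample log for the example (format modelled on the thread's logs).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.example.invalid:8082/proxy.pac
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 2
FF - plugin: C:\Arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(708)
C:\Arquivos de programas\GbPlugin\gbieh.dll
C:\Documents and Settings\user\example_hook.dll
.
- - - - - - - > 'explorer.exe'(1432)
C:\Documents and Settings\user\example_hook.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.indicator:<20} {f.detail}")
```

On the log in this post the only hit would be the Firefox line `network.proxy.type - 2`: ComboFix lists the type but not the PAC address, so the cue is to open prefs.js in the listed profile and read `network.proxy.autoconfig_url` (and reset the type to 0 or 5 if the URL is not one the user configured) before treating the machine as clean. The winlogon check deliberately reports only DLLs outside %WINDIR% that the analyst has not reviewed; it is a prompt for review, not a verdict.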
wings
Posted March 4, 2010

OK... the log is clean.

*Click [Start] > [Run] > type: Combofix /uninstall
*Click [OK]
*Click [Run]
*Wait until the message appears: "ComboFix is uninstalled"
*Click [OK]

Regards.
wings
Posted March 5, 2010

PROBLEM SOLVED!
If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.