DavidVr, posted March 4, 2010:

Hi everyone,

I need help removing this file: C:\Windows\System32\drivers\hgumfrg.sys

Both Avira and Malwarebytes detect it as TR/Rootkit.Gen, but neither of them manages to remove it. HijackThis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:59:14, on 04/03/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\PROGRA~1\GbPlugin\GbpSv.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Windows\system32\lxczcoms.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\hijackthis\HiJackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\PROGRA~1\GbPlugin\gbiehAbn.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: setup_9.0.0.722_04.03.2010_02-19.lnk = C:\Users\David Fernandes\Desktop\Virus Removal Tool1\setup_9.0.0.722_04.03.2010_02-19\startup.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O20 - Winlogon Notify: GbPluginAbn - C:\PROGRA~1\GbPlugin\gbiehAbn.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - - C:\PROGRA~1\GbPlugin\GbpSv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 7018 bytes

Thanks,
David
wings, posted March 4, 2010:

Good afternoon.

*Temporarily disable your antivirus: right-click the Avira icon next to the clock > click the "AntiVir Guard enable" option.
*Download ComboFix and save it to the desktop.
*Double-click the Combofix.exe file.
*Accept the licence agreement.
*If the Windows Recovery Console is already installed, ComboFix will continue the process automatically. If it is not, a window like the one below will open. Click [Sim] to accept its installation.
*After the installation, click [Yes] to continue. Be patient and wait until all the steps are complete.
*Important: while ComboFix is running, do not use the mouse or the keyboard! To interrupt the procedure, press N or 2 and then ENTER.
*The program will close automatically and a report (C:\combofix.txt) will be shown.
*Paste it in your next reply.
DavidVr, posted March 5, 2010:

Hello once again! Log below:

ComboFix 10-03-04.02 - David Fernandes 04/03/2010 23:53:34.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.55.1046.18.2047.992 [GMT -3:00]
Executando de: c:\users\David Fernandes\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - drivers: deleted 208 bytes in 1 streams.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-05 to 2010-03-05 ))))))))))))))))))))))))))))
.

2010-03-05 03:03 . 2010-03-05 03:03 -------- d-----w- c:\users\David Fernandes\AppData\Local\temp
2010-03-05 03:03 . 2010-03-05 03:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-05 03:03 . 2010-03-05 03:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-05 03:03 . 2010-03-05 03:03 -------- d-----w- c:\users\David\AppData\Local\temp
2010-03-04 23:54 . 2010-03-04 23:54 7168 ----a-w- c:\windows\system32\drivers\uti1mtk5.sys
2010-03-04 04:43 . 2010-03-04 04:59 -------- d-----w- C:\hijackthis
2010-03-04 03:39 . 2009-10-22 15:54 37392 ----a-w- c:\windows\system32\drivers\15180392.sys
2010-03-04 03:39 . 2009-10-10 01:31 311312 ----a-w- c:\windows\system32\drivers\1518039.sys
2010-03-04 03:39 . 2009-09-25 19:59 128016 ----a-w- c:\windows\system32\drivers\15180391.sys
2010-03-04 02:33 . 2010-03-04 23:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-03-03 16:58 . 2010-03-03 16:58 -------- d-----w- c:\program files\iPod
2010-03-03 16:58 . 2010-03-03 16:59 -------- d-----w- c:\program files\iTunes
2010-03-03 16:43 . 2010-03-04 04:56 -------- d-----w- c:\program files\Unlocker
2010-03-03 16:31 . 2010-03-03 16:31 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-03 03:45 . 2010-03-03 03:45 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-03 03:04 . 2010-03-03 03:04 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\PeerNetworking
2010-03-02 19:54 . 2010-03-02 19:55 -------- d-----w- C:\Shared
2010-02-15 14:07 . 2010-01-11 20:33 789320 ----a-w- c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-15 14:07 . 2010-01-11 20:32 698184 ----a-w- c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-02-14 16:45 . 2010-02-14 16:45 -------- d-----w- c:\users\David Fernandes\AppData\Local\Ubisoft
2010-02-14 16:45 . 2010-02-14 16:45 -------- d-----w- c:\programdata\Ubisoft
2010-02-13 13:37 . 2010-02-13 13:37 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-13 13:36 . 2010-02-13 13:37 -------- d-----w- c:\program files\Common Files\Real
2010-02-13 13:36 . 2010-02-13 13:36 -------- d-----w- c:\program files\Real

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 03:00 . 2006-11-06 01:32 87484 ----a-w- c:\windows\system32\prfc0416.dat
2010-03-05 03:00 . 2006-11-06 01:32 514454 ----a-w- c:\windows\system32\prfh0416.dat
2010-03-05 02:51 . 2008-10-28 01:15 -------- d-----w- c:\programdata\NVIDIA
2010-03-05 02:51 . 2009-10-31 18:05 67777 ----a-w- c:\programdata\nvModes.dat
2010-03-03 16:58 . 2007-10-13 12:36 -------- d-----w- c:\program files\Common Files\Apple
2010-03-03 03:45 . 2009-12-26 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 02:22 . 2009-12-26 23:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-02 23:22 . 2010-01-21 23:44 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\uTorrent
2010-03-02 17:01 . 2007-11-03 21:31 680 ----a-w- c:\users\David Fernandes\AppData\Local\d3d9caps.dat
2010-02-19 23:38 . 2007-10-13 11:49 -------- d-----w- c:\program files\uTorrent
2010-02-18 03:22 . 2010-02-18 03:22 12 ----a-w- c:\users\David Fernandes\AppData\Roaming\cqfyto.dat
2010-02-16 00:40 . 2009-05-16 20:43 -------- d-----w- c:\program files\UBISOFT
2010-02-16 00:40 . 2007-03-08 17:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 12:44 . 2008-07-11 02:24 -------- d-----w- c:\program files\Google
2010-02-02 00:21 . 2010-02-02 00:11 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\DAEMON Tools Lite
2010-02-02 00:12 . 2010-02-02 00:11 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-02-02 00:12 . 2007-10-20 22:34 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-02 00:11 . 2010-02-02 00:11 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-01-31 01:19 . 2007-10-27 15:47 -------- d-----w- c:\program files\Eidos Interactive
2010-01-29 18:56 . 2007-10-13 13:10 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\Apple Computer
2010-01-28 18:48 . 2010-01-28 15:36 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\Winamp
2010-01-28 16:24 . 2010-01-28 15:36 -------- d-----w- c:\program files\Winamp
2010-01-28 15:36 . 2010-01-28 15:36 -------- d-----w- c:\program files\Winamp Detect
2010-01-28 15:22 . 2010-01-28 15:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-27 16:11 . 2010-01-27 16:10 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 16:08 . 2007-11-15 15:20 -------- d-----w- c:\program files\QuickTime
2010-01-23 17:18 . 2010-01-23 17:17 -------- d-----w- c:\program files\dvdSanta
2010-01-07 19:07 . 2009-12-26 21:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:07 . 2009-12-26 21:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 16:45 . 2009-12-29 16:40 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-27 17:08 . 2009-12-27 17:08 24448 ----a-w- c:\windows\system32\drivers\rkhdrv40.sys
2009-12-18 22:57 . 2009-12-18 22:57 676104 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-12 14:15 . 2010-01-28 15:21 178176 ----a-w- c:\windows\system32\unrar.dll

.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-09-27 3768320]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-13 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GbPluginAbn]
2009-10-22 16:01 310824 ----a-w- c:\progra~1\GbPlugin\gbiehAbn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2006-11-02 12:35 125440 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-02-08 22:56 295856 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 21:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
2007-04-19 17:45 74672 ----a-w- c:\program files\Lexmark 1200 Series\LXCZbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 01:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-07-17 18:25 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-19 20:45 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-423846414-3903668000-291553332-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-02 691696]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
R3 uti1mtk5;AVZ Kernel Driver;c:\windows\system32\Drivers\uti1mtk5.sys [2010-03-04 7168]
R3 XDva120;XDva120;c:\windows\system32\XDva120.sys [x]
R3 XDva182;XDva182;c:\windows\system32\XDva182.sys [x]
S0 15180392;15180392 Boot Guard Driver;c:\windows\system32\DRIVERS\15180392.sys [2009-10-22 37392]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-10-22 31080]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 15180391;15180391;c:\windows\system32\DRIVERS\15180391.sys [2009-09-25 128016]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 GbpSv;Gbp Service;c:\progra~1\GbPlugin\GbpSv.exe [2009-10-22 54376]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-10-28 240232]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - hgumfrg
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27]

2010-03-04 c:\windows\Tasks\User_Feed_Synchronization-{333CA22D-B544-4E54-976E-3506E4A8A8AD}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8874}\components\GbMzhAbn.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
- - - - ORFÃOS REMOVIDOS - - - -

AddRemove-Free Audio CD Burner_is1 - c:\program files\DVDVideoSoft\Free Audio CD Burner\unins000.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 00:03
Windows 6.0.6000 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\hgumfrg]
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7b,02,38,8e,d9,07,88,b9,4e,2b,42,e5,8b,25,a7,5e,e8,9d,4e,72,31,86,bd,
6a,59,c0,1e,e7,3e,e3,fa,96,55,c2,c2,4f,52,e9,7a,61,16,82,c5,80,00,6b,ca,94,\
"??"=hex:47,8e,23,9b,3a,39,d8,97,3b,99,cd,b8,11,ac,14,9e

[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0C12&PID_0005\Calibration\0\Type\Axes]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\ w*.*]
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Tempo para conclusão: 2010-03-05 00:05:35
ComboFix-quarantined-files.txt 2010-03-05 03:05

Pré-execução: 9.085.579.264 bytes disponíveis
Pós execução: 9.174.597.632 bytes disponíveis

- - End Of File - - B1CF28E3D5F0FF0BAD7CB0E769421161

Awaiting further instructions.
wings, posted March 5, 2010:

*Open Notepad, then select, copy and paste into it the entire contents of the code below:

FileLook::
c:\windows\system32\drivers\15180392.sys
c:\windows\system32\drivers\1518039.sys
c:\windows\system32\drivers\15180391.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet004\Services\hgumfrg]

*Save the file on the desktop as CFScript.txt
*Drag the file onto ComboFix as shown in the illustration below:
*Important: while ComboFix is running, do not use the mouse or the keyboard! To interrupt the process, press N or 2.
*Paste the report created at C:\combofix.txt
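The O23 service lines in the HijackThis log and the driver lines (R0..S4 and *Deregistered*) in the ComboFix log above are what a helper reads before writing a CFScript like the one in this reply. As an added example (not part of the thread, of HijackThis or of ComboFix), this Python script parses both formats and flags the entries with no vendor, with a binary missing on disk, or that ComboFix reports as deregistered; the sample lines are copied from the logs above and the flag wording is the script's own.

```python
"""Triage of the service/driver entries in HijackThis (O23 lines) and
ComboFix (R0..S4 driver lines and *Deregistered* lines) logs.

Added example for this thread; not part of HijackThis, ComboFix or the posts.
SAMPLE_LOG is copied from the logs above; the flag texts are this script's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServiceEntry:
    source: str             # "hjt" or "combofix"
    name: str               # service/driver short name
    display: str            # display name as printed in the log
    vendor: Optional[str]   # only HijackThis prints a vendor column
    path: str               # binary path, "" when the log shows none
    flags: List[str] = field(default_factory=list)


# HijackThis: "O23 - Service: <display> (<short>) - <vendor> - <path> [(file missing)]"
# An empty vendor column is printed by HijackThis as " - - ".
_HJT_O23 = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) ?- "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
_HJT_NAME = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]*)\))?$")

# ComboFix: "<start> <name>;<display>;<path> [<date> <size>]", with "[x]" when
# the binary is not on disk, plus "*Deregistered* - <name>" lines under
# "Other Services/Drivers In Memory".
_CF_DRIVER = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?) ?\[(?P<info>[^\]]*)\]$"
)
_CF_DEREG = re.compile(r"^\*Deregistered\* - (?P<name>\S+)$")

FLAG_MISSING = "binary missing on disk"
FLAG_NO_VENDOR = "no vendor information"
FLAG_DEREG = "listed by ComboFix as *Deregistered* under Other Services/Drivers In Memory"


def parse_hjt_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HijackThis O23 line; None for any other line."""
    m = _HJT_O23.match(line)
    if not m:
        return None
    nm = _HJT_NAME.match(m.group("name"))
    display, short = nm.group("display"), nm.group("short")
    entry = ServiceEntry("hjt", short or display, display,
                         m.group("vendor").strip(), m.group("path"))
    if m.group("missing"):
        entry.flags.append(FLAG_MISSING)
    if entry.vendor in ("", "Unknown owner"):
        entry.flags.append(FLAG_NO_VENDOR)
    return entry


def parse_combofix_driver(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix driver/service line or *Deregistered* line."""
    m = _CF_DRIVER.match(line)
    if m:
        entry = ServiceEntry("combofix", m.group("name"), m.group("display"),
                             None, m.group("path"))
        if m.group("info") == "x":      # ComboFix prints [x] when the file is absent
            entry.flags.append(FLAG_MISSING)
        return entry
    m = _CF_DEREG.match(line)
    if m:
        return ServiceEntry("combofix", m.group("name"), "", None, "", [FLAG_DEREG])
    return None


def triage(log_text: str) -> List[ServiceEntry]:
    """Return only the entries that earned at least one flag, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_hjt_o23(raw.strip()) or parse_combofix_driver(raw.strip())
        if entry and entry.flags:
            flagged.append(entry)
    return flagged


# Constructed sample: lines copied from the HijackThis and ComboFix logs above.
SAMPLE_LOG = r"""
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gbp Service (GbpSv) - - C:\PROGRA~1\GbPlugin\GbpSv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
R3 uti1mtk5;AVZ Kernel Driver;c:\windows\system32\Drivers\uti1mtk5.sys [2010-03-04 7168]
R3 XDva120;XDva120;c:\windows\system32\XDva120.sys [x]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-10-22 31080]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-10-28 240232]
--- =Outros Serviços/Drivers Na Memória ---
*Deregistered* - hgumfrg
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.source:8} {e.name:16} {e.path or '<no path>'}")
        for f in e.flags:
            print(f"         - {f}")
```

A flag is a reason to look closer, not a verdict: the Avira, Google and NVIDIA entries pass, while the Gbp and Lexmark entries are flagged only because HijackThis printed no vendor for them.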
DavidVr, posted March 5, 2010:

I followed your instructions. Second log below:

ComboFix 10-03-04.05 - David Fernandes 05/03/2010 10:16:01.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.55.1046.18.2047.1219 [GMT -3:00]
Executando de: C:\Users\David Fernandes\Desktop\ComboFix.exe
Comandos utilizados :: C:\Users\David Fernandes\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - drivers: deleted 208 bytes in 1 streams.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-05 to 2010-03-05 ))))))))))))))))))))))))))))
.

2010-03-05 13:23:15 . 2010-03-05 13:23:15 -------- d-----w- C:\Users\Public\AppData\Local\temp
2010-03-05 13:23:15 . 2010-03-05 13:23:15 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-03-05 13:23:15 . 2010-03-05 13:23:15 -------- d-----w- C:\Users\David\AppData\Local\temp
2010-03-04 23:54:45 . 2010-03-04 23:54:57 7168 ----a-w- C:\Windows\system32\drivers\uti1mtk5.sys
2010-03-04 04:43:58 . 2010-03-04 04:59:14 -------- d-----w- C:\hijackthis
2010-03-04 03:39:39 . 2009-10-22 15:54:18 37392 ----a-w- C:\Windows\system32\drivers\15180392.sys
2010-03-04 03:39:39 . 2009-10-10 01:31:02 311312 ----a-w- C:\Windows\system32\drivers\1518039.sys
2010-03-04 03:39:39 . 2009-09-25 19:59:42 128016 ----a-w- C:\Windows\system32\drivers\15180391.sys
2010-03-04 02:33:44 . 2010-03-04 23:47:17 -------- d-----w- C:\ProgramData\Kaspersky Lab
2010-03-03 16:58:16 . 2010-03-03 16:58:16 -------- d-----w- C:\Program Files\iPod
2010-03-03 16:58:13 . 2010-03-03 16:59:05 -------- d-----w- C:\Program Files\iTunes
2010-03-03 16:43:26 . 2010-03-04 04:56:55 -------- d-----w- C:\Program Files\Unlocker
2010-03-03 16:31:27 . 2010-03-03 16:31:27 72488 ----a-w- C:\ProgramData\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-03 03:45:14 . 2010-03-03 03:45:14 5115824 ----a-w- C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-03 03:04:05 . 2010-03-03 03:04:05 -------- d-----w- C:\Users\David Fernandes\AppData\Roaming\PeerNetworking
2010-03-02 19:54:19 . 2010-03-02 19:55:39 -------- d-----w- C:\Shared
2010-02-15 14:07:59 . 2010-01-11 20:33:00 789320 ----a-w- C:\Users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-15 14:07:59 . 2010-01-11 20:32:58 698184 ----a-w- C:\Users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-02-14 16:45:15 . 2010-02-14 16:45:15 -------- d-----w- C:\Users\David Fernandes\AppData\Local\Ubisoft
2010-02-14 16:45:15 . 2010-02-14 16:45:15 -------- d-----w- C:\ProgramData\Ubisoft
2010-02-13 13:37:11 . 2010-02-13 13:37:11 -------- d-----w- C:\Program Files\Common Files\xing shared
2010-02-13 13:36:47 . 2010-02-13 13:37:31 -------- d-----w- C:\Program Files\Common Files\Real
2010-02-13 13:36:47 . 2010-02-13 13:36:47 -------- d-----w- C:\Program Files\Real

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 13:17:19 . 2006-11-06 01:32:59 514454 ----a-w- C:\Windows\system32\prfh0416.dat
2010-03-05 13:17:18 . 2006-11-06 01:32:59 87484 ----a-w- C:\Windows\system32\prfc0416.dat
2010-03-05 13:12:29 . 2009-10-31 18:05:07 67777 ----a-w- C:\ProgramData\nvModes.dat
2010-03-05 13:11:17 . 2008-10-28 01:15:37 -------- d-----w- C:\ProgramData\NVIDIA
2010-03-03 16:58:14 . 2007-10-13 12:36:43 -------- d-----w- C:\Program Files\Common Files\Apple
2010-03-03 03:45:31 . 2009-12-26 21:04:35 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-03 02:22:59 . 2009-12-26 23:37:01 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2010-03-02 23:22:04 . 2010-01-21 23:44:10 -------- d-----w- C:\Users\David Fernandes\AppData\Roaming\uTorrent
2010-03-02 17:01:24 . 2007-11-03 21:31:00 680 ----a-w- C:\Users\David Fernandes\AppData\Local\d3d9caps.dat
2010-02-19 23:38:54 . 2007-10-13 11:49:07 -------- d-----w- C:\Program Files\uTorrent
2010-02-18 03:22:27 . 2010-02-18 03:22:27 12 ----a-w- C:\Users\David Fernandes\AppData\Roaming\cqfyto.dat
2010-02-16 00:40:24 . 2009-05-16 20:43:19 -------- d-----w- C:\Program Files\UBISOFT
2010-02-16 00:40:23 . 2007-03-08 17:04:08 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-02-06 12:44:39 . 2008-07-11 02:24:00 -------- d-----w- C:\Program Files\Google
2010-02-02 00:21:50 . 2010-02-02 00:11:12 -------- d-----w- C:\Users\David Fernandes\AppData\Roaming\DAEMON Tools Lite
2010-02-02 00:12:21 . 2010-02-02 00:11:46 -------- d-----w- C:\Program Files\DAEMON Tools Lite
2010-02-02 00:12:19 . 2007-10-20 22:34:04 691696 ----a-w- C:\Windows\system32\drivers\sptd.sys
2010-02-02 00:11:14 . 2010-02-02 00:11:09 -------- d-----w- C:\ProgramData\DAEMON Tools Lite
2010-01-31 01:19:17 . 2007-10-27 15:47:16 -------- d-----w- C:\Program Files\Eidos Interactive
2010-01-29 18:56:22 . 2007-10-13 13:10:10 -------- d-----w- C:\Users\David Fernandes\AppData\Roaming\Apple Computer
2010-01-28 18:48:19 . 2010-01-28 15:36:18 -------- d-----w- C:\Users\David Fernandes\AppData\Roaming\Winamp
2010-01-28 16:24:18 . 2010-01-28 15:36:18 -------- d-----w- C:\Program Files\Winamp
2010-01-28 15:36:27 . 2010-01-28 15:36:27 -------- d-----w- C:\Program Files\Winamp Detect
2010-01-28 15:22:11 . 2010-01-28 15:21:56 -------- d-----w- C:\Program Files\K-Lite Codec Pack
2010-01-27 16:11:44 . 2010-01-27 16:10:30 -------- d-----w- C:\ProgramData\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 16:08:40 . 2007-11-15 15:20:44 -------- d-----w- C:\Program Files\QuickTime
2010-01-23 17:18:21 . 2010-01-23 17:17:30 -------- d-----w- C:\Program Files\dvdSanta
2010-01-07 19:07:14 . 2009-12-26 21:04:37 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:07:04 . 2009-12-26 21:04:35 19160 ----a-w- C:\Windows\system32\drivers\mbam.sys
2009-12-29 16:45:57 . 2009-12-29 16:40:52 56816 ----a-w- C:\Windows\system32\drivers\avgntflt.sys
2009-12-27 17:08:17 . 2009-12-27 17:08:17 24448 ----a-w- C:\Windows\system32\drivers\rkhdrv40.sys
2009-12-18 22:57:04 . 2009-12-18 22:57:04 676104 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-12 14:15:30 . 2010-01-28 15:21:59 178176 ----a-w- C:\Windows\system32\unrar.dll

.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
--- c:\windows\system32\drivers\1518039.sys ---
Company: Kaspersky Lab
File Description: Klif Mini-Filter [fre_wlh_x86]
File Version: 8.4.0.101 built by: WinDDK
Product Name: Kaspersky™ Anti-Virus ®
Copyright: Copyright © Kaspersky Lab 1996-2009.
Original Filename: KLIF
File size: 311312
Created time: 2010-03-04 03:39:39
Modified time: 2009-10-10 01:31:02
MD5: 64D93EC1218765498C40619427A85A91
SHA1: 5695668698653C1B24ADF47FE4ED11ACA821C9CD

--- c:\windows\system32\drivers\15180391.sys ---
Company: Kaspersky Lab
File Description: Kaspersky Unified Driver
File Version: 6.4.0.11
Product Name: Kaspersky Anti-Virus
Copyright: Copyright © Kaspersky Lab 1997-2009.
Original Filename: KL1.SYS
File size: 128016
Created time: 2010-03-04 03:39:39
Modified time: 2009-09-25 19:59:42
MD5: 7DD41B7AC1FBB1DBF20BB1F4E4FBE58C
SHA1: C763C52F8B0DBB6594F1A81246AE2C27C6F74557

--- c:\windows\system32\drivers\15180392.sys ---
Company: Kaspersky Lab
File Description: Kaspersky Lab Boot Guard Driver
File Version: 9.1.0.0
Product Name: Kaspersky Anti-Virus
Copyright: Copyright © Kaspersky Lab 1997-2009.
Original Filename: KLBG.SYS
File size: 37392
Created time: 2010-03-04 03:39:39
Modified time: 2009-10-22 15:54:18
MD5: A305FAD3719C5DB0C13D1C2BFD08A04D
SHA1: CD7300AE608DB1CA6583736B9648CF36B476F832

((((((((((((((((((((((((((((( SnapShot@2010-03-05_03.03.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-08 15:55:20 . 2010-03-05 13:12:59 62154 C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05:11 . 2010-03-05 13:13:00 54672 C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-10-08 00:43:18 . 2010-03-05 13:13:00 9512 C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-423846414-3903668000-291553332-1000_UserData.bin
- 2010-03-05 02:51:15 . 2010-03-05 02:51:15 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-03-05 13:10:55 . 2010-03-05 13:10:55 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-03-05 02:51:15 . 2010-03-05 02:51:15 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-03-05 13:10:55 . 2010-03-05 13:10:55 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33:01 . 2010-03-05 13:17:18 618272 C:\Windows\System32\perfh009.dat
- 2006-11-02 10:33:01 . 2010-03-05 03:00:06 618272 C:\Windows\System32\perfh009.dat
+ 2006-11-02 10:33:01 . 2010-03-05 13:17:18 107416 C:\Windows\System32\perfc009.dat
- 2006-11-02 10:33:01 . 2010-03-05 03:00:05 107416 C:\Windows\System32\perfc009.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35:32 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-09-27 19:52:02 3768320]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 14:08:47 209153]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-11-11 01:08:18 417792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-02-13 13:36:50 198160]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-02-15 21:07:02 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GbPluginAbn]
2009-10-22 16:01:04 310824 ----a-w- C:\PROGRA~1\GbPlugin\gbiehAbn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2006-11-02 12:35:32 125440 ----a-w- C:\Windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-02-08 22:56:06 295856 ----a-w- C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 21:07:02 141608 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
2007-04-19 17:45:52 74672 ----a-w- C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 01:08:18 417792 ----a-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-07-17 18:25:20 573440 ----a-w- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-19 20:45:12 148888 ----a-w- C:\Program Files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-423846414-3903668000-291553332-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R0 sptd;sptd;C:\Windows\System32\Drivers\sptd.sys [2010-02-02 00:12:19 691696]
R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27:41 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
R3 uti1mtk5;AVZ Kernel Driver;C:\Windows\system32\Drivers\uti1mtk5.sys [2010-03-04 23:54:57 7168]
R3 XDva120;XDva120;C:\Windows\system32\XDva120.sys [x]
R3 XDva182;XDva182;C:\Windows\system32\XDva182.sys [x]
S0 15180392;15180392 Boot Guard Driver;C:\Windows\system32\DRIVERS\15180392.sys [2009-10-22 15:54:18 37392]
S0 GbpKm;Gbp KernelMode;C:\Windows\system32\drivers\GbpKm.sys [2009-10-22 16:06:16 31080]
S0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2009-06-30 11:37:16 28552]
S1 15180391;15180391;C:\Windows\system32\DRIVERS\15180391.sys [2009-09-25 19:59:42 128016]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 17:48:22 108289]
S2 GbpSv;Gbp Service;C:\PROGRA~1\GbPlugin\GbpSv.exe [2009-10-22 16:07:48 54376]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-10-28 01:08:00 240232]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - hgumfrg
.
Conteúdo da pasta 'Tarefas Agendadas' 2010-03-05 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job - C:\Program Files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27:53 . 2009-09-29 03:27:41] 2010-03-05 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job - C:\Program Files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27:53 . 2009-09-29 03:27:41] 2010-03-04 C:\Windows\Tasks\User_Feed_Synchronization-{333CA22D-B544-4E54-976E-3506E4A8A8AD}.job - C:\Windows\system32\msfeedssync.exe [2006-11-02 08:49:06 . 2006-11-02 09:45:26] . . ------- Scan Suplementar ------- . uStart Page = about:blank uInternet Settings,ProxyOverride = *.local IE: E&xportar para o Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - C:\Users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\ FF - component: C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll FF - component: C:\Users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll FF - component: C:\Users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8874}\components\GbMzhAbn.dll FF - component: C:\Users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll FF - plugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: C:\Program Files\Google\Update\1.2.183.17\npGoogleOneClick8.dll FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npwachk.dll FF - plugin: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll FF - plugin: C:\Users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll ---- FIREFOX POLICIES ---- C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js - 
pref("browser.fixup.alternate.suffix", ".com.br"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-03-05 10:23:20 Windows 6.0.6000 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet004\Services\hgumfrg] . --------------------- CHAVES DO REGISTRO BLOQUEADAS --------------------- [HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:7b,02,38,8e,d9,07,88,b9,4e,2b,42,e5,8b,25,a7,5e,e8,9d,4e,72,31,86,bd, 6a,59,c0,1e,e7,3e,e3,fa,96,55,c2,c2,4f,52,e9,7a,61,16,82,c5,80,00,6b,ca,94,\ "??"=hex:47,8e,23,9b,3a,39,d8,97,3b,99,cd,b8,11,ac,14,9e [HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0C12&PID_0005\Calibration\0\Type\Axes] @DACL=(02 0000) [HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\ w*.*] @Allowed: (Read) (RestrictedCode) DUMPHIVE0.003 (REGF) [HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b5 . Tempo para conclusão: 2010-03-05 10:25:42 ComboFix-quarantined-files.txt 2010-03-05 13:25:40 ComboFix2.txt 2010-03-05 03:05:36 Pré-execução: 9.224.822.784 bytes disponíveis Pós execução: 9.183.236.096 bytes disponíveis - - End Of File - - 466F3EFE648C31CAB86E3F46BA5E32F8 Compartilhar este post Link para o post Compartilhar em outros sites
wings (posted March 5, 2010)

1. Open Spybot. In the top menu, click [Mode] > [Advanced] and confirm. Click [Tools] > [Resident]. Uncheck the option Enable Resident "TeaTimer" (general protection of system settings). Close the program.

2. *Open Notepad and select, copy and paste into it the entire contents of the code below:

Killall::
File::
C:\Windows\System32\drivers\hgumfrg.sys
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet004\Services\hgumfrg]
Driver::
hgumfrg

*Save the file to the desktop as CFScript.txt
*Drag the file onto ComboFix as shown in the illustration below:
*Important: while ComboFix is running, do not use the mouse or the keyboard!! To interrupt the process, press N or 2.
*Paste the report created at C:\combofix.txt
DavidVr (posted March 5, 2010)

Here is the new log. I'll have to remove Avira because it keeps starting on its own at reboot...

ComboFix 10-03-04.06 - David Fernandes 05/03/2010 16:55:30.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.55.1046.18.2047.1091 [GMT -3:00]
Executando de: c:\users\David Fernandes\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\David Fernandes\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\windows\System32\drivers\hgumfrg.sys"
.
ADS - drivers: deleted 208 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\drivers\hgumfrg.sys . . . . falha na exclusão
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_hgumfrg
-------\Service_hgumfrg
(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-05 to 2010-03-05 ))))))))))))))))))))))))))))
.
2010-03-05 20:05 . 2010-03-05 20:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-05 20:05 . 2010-03-05 20:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-05 20:05 . 2010-03-05 20:05 -------- d-----w- c:\users\David\AppData\Local\temp
2010-03-05 03:05 . 2010-03-05 20:10 -------- d-----w- c:\users\David Fernandes\AppData\Local\temp
2010-03-04 23:54 . 2010-03-04 23:54 7168 ----a-w- c:\windows\system32\drivers\uti1mtk5.sys
2010-03-04 04:43 . 2010-03-04 04:59 -------- d-----w- C:\hijackthis
2010-03-04 03:39 . 2009-10-22 15:54 37392 ----a-w- c:\windows\system32\drivers\15180392.sys
2010-03-04 03:39 . 2009-10-10 01:31 311312 ----a-w- c:\windows\system32\drivers\1518039.sys
2010-03-04 03:39 . 2009-09-25 19:59 128016 ----a-w- c:\windows\system32\drivers\15180391.sys
2010-03-04 02:33 . 2010-03-04 23:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-03-03 16:58 . 2010-03-03 16:58 -------- d-----w- c:\program files\iPod
2010-03-03 16:58 . 2010-03-03 16:59 -------- d-----w- c:\program files\iTunes
2010-03-03 16:43 . 2010-03-04 04:56 -------- d-----w- c:\program files\Unlocker
2010-03-03 03:04 . 2010-03-03 03:04 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\PeerNetworking
2010-03-02 19:54 . 2010-03-02 19:55 -------- d-----w- C:\Shared
2010-02-18 03:23 . 2010-03-05 20:08 792064 ----a-w- c:\windows\system32\drivers\hgumfrg.sys
2010-02-14 16:45 . 2010-02-14 16:45 -------- d-----w- c:\users\David Fernandes\AppData\Local\Ubisoft
2010-02-14 16:45 . 2010-02-14 16:45 -------- d-----w- c:\programdata\Ubisoft
2010-02-13 13:37 . 2010-02-13 13:37 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-13 13:36 . 2010-02-13 13:37 -------- d-----w- c:\program files\Common Files\Real
2010-02-13 13:36 . 2010-02-13 13:36 -------- d-----w- c:\program files\Real
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 20:09 . 2009-10-31 18:05 67777 ----a-w- c:\programdata\nvModes.dat
2010-03-05 20:08 . 2008-10-28 01:15 -------- d-----w- c:\programdata\NVIDIA
2010-03-05 19:57 . 2006-11-06 01:32 87484 ----a-w- c:\windows\system32\prfc0416.dat
2010-03-05 19:57 . 2006-11-06 01:32 514454 ----a-w- c:\windows\system32\prfh0416.dat
2010-03-03 16:58 . 2007-10-13 12:36 -------- d-----w- c:\program files\Common Files\Apple
2010-03-03 16:31 . 2010-03-03 16:31 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-03 03:45 . 2009-12-26 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 03:45 . 2010-03-03 03:45 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-03 02:22 . 2009-12-26 23:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-02 23:22 . 2010-01-21 23:44 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\uTorrent
2010-03-02 17:01 . 2007-11-03 21:31 680 ----a-w- c:\users\David Fernandes\AppData\Local\d3d9caps.dat
2010-02-19 23:38 . 2007-10-13 11:49 -------- d-----w- c:\program files\uTorrent
2010-02-18 03:22 . 2010-02-18 03:22 12 ----a-w- c:\users\David Fernandes\AppData\Roaming\cqfyto.dat
2010-02-16 00:40 . 2009-05-16 20:43 -------- d-----w- c:\program files\UBISOFT
2010-02-16 00:40 . 2007-03-08 17:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 12:44 . 2008-07-11 02:24 -------- d-----w- c:\program files\Google
2010-02-02 00:21 . 2010-02-02 00:11 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\DAEMON Tools Lite
2010-02-02 00:12 . 2010-02-02 00:11 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-02-02 00:12 . 2007-10-20 22:34 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-02 00:11 . 2010-02-02 00:11 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-01-31 01:19 . 2007-10-27 15:47 -------- d-----w- c:\program files\Eidos Interactive
2010-01-29 18:56 . 2007-10-13 13:10 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\Apple Computer
2010-01-28 18:48 . 2010-01-28 15:36 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\Winamp
2010-01-28 16:24 . 2010-01-28 15:36 -------- d-----w- c:\program files\Winamp
2010-01-28 15:36 . 2010-01-28 15:36 -------- d-----w- c:\program files\Winamp Detect
2010-01-28 15:22 . 2010-01-28 15:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-27 16:11 . 2010-01-27 16:10 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 16:08 . 2007-11-15 15:20 -------- d-----w- c:\program files\QuickTime
2010-01-23 17:18 . 2010-01-23 17:17 -------- d-----w- c:\program files\dvdSanta
2010-01-11 20:33 . 2010-02-15 14:07 789320 ----a-w- c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-01-11 20:32 . 2010-02-15 14:07 698184 ----a-w- c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-01-07 19:07 . 2009-12-26 21:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:07 . 2009-12-26 21:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 16:45 . 2009-12-29 16:40 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-27 17:08 . 2009-12-27 17:08 24448 ----a-w- c:\windows\system32\drivers\rkhdrv40.sys
2009-12-18 22:57 . 2009-12-18 22:57 676104 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-12 14:15 . 2010-01-28 15:21 178176 ----a-w- c:\windows\system32\unrar.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-09-27 3768320]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-13 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
2009-10-22 16:01 310824 ----a-w- c:\progra~1\GbPlugin\gbiehAbn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2006-11-02 12:35 125440 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-02-08 22:56 295856 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 21:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
2007-04-19 17:45 74672 ----a-w- c:\program files\Lexmark 1200 Series\LXCZbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 01:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-07-17 18:25 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-19 20:45 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-423846414-3903668000-291553332-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 133104]
S0 15180392;15180392 Boot Guard Driver;c:\windows\system32\DRIVERS\15180392.sys [2009-10-22 37392]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-10-22 31080]
S1 15180391;15180391;c:\windows\system32\DRIVERS\15180391.sys [2009-09-25 128016]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 GbpSv;Gbp Service;c:\progra~1\GbPlugin\GbpSv.exe [2009-10-22 54376]
.
Conteúdo da pasta 'Tarefas Agendadas'
2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27]
2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27]
2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{333CA22D-B544-4E54-976E-3506E4A8A8AD}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8874}\components\GbMzhAbn.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 17:09
Windows 6.0.6000 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7b,02,38,8e,d9,07,88,b9,4e,2b,42,e5,8b,25,a7,5e,e8,9d,4e,72,31,86,bd,
6a,59,c0,1e,e7,3e,e3,fa,96,55,c2,c2,4f,52,e9,7a,61,16,82,c5,80,00,6b,ca,94,\
"??"=hex:47,8e,23,9b,3a,39,d8,97,3b,99,cd,b8,11,ac,14,9e
[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0C12&PID_0005\Calibration\0\Type\Axes]
@DACL=(02 0000)
[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\ w*.*]
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)
[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\iPod Access for Windows\iPAHelper.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Tempo para conclusão: 2010-03-05 17:16:27 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-03-05 20:16
ComboFix2.txt 2010-03-05 03:05
Pré-execução: 2.699.452.416 bytes disponíveis
Pós execução: 2.243.420.160 bytes disponíveis
- - End Of File - - A7405A225C035CBE017A0D7EF7CDFFA0
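The three things the helper in this thread is reading off these ComboFix logs are the `*Deregistered*` line under "Outros Serviços/Drivers Na Memória" (a driver in memory with no registered service), services printed with `[x]` (registered, but the file is not on disk), and the `falha na exclusão` note that shows the first CFScript run could not delete the file while the driver was loaded. The script below is an added example, not ComboFix's own code and not code posted by anyone in this thread; it extracts those indicators from a log and compares two runs to decide whether a named driver is really gone. The two log excerpts embedded in it are constructed in the format seen in the posts above, not verbatim copies.

```python
"""Pull the removal indicators a ComboFix log carries and compare two runs.

Added example (not ComboFix's own code, not code posted in this thread).
The two excerpts at the bottom are constructed in the format seen in the
thread; they are not verbatim copies of the posted logs.
"""
import re

# "*Deregistered* - <name>": driver ComboFix saw in memory with no service key
DEREG_RE = re.compile(r"^\*Deregistered\*\s*-\s*(?P<name>\S+)")
# "R3 name;display;path [date size]"  or  "... [x]" when the file is missing
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)
# "c:\...\file.sys . . . . falha na exclusão"  (Portuguese ComboFix: deletion failed)
FAILED_RE = re.compile(r"^(?P<path>\S.*?)(?:\s+\.)+\s+falha na exclusão\s*$", re.IGNORECASE)
# created-files list: "<created> . <modified> <size|-------> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})? \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})? (?P<size>\d+|-+) (?P<attr>[-a-z]+) (?P<path>.+)$"
)


def analyze(log: str) -> dict:
    """Return the indicators found in one ComboFix log (paths lower-cased)."""
    deregistered, orphaned, failed, driver_files = [], [], [], []
    for raw in log.splitlines():
        line = raw.strip()
        if m := DEREG_RE.match(line):
            deregistered.append(m["name"])
        elif m := SERVICE_RE.match(line):
            if m["meta"].strip().lower() == "x":
                orphaned.append(m["name"])          # service key present, file absent
        elif m := FAILED_RE.match(line):
            failed.append(m["path"].lower())
        elif m := FILE_RE.match(line):
            path = m["path"].lower()
            if path.endswith(".sys") and "\\drivers\\" in path:
                driver_files.append((path, int(m["size"])))
    return {
        "deregistered": deregistered,
        "orphaned_services": orphaned,
        "failed_deletions": failed,
        "driver_files": driver_files,
    }


def removal_report(before: str, after: str, driver: str, sysfile: str) -> dict:
    """Compare two runs; 'removed' is True only when every indicator is gone in 'after'."""
    b, a = analyze(before), analyze(after)
    name, path = driver.lower(), sysfile.lower()
    present_before = (
        name in (d.lower() for d in b["deregistered"])
        or any(p == path for p, _ in b["driver_files"])
    )
    still_loaded = name in (d.lower() for d in a["deregistered"])
    still_on_disk = any(p == path for p, _ in a["driver_files"])
    still_failing = path in a["failed_deletions"]
    return {
        "present_before": present_before,
        "removed": not (still_loaded or still_on_disk or still_failing),
        "orphaned_after": a["orphaned_services"],
    }


# Constructed excerpt modelled on the normal-mode CFScript run in this thread.
RUN_NORMAL = r"""
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\drivers\hgumfrg.sys . . . . falha na exclusão
.
2010-02-18 03:23 . 2010-03-05 20:08 792064 ----a-w- c:\windows\system32\drivers\hgumfrg.sys
2010-03-04 23:54 . 2010-03-04 23:54 7168 ----a-w- c:\windows\system32\drivers\uti1mtk5.sys
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
R3 XDva120;XDva120;c:\windows\system32\XDva120.sys [x]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-10-22 31080]
--- =Outros Serviços/Drivers Na Memória ---
*Deregistered* - hgumfrg
"""

# Constructed excerpt modelled on a Safe Mode run: the file is listed under
# "Outras Exclusões" with no failure note and nothing is left deregistered.
RUN_SAFE = r"""
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\drivers\hgumfrg.sys
.
2010-03-04 23:54 . 2010-03-04 23:54 7168 ----a-w- c:\windows\system32\drivers\uti1mtk5.sys
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-10-22 31080]
"""

if __name__ == "__main__":
    print(removal_report(RUN_NORMAL, RUN_SAFE, "hgumfrg",
                         r"c:\windows\system32\drivers\hgumfrg.sys"))
```

The created-files list only covers the 30-day window ComboFix prints, so `still_on_disk` is a hint from the log rather than proof; the `[x]` entries it reports (here the leftover Rootkit Unhooker and XDva driver registrations) are stale service keys worth cleaning separately, and the final confirmation is still a fresh scan on the machine after the Safe Mode run.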
wings (posted March 5, 2010)

Delete the file C:\combofix.txt
Repeat the same procedure in Safe Mode. Copy and paste into Notepad the code from the previous post.
DavidVr (posted March 5, 2010)

Run in Safe Mode, this is the log:

ComboFix 10-03-04.06 - David Fernandes 05/03/2010 18:24:03.6.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.55.1046.18.2047.1626 [GMT -3:00]
Executando de: c:\users\David Fernandes\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\David Fernandes\Desktop\CFScript.txt
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\windows\System32\drivers\hgumfrg.sys"
.
ADS - drivers: deleted 208 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\drivers\hgumfrg.sys
.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-05 to 2010-03-05 ))))))))))))))))))))))))))))
.
2010-03-05 21:32 . 2010-03-05 21:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-05 21:32 . 2010-03-05 21:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-05 21:32 . 2010-03-05 21:32 -------- d-----w- c:\users\David\AppData\Local\temp
2010-03-05 21:32 . 2010-03-05 21:32 -------- d-----w- c:\users\David Fernandes\AppData\Local\temp
2010-03-04 23:54 . 2010-03-04 23:54 7168 ----a-w- c:\windows\system32\drivers\uti1mtk5.sys
2010-03-04 04:43 . 2010-03-04 04:59 -------- d-----w- C:\hijackthis
2010-03-04 03:39 . 2009-10-22 15:54 37392 ----a-w- c:\windows\system32\drivers\15180392.sys
2010-03-04 03:39 . 2009-10-10 01:31 311312 ----a-w- c:\windows\system32\drivers\1518039.sys
2010-03-04 03:39 . 2009-09-25 19:59 128016 ----a-w- c:\windows\system32\drivers\15180391.sys
2010-03-04 02:33 . 2010-03-04 23:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-03-03 16:58 . 2010-03-03 16:58 -------- d-----w- c:\program files\iPod
2010-03-03 16:58 . 2010-03-03 16:59 -------- d-----w- c:\program files\iTunes
2010-03-03 16:43 . 2010-03-04 04:56 -------- d-----w- c:\program files\Unlocker
2010-03-03 03:04 . 2010-03-03 03:04 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\PeerNetworking
2010-03-02 19:54 . 2010-03-02 19:55 -------- d-----w- C:\Shared
2010-02-14 16:45 . 2010-02-14 16:45 -------- d-----w- c:\users\David Fernandes\AppData\Local\Ubisoft
2010-02-14 16:45 . 2010-02-14 16:45 -------- d-----w- c:\programdata\Ubisoft
2010-02-13 13:37 . 2010-02-13 13:37 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-13 13:36 . 2010-02-13 13:37 -------- d-----w- c:\program files\Common Files\Real
2010-02-13 13:36 . 2010-02-13 13:36 -------- d-----w- c:\program files\Real
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 21:37 . 2009-10-31 18:05 67777 ----a-w- c:\programdata\nvModes.dat
2010-03-05 21:34 . 2008-10-28 01:15 -------- d-----w- c:\programdata\NVIDIA
2010-03-05 20:39 . 2006-11-06 01:32 87484 ----a-w- c:\windows\system32\prfc0416.dat
2010-03-05 20:39 . 2006-11-06 01:32 514454 ----a-w- c:\windows\system32\prfh0416.dat
2010-03-03 16:58 . 2007-10-13 12:36 -------- d-----w- c:\program files\Common Files\Apple
2010-03-03 16:31 . 2010-03-03 16:31 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-03 03:45 . 2009-12-26 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 03:45 . 2010-03-03 03:45 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-03 02:22 . 2009-12-26 23:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-02 23:22 . 2010-01-21 23:44 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\uTorrent
2010-03-02 17:01 . 2007-11-03 21:31 680 ----a-w- c:\users\David Fernandes\AppData\Local\d3d9caps.dat
2010-02-19 23:38 . 2007-10-13 11:49 -------- d-----w- c:\program files\uTorrent
2010-02-18 03:22 . 2010-02-18 03:22 12 ----a-w- c:\users\David Fernandes\AppData\Roaming\cqfyto.dat
2010-02-16 00:40 . 2009-05-16 20:43 -------- d-----w- c:\program files\UBISOFT
2010-02-16 00:40 . 2007-03-08 17:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 12:44 . 2008-07-11 02:24 -------- d-----w- c:\program files\Google
2010-02-02 00:21 . 2010-02-02 00:11 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\DAEMON Tools Lite
2010-02-02 00:12 . 2007-10-20 22:34 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-02 00:11 . 2010-02-02 00:11 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-01-31 01:19 . 2007-10-27 15:47 -------- d-----w- c:\program files\Eidos Interactive
2010-01-29 18:56 . 2007-10-13 13:10 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\Apple Computer
2010-01-28 18:48 . 2010-01-28 15:36 -------- d-----w- c:\users\David Fernandes\AppData\Roaming\Winamp
2010-01-28 16:24 . 2010-01-28 15:36 -------- d-----w- c:\program files\Winamp
2010-01-28 15:36 . 2010-01-28 15:36 -------- d-----w- c:\program files\Winamp Detect
2010-01-28 15:22 . 2010-01-28 15:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-27 16:11 . 2010-01-27 16:10 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 16:08 . 2007-11-15 15:20 -------- d-----w- c:\program files\QuickTime
2010-01-23 17:18 . 2010-01-23 17:17 -------- d-----w- c:\program files\dvdSanta
2010-01-11 20:33 . 2010-02-15 14:07 789320 ----a-w- c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-01-11 20:32 . 2010-02-15 14:07 698184 ----a-w- c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-01-07 19:07 . 2009-12-26 21:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:07 . 2009-12-26 21:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 16:45 . 2009-12-29 16:40 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-27 17:08 . 2009-12-27 17:08 24448 ----a-w- c:\windows\system32\drivers\rkhdrv40.sys
2009-12-18 22:57 . 2009-12-18 22:57 676104 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-12 14:15 . 2010-01-28 15:21 178176 ----a-w- c:\windows\system32\unrar.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-09-27 3768320]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-13 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
2009-10-22 16:01 310824 ----a-w- c:\progra~1\GbPlugin\gbiehAbn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2006-11-02 12:35 125440 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-02-08 22:56 295856 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 21:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
2007-04-19 17:45 74672 ----a-w- c:\program files\Lexmark 1200 Series\LXCZbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 01:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-07-17 18:25 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-19 20:45 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-423846414-3903668000-291553332-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
R3 uti1mtk5;AVZ Kernel Driver;c:\windows\system32\Drivers\uti1mtk5.sys [2010-03-04 7168]
R3 XDva120;XDva120;c:\windows\system32\XDva120.sys [x]
R3 XDva182;XDva182;c:\windows\system32\XDva182.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-02-02 691696]
S0 15180392;15180392 Boot Guard Driver;c:\windows\system32\DRIVERS\15180392.sys [2009-10-22 37392]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-10-22 31080]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 15180391;15180391;c:\windows\system32\DRIVERS\15180391.sys [2009-09-25 128016]
S2 GbpSv;Gbp Service;c:\progra~1\GbPlugin\GbpSv.exe [2009-10-22 54376]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-10-28 240232]
.
Conteúdo da pasta 'Tarefas Agendadas'
2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27]
2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-29 03:27]
2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{333CA22D-B544-4E54-976E-3506E4A8A8AD}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8874}\components\GbMzhAbn.dll
FF - component: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\users\David Fernandes\AppData\Roaming\Mozilla\Firefox\Profiles\izg8zwtw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 18:37
Windows 6.0.6000 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7b,02,38,8e,d9,07,88,b9,4e,2b,42,e5,8b,25,a7,5e,e8,9d,4e,72,31,86,bd,
6a,59,c0,1e,e7,3e,e3,fa,96,55,c2,c2,4f,52,e9,7a,61,16,82,c5,80,00,6b,ca,94,\
"??"=hex:47,8e,23,9b,3a,39,d8,97,3b,99,cd,b8,11,ac,14,9e
[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0C12&PID_0005\Calibration\0\Type\Axes]
@DACL=(02 0000)
[HKEY_USERS\S-1-5-21-423846414-3903668000-291553332-1000\ w*.*]
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)
[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvvsvc.exe c:\windows\system32\nvvsvc.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\iPod Access for Windows\iPAHelper.exe c:\windows\system32\lxczcoms.exe c:\program files\Common Files\Protexis\License Service\PsiService_2.exe c:\windows\RtHDVCpl.exe c:\windows\system32\wbem\unsecapp.exe c:\windows\ehome\ehmsas.exe c:\windows\system32\conime.exe . ************************************************************************** . Tempo para conclusão: 2010-03-05 18:41:26 - Máquina reiniciou ComboFix-quarantined-files.txt 2010-03-05 21:41 ComboFix2.txt 2010-03-05 03:05 Pré-execução: 4.385.923.072 bytes disponíveis Pós execução: 4.236.513.280 bytes disponíveis - - End Of File - - 60F70ADD6EED32C432C336D056311116 Compartilhar este post Link para o post Compartilhar em outros sites
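The ComboFix log above lists driver and service entries in its R/S notation (R = running, S = stopped; the digit is the Service Control Manager Start value: 0 Boot, 1 System, 2 Auto, 3 Manual, 4 Disabled) and marks entries whose binary is missing with [x]. The script below is an added example, not part of this thread and not code from ComboFix, Avira or Malwarebytes. It performs the follow-up check a practitioner would want after an AV reports a driver such as hgumfrg.sys as TR/Rootkit.Gen but cannot delete it: is the .sys file gone from System32\drivers, is its Services key gone, does the SCM still know it, and which other driver services point at files that no longer exist (the [x] entries). It also reports the EnableLUA policy, which the log shows set to 0 (UAC disabled). The driver name hgumfrg comes from the thread; the function names and the rest are the example's own assumptions, and it is written for PowerShell 2.0 so it would run on a Vista machine of that era.

```powershell
# Added example, not from the original thread or from any tool it mentions.
# Assumptions: run from an elevated PowerShell; 'hgumfrg' is the driver name
# taken from the thread; function names are this example's own.

# ComboFix's start-type digit is the SCM Start value under Services\<name>.
$StartTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-DriverImagePath {
    # Normalise the ImagePath forms drivers use to a plain Win32 path:
    #   \??\C:\...  \SystemRoot\system32\...  system32\DRIVERS\x.sys  C:\...
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim().Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')       { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$') { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^[A-Za-z]:\\')         { return $p }
    return (Join-Path $env:SystemRoot $p)
}

function Test-DriverRemoved {
    # One object per driver name; all three "gone" indicators true means
    # neither the file, the registry entry nor the SCM registration remains.
    param([string[]]$Name)
    foreach ($n in $Name) {
        $file   = Join-Path $env:SystemRoot "System32\drivers\$n.sys"
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        $drv    = Get-WmiObject Win32_SystemDriver -Filter "Name='$n'" -ErrorAction SilentlyContinue
        $state  = 'not registered'
        if ($drv) { $state = $drv.State }
        $startName = $null
        if (Test-Path -LiteralPath $svcKey) {
            $start = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).Start
            if ($start -ne $null) { $startName = $StartTypeNames[[int]$start] }
        }
        New-Object PSObject -Property @{
            Driver         = $n
            FileGone       = -not (Test-Path -LiteralPath $file)
            ServiceKeyGone = -not (Test-Path -LiteralPath $svcKey)
            ScmState       = $state
            StartType      = $startName
        }
    }
}

function Get-OrphanDriverEntries {
    # Driver services (Type 1 = kernel driver, 2 = file system driver) whose
    # binary is missing: the entries a ComboFix listing prints with "[x]".
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and ($props.Type -eq 1 -or $props.Type -eq 2) -and $props.ImagePath) {
            $path = Resolve-DriverImagePath $props.ImagePath
            if (-not (Test-Path -LiteralPath $path)) {
                $startName = $null
                if ($props.Start -ne $null) { $startName = $StartTypeNames[[int]$props.Start] }
                New-Object PSObject -Property @{
                    Service   = $_.PSChildName
                    ImagePath = $props.ImagePath
                    StartType = $startName
                }
            }
        }
    }
}

function Get-EnableLua {
    # The log shows "EnableLUA"= 0, i.e. UAC switched off; 1 is the default.
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($k -and $k.EnableLUA -ne $null) { return [int]$k.EnableLUA }
    return 1
}

Test-DriverRemoved -Name 'hgumfrg' | Format-List
Get-OrphanDriverEntries | Format-Table Service, StartType, ImagePath -AutoSize
"EnableLUA = $(Get-EnableLua)"
```

One caveat that explains why the thread leaned on ComboFix and its catchme rootkit scan rather than on ordinary tools: a kernel rootkit that is still loaded can hide its own file and Services key from exactly the user-mode queries this script makes, so a "gone" result is only trustworthy once the driver is no longer running (after the cleanup reboot, from Safe Mode, or from an offline scan). Orphan entries such as rkhdrv40, XDva120 and XDva182 in the log are leftovers of uninstalled tools and are harmless, but each one is also a start point an attacker could re-point at a new binary, so they are worth deleting once the system is confirmed clean.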
wings
Posted March 5, 2010

OK... log clean.

1.
*Click [Start] > [Run] > type: Combofix /uninstall
*Click [OK]
*Click [Run]
*Wait until the message appears: "ComboFix is uninstalled"
*Click [OK]

2.
*Turn Spybot back on.

Regards.
DavidVr
Posted March 5, 2010

Done. Thank you very much for the help once again!!! :clap: :joia:

David
wings
Posted March 5, 2010

PROBLEM SOLVED!

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.