
ivanindustrial7

[Archived] Malware cdrom.sys


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:27:43, on 20/3/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Arquivos de programas\Fingerprint Sensor\AtService.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r213367\stacsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Kaspersky Lab\NetworkAgent 8\klnagent.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

C:\Arquivos de programas\Dell\Dell ControlPoint\DCPButtonSvc.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Arquivos de programas\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe

C:\Arquivos de programas\Kaspersky Lab\NetworkAgent 8\klnagent.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Arquivos de programas\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Documents and Settings\126064\Configurações locais\Dados de aplicativos\av.exe

C:\Arquivos de programas\IDT\WDM\sttray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Arquivos de programas\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Arquivos de programas\Wave Systems Corp\SecureUpgrade.exe

C:\Arquivos de programas\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\HPPU.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\windows\system32\wuaucldt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Hewlett-Packard\HP Printer Utility DCS\AppInterfaces\HPPUDH.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/5

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/5

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxypac.aernnova.com/proxy.pac

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MI1933~1\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] C:\Arquivos de programas\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Arquivos de programas\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12

O4 - HKLM\..\Run: [WavXMgr] C:\Arquivos de programas\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

O4 - HKLM\..\Run: [secureUpgrade] "C:\Arquivos de programas\Wave Systems Corp\SecureUpgrade.exe"

O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Arquivos de programas\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"

O4 - HKLM\..\Run: [RunPUTasktray] "C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\HPPU.exe" --regkeypath=Software\Hewlett-Packard\HP Printer Utility\HPPURun --valuename=InstallTTM

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [\\manutenção\EPSON Stylus CX5900_Manutenção] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIL.EXE /FU "C:\DOCUME~1\126064\CONFIG~1\Temp\E_S3E.tmp" /EF "HKLM"

O4 - HKLM\..\Run: [\\192.168.2.31\EPSON Stylus CX5900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIL.EXE /FU "C:\DOCUME~1\126064\CONFIG~1\Temp\E_S95.tmp" /EF "HKLM"

O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iSUSPM] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [syncman] c:\documents and settings\126064\wuaucldt.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: syspck32.exe

O4 - Global Startup: Acelerador de inicialização AutoCAD.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe

O4 - Global Startup: Windows Search.lnk = C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Adicionar ao Anti-Banner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://eportal.aernnova.com

O15 - Trusted Zone: http://www.google.com.br

O15 - ESC Trusted Zone: http://runonce.msn.com

O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AERNNOVA.COM

O17 - HKLM\Software\..\Telephony: DomainName = AERNNOVA.COM

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AERNNOVA.COM

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MI1933~1\Office12\GR99D3~1.DLL

O18 - Protocol: HPPUDCS - {522CC7E5-F378-4F97-8BD7-125D17F5B332} - C:\Arquivos de programas\Arquivos comuns\Hewlett-Packard\HP Printer Utility DCS\APP\hplidcsapp.dll

O18 - Protocol: hppufile - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

O18 - Protocol: hppusam - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

O18 - Protocol: hppuzip - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1.0FO\adialhk.dll

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Arquivos de programas\Fingerprint Sensor\AtService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Arquivos de programas\Dell\Dell ControlPoint\DCPButtonSvc.exe

O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Arquivos de programas\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Update Service (gupdate1ca60ae48abe4e2) (gupdate1ca60ae48abe4e2) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Arquivos de programas\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Kaspersky Lab Network Agent (klnagent) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\NetworkAgent 8\klnagent.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Arquivos de programas\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r213367\stacsv.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Arquivos de programas\Arquivos comuns\SureThing Shared\stllssvr.exe

O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Arquivos de programas\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

O23 - Service: TdmService - Wave Systems Corp. - C:\Arquivos de programas\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 15154 bytes


:) Hello ivanindustrial7! Welcome to the Imasters Forum.

--> I suggest that you save or print the instructions below, since at some points you may need to use the computer without internet access:

Download ComboFix

Save it to the Desktop.

* Disable the resident protection of: antivirus, antispyware and firewall (except the Windows one!)

* Close all windows and run the tool.

* PS: Running it from a command is also possible:

* Go to Start --> Run --> Type or paste:

"%userprofile%\desktop\Combofix.exe" /killall

[Image: combofixejr8.gif]

* Click OK.

* At the prompt: "Disclaimer of warranty on software" --> Click Yes.

[Image: RcAuto1.gif]

* If you do not have the Recovery Console (http://support.microsoft.com/kb/307654/pt-br), agree to its installation.

* When it finishes, click Sim or Yes. --> Wait.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(!) If you get the notification "Invalid Win32 application" or some similar message, delete the ComboFix.exe tool and download it again.

* Save it to the Desktop, renamed as: Kombo.exe

* PS: Rename it while saving, not after saving it!

* PS: If any error message appears, run ComboFix.exe in Safe Mode (http://dicasetutoriaisparapc.blogspot.com/2009/11/ferramentas-para-reparar-o-modo-seguro.html). <-- Link!

* PS: If rootkit activity is present, we will get the following notification window:

[Image: Rookit_found.gif]

* PS: Write down these detections and click OK. In that case, post the detections you wrote down in your next reply, together with the requested logs.

* PS: To complete the removals, the tool may need to restart the computer. <-- Wait!

* PS: To avoid problems, follow all the recommendations given.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

* The Auto Scan window will open. --> Wait!

* To finish the removals, ComboFix may restart the computer.

* If necessary, type option ( 1 ) --> Press Enter! --> Wait for it to finish!

* During the scan, avoid touching the mouse or keyboard! <-- Important!

* If, for some reason beyond your control, you need to stop or exit ComboFix, press "N" or "2" --> Press Enter.

<><><><><><><><><><><><>

The ComboFix log will be at C:\ComboFix.txt

_________________________________

--> Please follow the tips in this tutorial to clean your PC with Malwarebytes:

Malwarebytes Anti-Malware tutorial: http://dicasetutoriaisparapc.blogspot.com/2009/10/tutorial-do-malwarebytes-anti-malware.html

In your next reply, post this Malwarebytes log together with the log that will be at C:\ComboFix.txt and a new HijackThis log, and tell us how your PC is after these procedures.

We look forward to your reply.


Thank you very much, I followed all your instructions and I believe the result was perfect; I have already tested everything possible and apparently everything is fine... Thank you very much indeed, you must be really good, given that I am a complete layman on this subject, yet I managed to follow your instructions to the letter and it worked perfectly. The report follows below, as requested: ... Thank you very much again

 

ComboFix 10-03-20.01 - 126064 20/03/2010 20:36:39.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3539.3090 [GMT -3:00]

Executando de: c:\documents and settings\126064\desktop\Combofix.exe

Comandos utilizados :: /killall

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

 

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

ADS - drivers: deleted 304 bytes in 1 streams.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\126064\Dados de aplicativos\avdrn.dat

c:\documents and settings\126064\Menu Iniciar\Programas\Inicializar\syspck32.exe

c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd

C:\Thumbs.db

c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\windows\system32\config\systemprofile\wuaucldt.exe

c:\windows\system32\Thumbs.db

c:\windows\system32\wuaucldt.exe

 

----- BITS: Sites possivelmente infectados -----

 

hxxp://annmf13:8530

estava faltando c:\windows\system32\drivers\cdrom.sys

Cópia restaurada de - c:\system volume information\_restore{39205A96-AF40-408D-ADC1-B5BED4F73C01}\RP221\A0031670.sys

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-20 to 2010-03-20 ))))))))))))))))))))))))))))

.

 

2010-03-20 23:41 . 2008-04-14 12:00 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2010-03-20 23:41 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2010-03-20 21:43 . 2010-03-20 21:43 -------- d-----w- C:\hijackthis

2010-03-20 21:24 . 2010-03-20 21:16 401720 ----a-w- C:\HiJackThis.exe

2010-03-20 10:21 . 2010-03-20 10:21 -------- dc-h--w- c:\documents and settings\All Users\Dados de aplicativos\{52AC600B-5800-407E-99FF-83CD0669760B}

2010-03-20 10:21 . 2010-02-05 09:04 2954656 -c--a-w- c:\documents and settings\All Users\Dados de aplicativos\{52AC600B-5800-407E-99FF-83CD0669760B}\Ad-AwareInstaller.exe

2010-03-20 10:21 . 2010-03-20 10:21 -------- d-----w- c:\arquivos de programas\Lavasoft

2010-03-20 10:21 . 2010-03-20 10:21 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Lavasoft

2010-03-20 00:49 . 2010-03-20 00:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-03-20 00:49 . 2010-03-20 00:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache

2010-03-20 00:49 . 2010-03-20 00:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-03-15 11:22 . 2010-03-15 11:22 -------- d-----w- C:\BACK OUT LOOK 2010 ANB

2010-03-10 18:46 . 2010-03-10 18:46 -------- d-----w- c:\windows\system32\DRM

2010-03-03 16:48 . 2010-03-03 16:48 -------- d-----w- C:\Arquivos de Programas RFB

2010-02-23 11:08 . 2009-10-12 13:39 150016 -c----w- c:\windows\system32\dllcache\rastls.dll

2010-02-23 11:08 . 2009-10-12 13:39 79872 -c----w- c:\windows\system32\dllcache\raschap.dll

2010-02-23 11:08 . 2009-07-17 16:17 1439744 -c----w- c:\windows\system32\dllcache\query.dll

2010-02-23 11:08 . 2009-12-14 07:09 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll

2010-02-23 11:08 . 2009-09-04 21:04 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll

2010-02-23 11:08 . 2009-10-13 10:34 271360 -c----w- c:\windows\system32\dllcache\oakley.dll

2010-02-23 11:08 . 2009-11-27 16:08 28672 -c----w- c:\windows\system32\dllcache\msvidc32.dll

2010-02-23 11:08 . 2009-11-27 16:08 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll

2010-02-23 11:08 . 2009-12-17 07:41 345600 -c----w- c:\windows\system32\dllcache\mspaint.exe

2010-02-21 14:30 . 2010-03-01 23:03 -------- d-----w- c:\arquivos de programas\PokerStars.NET

2010-02-19 10:14 . 2009-10-21 05:39 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll

2010-02-19 10:13 . 2009-10-21 05:39 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll

2010-02-19 10:13 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys

2010-02-19 10:13 . 2009-11-21 15:58 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-20 23:56 . 2008-06-23 11:31 82744 ----a-w- c:\windows\system32\perfc016.dat

2010-03-20 23:56 . 2008-06-23 11:31 481128 ----a-w- c:\windows\system32\perfh016.dat

2010-03-20 23:54 . 2009-09-17 11:46 2138400 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2010-03-20 23:54 . 2009-09-17 11:46 40171296 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-03-20 23:45 . 2009-09-17 11:46 538916 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-03-20 23:45 . 2009-09-17 11:46 202472 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2010-03-20 23:10 . 2009-09-17 11:46 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab

2010-03-20 23:08 . 2009-09-26 00:36 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2010-03-20 00:56 . 2010-03-20 00:56 8 ----a-w- c:\documents and settings\LocalService\Dados de aplicativos\jasltw.dat

2010-03-20 00:46 . 2010-03-20 00:46 8 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\jasltw.dat

2010-03-20 00:46 . 2009-10-04 23:49 -------- d-----w- c:\documents and settings\126064\Dados de aplicativos\Skype

2010-03-19 11:09 . 2009-10-04 23:55 -------- d-----w- c:\documents and settings\126064\Dados de aplicativos\skypePM

2010-02-26 01:16 . 2009-09-15 18:11 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2010-02-20 10:56 . 2009-09-26 00:36 -------- d-----w- c:\arquivos de programas\GbPlugin

2010-02-18 13:20 . 2009-09-26 00:36 30752 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2010-02-13 15:57 . 2010-02-13 15:57 -------- d-----w- c:\documents and settings\126064\Dados de aplicativos\Roxio

2010-02-13 13:50 . 2010-02-13 13:39 -------- d-----w- c:\arquivos de programas\SudokuBlues

2010-02-13 13:48 . 2010-02-13 13:48 -------- d-----w- c:\arquivos de programas\Favorite Fox

2010-02-13 13:38 . 2010-02-13 13:38 282624 ------w- c:\windows\Setup1.exe

2010-02-13 13:38 . 2010-02-13 13:38 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-02-13 01:53 . 2009-10-04 11:50 -------- d-----w- c:\arquivos de programas\eMule

2010-02-09 22:47 . 2009-11-08 20:01 -------- d-----w- c:\arquivos de programas\Google

2010-02-06 00:36 . 2009-10-28 12:34 -------- d-----w- c:\arquivos de programas\Minitab 15

2010-02-06 00:33 . 2009-10-25 00:47 -------- d-----w- c:\arquivos de programas\SolidWorks

2010-02-05 18:28 . 2010-02-05 18:26 -------- d-----w- c:\arquivos de programas\Claro

2010-02-04 10:31 . 2010-02-04 10:31 -------- d-----w- c:\arquivos de programas\EPSON

2010-01-31 13:40 . 2010-01-31 13:27 -------- d-----w- c:\arquivos de programas\CoolSMS

2010-01-26 20:58 . 2009-09-17 12:20 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2010-01-26 10:15 . 2009-09-11 16:58 -------- d-----w- c:\arquivos de programas\Windows Desktop Search

2010-01-08 17:46 . 2010-01-04 10:51 79488 ----a-w- c:\documents and settings\126064\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-31 16:50 . 2008-06-23 11:30 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:08 . 2008-06-23 11:31 916480 ----a-w- c:\windows\system32\wininet.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"

[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]

2009-04-22 13:03 49152 ----a-w- c:\arquivos de programas\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"

[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]

2009-04-22 13:03 49152 ----a-w- c:\arquivos de programas\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RunPUTasktray"="c:\arquivos de programas\Hewlett-Packard\HP Printer Utility\HPPU.exe --regkeypath=Software\Hewlett-Packard\HP Printer Utility\HPPURun --valuename=InstallTTM" [X]

"SysTrayApp"="c:\arquivos de programas\IDT\WDM\sttray.exe" [2009-03-17 483420]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-09-11 148888]

"IAAnotif"="c:\arquivos de programas\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]

"ChangeTPMAuth"="c:\arquivos de programas\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-02-26 184320]

"WavXMgr"="c:\arquivos de programas\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]

"SecureUpgrade"="c:\arquivos de programas\Wave Systems Corp\SecureUpgrade.exe" [2009-04-22 656696]

"EmbassySecurityCheck"="c:\arquivos de programas\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-09-11 2220032]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"\\manutenção\EPSON Stylus CX5900_Manutenção"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBIL.EXE" [2006-02-13 131072]

"\\192.168.2.31\EPSON Stylus CX5900 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBIL.EXE" [2006-02-13 131072]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Acelerador de inicialização AutoCAD.lnk - c:\arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe [2005-3-5 10872]

Windows Search.lnk - c:\arquivos de programas\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"consentpromptbehavioradmin"= 0 (0x0)

"consentpromptbehavioruser"= 0 (0x0)

"enableinstallerdetection"= 0 (0x0)

"enablesecureuiapaths"= 0 (0x0)

"promptonsecuredesktop"= 0 (0x0)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]

2009-10-22 16:01 310824 ------w- c:\arquiv~1\GbPlugin\gbiehAbn.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2010-02-18 13:19 323360 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-147074643-1583691317-747400972-24505\Scripts\Logon\0\0]

"Script"=PushPrinterConnections.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-147074643-1583691317-747400972-24505\Scripts\Logon\1\0]

"Script"=MapeoANB.bat

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

 

[HKLM\~\startupfolder\C:^Documents and Settings^126064^Menu Iniciar^Programas^Inicializar^SolidWorks Task Scheduler Engine.lnk]

path=c:\documents and settings\126064\Menu Iniciar\Programas\Inicializar\SolidWorks Task Scheduler Engine.lnk

backup=c:\windows\pss\SolidWorks Task Scheduler Engine.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Dell ControlPoint System Manager.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Dell ControlPoint System Manager.lnk

backup=c:\windows\pss\Dell ControlPoint System Manager.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2009-02-22 21:51 200704 ----a-w- c:\arquivos de programas\DellTPad\Apoint.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

2009-02-03 13:22 1004544 ----a-w- c:\arquivos de programas\Ares\Ares.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 9]

2009-01-22 13:38 579584 ----a-w- c:\arquivos de programas\Cobian Backup 9\Cobian.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellControlPoint]

2009-03-19 21:25 667648 ----a-w- c:\arquivos de programas\Dell\Dell ControlPoint\Dell.ControlPoint.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2008-12-03 01:30 3882312 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2009-02-05 00:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PUStarter]

2007-05-31 19:15 81920 ----a-w- c:\arquivos de programas\Arquivos comuns\Hewlett-Packard\HP Printer Utility DCS\AppInterfaces\HPPUDS.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]

2007-09-10 06:15 6460696 ----a-r- c:\arquivos de programas\Arquivos comuns\Gerenciador de Instalação do SolidWorks\Scheduler\sldIMScheduler.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USCService]

2009-04-22 18:41 15360 ----a-w- c:\arquivos de programas\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2009-07-01 16:37 37888 ----a-w- c:\arquivos de programas\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\Hewlett-Packard\\HP Printer Utility\\HPPU.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15000:UDP"= 15000:UDP:Kaspersky Administration Kit

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [25/9/2009 21:36 30752]

R2 ATService;AuthenTec Fingerprint Service;c:\arquivos de programas\Fingerprint Sensor\AtService.exe [27/6/2008 13:47 1664248]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\arquivos de programas\Dell\Dell ControlPoint\DCPButtonSvc.exe [29/12/2008 11:07 320800]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\arquivos de programas\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [9/4/2009 14:02 447264]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [25/9/2009 21:36 54048]

R2 klnagent;Kaspersky Lab Network Agent;c:\arquivos de programas\Kaspersky Lab\NetworkAgent 8\klnagent.exe [18/9/2009 16:03 138792]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [11/9/2009 18:39 112512]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/9/2009 18:39 109568]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/5/2007 18:49 24344]

R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [11/9/2009 14:20 232744]

S2 gupdate1ca60ae48abe4e2;Google Update Service (gupdate1ca60ae48abe4e2);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [8/11/2009 17:01 133104]

S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [19/9/2009 21:06 98432]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe

Trusted Zone: aernnova.com\eportal

Trusted Zone: BOEING.COM\SSLVPN

Trusted Zone: google.com.br\www

Trusted Zone: BOEING.COM\SSLVPN

Handler: HPPUDCS - {522CC7E5-F378-4F97-8BD7-125D17F5B332} - c:\arquivos de programas\Arquivos comuns\Hewlett-Packard\HP Printer Utility DCS\APP\hplidcsapp.dll

Handler: hppufile - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - c:\arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

Handler: hppusam - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - c:\arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

Handler: hppuzip - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - c:\arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

.

.

------- Associação de arquivos/ficheiros -------

.

.scr=AutoCADScriptFile

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKCU-Run-CoolSMS - (no file)

HKCU-Run-syncman - c:\documents and settings\126064\wuaucldt.exe

HKLM-Run-syncman - c:\windows\system32\wuaucldt.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-20 20:53

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{93E6CEFD-CA56-59D1-C6A1E22689695F47}\{E62B984B-3624-15D7-6BC3102B23FA8A76}\{D0F98AA7-EDD9-94A9-9F817DE029F1BE16}*]

"YKBG4FY6MRBLZHWNMN5KORGMPA1"=hex:01,00,01,00,00,00,00,00,da,37,90,89,91,09,97,

9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC60A522-920C-52E9-898A41C82F89CB84}\{735C0629-1D81-42E2-E1D6A541CCD3DFCD}\{29AB0373-A17F-9B90-31C1A0C3BE2157F2}*]

"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,

82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(1400)

c:\arquiv~1\GbPlugin\gbiehAbn.dll

c:\arquivos de programas\GbPlugin\gbieh.dll

c:\windows\system32\klogon.dll

 

- - - - - - - > 'lsass.exe'(1456)

c:\windows\system32\wvauth.dll

 

- - - - - - - > 'explorer.exe'(1312)

c:\windows\system32\WININET.dll

c:\windows\system32\igfxdo.dll

c:\arquivos de programas\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

c:\arquivos de programas\Windows Desktop Search\deskbar.dll

c:\arquivos de programas\Windows Desktop Search\pt-br\dbres.dll.mui

c:\arquivos de programas\Windows Desktop Search\dbres.dll

c:\arquivos de programas\Windows Desktop Search\wordwheel.dll

c:\arquivos de programas\Windows Desktop Search\pt-br\msnlExtRes.dll.mui

c:\arquivos de programas\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\arquivos de programas\GbPlugin\gbieh.dll

c:\arquiv~1\GbPlugin\gbiehAbn.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\drivers\audio\r213367\stacsv.exe

c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe

c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\arquivos de programas\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

c:\arquivos de programas\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxsrvc.exe

c:\arquivos de programas\Hewlett-Packard\HP Printer Utility\HPPU.exe

c:\arquivos de programas\Arquivos comuns\Hewlett-Packard\HP Printer Utility DCS\AppInterfaces\HPPUDH.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-03-20 21:00:07 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-03-21 00:00

 

Pré-execução: 35 pasta(s) 111.589.859.328 bytes disponíveis

Pós execução: 38 pasta(s) 111.603.441.664 bytes disponíveis

 

- - End Of File - - B1087B84E828903C3A1F817DC598ADB4

 

 

Thank you... Ivanindustrial7


:) Several problems were removed by Combofix.

________________________________

 

But you still need to run Malwarebytes following the tutorial I gave you and post its log together with a new HijackThis log.

 

We'll be waiting.


I couldn't find the name of this virus. Is it possible to assess the problem from the log below alone? I can't run ComboFix, and it is not recognizing any USB hardware...

 

When I ran Kaspersky in safe mode, it found some trojans in dados de aplicativo\av.exe or ave.exe..\ syspck33.exe \ wuaucldt.exe.vir

 

The log follows below..

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:55:45, on 29/3/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

C:\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/5

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/5

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/5

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.la.dell.com/content/default.aspx?c=br&l=pt&s=gen

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MI1933~1\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RunPUTasktray] "C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\HPPU.exe" --regkeypath=Software\Hewlett-Packard\HP Printer Utility\HPPURun --valuename=InstallTTM

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AERNNOVA.COM

O17 - HKLM\Software\..\Telephony: DomainName = AERNNOVA.COM

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AERNNOVA.COM

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MI1933~1\Office12\GR99D3~1.DLL

O18 - Protocol: HPPUDCS - {522CC7E5-F378-4F97-8BD7-125D17F5B332} - C:\Arquivos de programas\Arquivos comuns\Hewlett-Packard\HP Printer Utility DCS\APP\hplidcsapp.dll

O18 - Protocol: hppufile - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

O18 - Protocol: hppusam - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

O18 - Protocol: hppuzip - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - C:\Arquivos de programas\Hewlett-Packard\HP Printer Utility\hpluCtrls.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Arquivos de programas\Dell\Dell ControlPoint\DCPButtonSvc.exe

O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Arquivos de programas\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Kaspersky Lab Network Agent (klnagent) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\NetworkAgent 8\klnagent.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 7812 bytes


You still need to run Malwarebytes following the tutorial I gave you and post its log so that we can analyze it; please do so.

_______________________________

 

Also follow the tips in these tutorials:

USBFix tutorial: http://dicasetutoriaisparapc.blogspot.com/2009/10/tutorial-do-usbfix.html

Norman Malware Cleaner tutorial

Nod32 Online antivirus tutorial

___________________________

 

In your next reply, post the Nod32 Online log, which will be at C:\Arquivos de programas\Eset\Eset Online Scanner\log.txt, together with a new HijackThis log, the Malwarebytes log and the Norman Malware Cleaner log, and please tell us how your PC is doing after following these procedures. We await your reply.


Topic Archived

Since the author did not reply for more than 30 days, the topic was archived.

If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening it.
