.matiello, posted May 27, 2010

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 1 !

ComboFix 10-05-23.07 - Marcus 27/05/2010 10:56:50.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2045.1573 [GMT -3:00]
Executando de: c:\documents and settings\Marcus\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Marcus\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Firewall pessoal do ESET *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
 * AV residente está ativo

FILE ::
"c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll"
"c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll"
"c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe"
"c:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll"
"c:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe"
"c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe"
"c:\windows\NiwradSoft Shell Pack\Backup\user32.dll"
"c:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe"
"c:\windows\ServicePackFiles\i386\comctl32.dll"
"c:\windows\ServicePackFiles\i386\ctfmon.exe"
"c:\windows\ServicePackFiles\i386\explorer.exe"
"c:\windows\ServicePackFiles\i386\user32.dll"
"c:\windows\ServicePackFiles\i386\winlogon.exe"
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Marcus\mbr.exe
c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
c:\windows\NiwradSoft Shell Pack\Backup
c:\windows\NiwradSoft Shell Pack\Backup\access.cpl
c:\windows\NiwradSoft Shell Pack\Backup\acctres.dll
c:\windows\NiwradSoft Shell Pack\Backup\accwiz.exe
c:\windows\NiwradSoft Shell Pack\Backup\admparse.dll
c:\windows\NiwradSoft Shell Pack\Backup\ahui.exe
c:\windows\NiwradSoft Shell Pack\Backup\appmgr.dll
c:\windows\NiwradSoft Shell Pack\Backup\asctrls.ocx
c:\windows\NiwradSoft Shell Pack\Backup\Audiodev.dll
c:\windows\NiwradSoft Shell Pack\Backup\avtapi.dll
c:\windows\NiwradSoft Shell Pack\Backup\batmeter.dll
c:\windows\NiwradSoft Shell Pack\Backup\batt.dll
c:\windows\NiwradSoft Shell Pack\Backup\browseui.dll
c:\windows\NiwradSoft Shell Pack\Backup\bthci.dll
c:\windows\NiwradSoft Shell Pack\Backup\cabview.dll
c:\windows\NiwradSoft Shell Pack\Backup\capesnpn.dll
c:\windows\NiwradSoft Shell Pack\Backup\cards.dll
c:\windows\NiwradSoft Shell Pack\Backup\cdfview.dll
c:\windows\NiwradSoft Shell Pack\Backup\certmgr.dll
c:\windows\NiwradSoft Shell Pack\Backup\charmap.exe
c:\windows\NiwradSoft Shell Pack\Backup\ciadmin.dll
c:\windows\NiwradSoft Shell Pack\Backup\cleanmgr.exe
c:\windows\NiwradSoft Shell Pack\Backup\cliconfg.exe
c:\windows\NiwradSoft Shell Pack\Backup\cliconfg.rll
c:\windows\NiwradSoft Shell Pack\Backup\clipbrd.exe
c:\windows\NiwradSoft Shell Pack\Backup\clipsrv.exe
c:\windows\NiwradSoft Shell Pack\Backup\cmd.exe
c:\windows\NiwradSoft Shell Pack\Backup\cmdial32.dll
c:\windows\NiwradSoft Shell Pack\Backup\cmdl32.exe
c:\windows\NiwradSoft Shell Pack\Backup\cmmon32.exe
c:\windows\NiwradSoft Shell Pack\Backup\cmprops.dll
c:\windows\NiwradSoft Shell Pack\Backup\cmstp.exe
c:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll
c:\windows\NiwradSoft Shell Pack\Backup\comdlg32.dll
c:\windows\NiwradSoft Shell Pack\Backup\compatUI.dll
c:\windows\NiwradSoft Shell Pack\Backup\compstui.dll
c:\windows\NiwradSoft Shell Pack\Backup\comres.dll
c:\windows\NiwradSoft Shell Pack\Backup\conime.exe
c:\windows\NiwradSoft Shell Pack\Backup\console.dll
c:\windows\NiwradSoft Shell Pack\Backup\credui.dll
c:\windows\NiwradSoft Shell Pack\Backup\cryptui.dll
c:\windows\NiwradSoft Shell Pack\Backup\cscdll.dll
c:\windows\NiwradSoft Shell Pack\Backup\cscript.exe
c:\windows\NiwradSoft Shell Pack\Backup\cscui.dll
c:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe
c:\windows\NiwradSoft Shell Pack\Backup\dataclen.dll
c:\windows\NiwradSoft Shell Pack\Backup\ddeshare.exe
c:\windows\NiwradSoft Shell Pack\Backup\desk.cpl
c:\windows\NiwradSoft Shell Pack\Backup\deskadp.dll
c:\windows\NiwradSoft Shell Pack\Backup\deskmon.dll
c:\windows\NiwradSoft Shell Pack\Backup\deskperf.dll
c:\windows\NiwradSoft Shell Pack\Backup\devmgr.dll
c:\windows\NiwradSoft Shell Pack\Backup\dfrgres.dll
c:\windows\NiwradSoft Shell Pack\Backup\dfrgui.dll
c:\windows\NiwradSoft Shell Pack\Backup\dfshim.dll
c:\windows\NiwradSoft Shell Pack\Backup\digest.dll
c:\windows\NiwradSoft Shell Pack\Backup\diskcopy.dll
c:\windows\NiwradSoft Shell Pack\Backup\dmdlgs.dll
c:\windows\NiwradSoft Shell Pack\Backup\dmdskres.dll
c:\windows\NiwradSoft Shell Pack\Backup\dpmodemx.dll
c:\windows\NiwradSoft Shell Pack\Backup\dpvoice.dll
c:\windows\NiwradSoft Shell Pack\Backup\drwtsn32.exe
c:\windows\NiwradSoft Shell Pack\Backup\dsprop.dll
c:\windows\NiwradSoft Shell Pack\Backup\dsquery.dll
c:\windows\NiwradSoft Shell Pack\Backup\dsuiext.dll
c:\windows\NiwradSoft Shell Pack\Backup\dvdplay.exe
c:\windows\NiwradSoft Shell Pack\Backup\els.dll
c:\windows\NiwradSoft Shell Pack\Backup\eqnclass.dll
c:\windows\NiwradSoft Shell Pack\Backup\eventvwr.exe
c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe
c:\windows\NiwradSoft Shell Pack\Backup\fde.dll
c:\windows\NiwradSoft Shell Pack\Backup\filemgmt.dll
c:\windows\NiwradSoft Shell Pack\Backup\fldrclnr.dll
c:\windows\NiwradSoft Shell Pack\Backup\fontext.dll
c:\windows\NiwradSoft Shell Pack\Backup\fsusd.dll
c:\windows\NiwradSoft Shell Pack\Backup\gcdef.dll
c:\windows\NiwradSoft Shell Pack\Backup\gpedit.dll
c:\windows\NiwradSoft Shell Pack\Backup\gptext.dll
c:\windows\NiwradSoft Shell Pack\Backup\grpconv.exe
c:\windows\NiwradSoft Shell Pack\Backup\hdwwiz.cpl
c:\windows\NiwradSoft Shell Pack\Backup\helpctr.exe
c:\windows\NiwradSoft Shell Pack\Backup\hnetcfg.dll
c:\windows\NiwradSoft Shell Pack\Backup\hnetwiz.dll
c:\windows\NiwradSoft Shell Pack\Backup\hotplug.dll
c:\windows\NiwradSoft Shell Pack\Backup\hticons.dll
c:\windows\NiwradSoft Shell Pack\Backup\hypertrm.exe
c:\windows\NiwradSoft Shell Pack\Backup\icmui.dll
c:\windows\NiwradSoft Shell Pack\Backup\icwdial.dll
c:\windows\NiwradSoft Shell Pack\Backup\ieaksie.dll
c:\windows\NiwradSoft Shell Pack\Backup\ieakui.dll
c:\windows\NiwradSoft Shell Pack\Backup\iepeers.dll
c:\windows\NiwradSoft Shell Pack\Backup\iernonce.dll
c:\windows\NiwradSoft Shell Pack\Backup\iesetup.dll
c:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe
c:\windows\NiwradSoft Shell Pack\Backup\inetcpl.cpl
c:\windows\NiwradSoft Shell Pack\Backup\inetcplc.dll
c:\windows\NiwradSoft Shell Pack\Backup\inetppui.dll
c:\windows\NiwradSoft Shell Pack\Backup\inetres.dll
c:\windows\NiwradSoft Shell Pack\Backup\input.dll
c:\windows\NiwradSoft Shell Pack\Backup\intl.cpl
c:\windows\NiwradSoft Shell Pack\Backup\ipsecsnp.dll
c:\windows\NiwradSoft Shell Pack\Backup\ipsmsnap.dll
c:\windows\NiwradSoft Shell Pack\Backup\irclass.dll
c:\windows\NiwradSoft Shell Pack\Backup\irprops.cpl
c:\windows\NiwradSoft Shell Pack\Backup\isign32.dll
c:\windows\NiwradSoft Shell Pack\Backup\itss.dll
c:\windows\NiwradSoft Shell Pack\Backup\ivfsrc.ax
c:\windows\NiwradSoft Shell Pack\Backup\jobexec.dll
c:\windows\NiwradSoft Shell Pack\Backup\joy.cpl
c:\windows\NiwradSoft Shell Pack\Backup\keymgr.dll
c:\windows\NiwradSoft Shell Pack\Backup\localsec.dll
c:\windows\NiwradSoft Shell Pack\Backup\logonui.exe
c:\windows\NiwradSoft Shell Pack\Backup\magnify.exe
c:\windows\NiwradSoft Shell Pack\Backup\main.cpl
c:\windows\NiwradSoft Shell Pack\Backup\mapi32.dll
c:\windows\NiwradSoft Shell Pack\Backup\mapistub.dll
c:\windows\NiwradSoft Shell Pack\Backup\mdminst.dll
c:\windows\NiwradSoft Shell Pack\Backup\mdwmdmsp.dll
c:\windows\NiwradSoft Shell Pack\Backup\midimap.dll
c:\windows\NiwradSoft Shell Pack\Backup\migpwd.exe
c:\windows\NiwradSoft Shell Pack\Backup\migwiz.exe
c:\windows\NiwradSoft Shell Pack\Backup\mmc.exe
c:\windows\NiwradSoft Shell Pack\Backup\mmcbase.dll
c:\windows\NiwradSoft Shell Pack\Backup\mmcndmgr.dll
c:\windows\NiwradSoft Shell Pack\Backup\mmcshext.dll
c:\windows\NiwradSoft Shell Pack\Backup\mmsys.cpl
c:\windows\NiwradSoft Shell Pack\Backup\mnmsrvc.exe
c:\windows\NiwradSoft Shell Pack\Backup\mobsync.dll
c:\windows\NiwradSoft Shell Pack\Backup\mobsync.exe
c:\windows\NiwradSoft Shell Pack\Backup\modemui.dll
c:\windows\NiwradSoft Shell Pack\Backup\moricons.dll
c:\windows\NiwradSoft Shell Pack\Backup\moviemk.exe
c:\windows\NiwradSoft Shell Pack\Backup\mplay32.exe
c:\windows\NiwradSoft Shell Pack\Backup\mprui.dll
c:\windows\NiwradSoft Shell Pack\Backup\mqsnap.dll
c:\windows\NiwradSoft Shell Pack\Backup\mqutil.dll
c:\windows\NiwradSoft Shell Pack\Backup\msconf.dll
c:\windows\NiwradSoft Shell Pack\Backup\msconfig.exe
c:\windows\NiwradSoft Shell Pack\Backup\mscorier.dll
c:\windows\NiwradSoft Shell Pack\Backup\msdxm.ocx
c:\windows\NiwradSoft Shell Pack\Backup\msgina.dll
c:\windows\NiwradSoft Shell Pack\Backup\mshearts.exe
c:\windows\NiwradSoft Shell Pack\Backup\mshta.exe
c:\windows\NiwradSoft Shell Pack\Backup\mshtml.dll
c:\windows\NiwradSoft Shell Pack\Backup\msi.dll
c:\windows\NiwradSoft Shell Pack\Backup\msident.dll
c:\windows\NiwradSoft Shell Pack\Backup\msidntld.dll
c:\windows\NiwradSoft Shell Pack\Backup\msieftp.dll
c:\windows\NiwradSoft Shell Pack\Backup\msiexec.exe
c:\windows\NiwradSoft Shell Pack\Backup\msihnd.dll
c:\windows\NiwradSoft Shell Pack\Backup\msimn.exe
c:\windows\NiwradSoft Shell Pack\Backup\msinfo32.exe
c:\windows\NiwradSoft Shell Pack\Backup\msoeres.dll
c:\windows\NiwradSoft Shell Pack\Backup\mspaint.exe
c:\windows\NiwradSoft Shell Pack\Backup\msratelc.dll
c:\windows\NiwradSoft Shell Pack\Backup\msrating.dll
c:\windows\NiwradSoft Shell Pack\Backup\msshavmsg.dll
c:\windows\NiwradSoft Shell Pack\Backup\mstask.dll
c:\windows\NiwradSoft Shell Pack\Backup\mstsc.exe
c:\windows\NiwradSoft Shell Pack\Backup\mstscax.dll
c:\windows\NiwradSoft Shell Pack\Backup\msutb.dll
c:\windows\NiwradSoft Shell Pack\Backup\msvfw32.dll
c:\windows\NiwradSoft Shell Pack\Backup\msxml.dll
c:\windows\NiwradSoft Shell Pack\Backup\msxml2.dll
c:\windows\NiwradSoft Shell Pack\Backup\msxml3.dll
c:\windows\NiwradSoft Shell Pack\Backup\mycomput.dll
c:\windows\NiwradSoft Shell Pack\Backup\mydocs.dll
c:\windows\NiwradSoft Shell Pack\Backup\ncpa.cpl
c:\windows\NiwradSoft Shell Pack\Backup\netid.dll
c:\windows\NiwradSoft Shell Pack\Backup\netplwiz.dll
c:\windows\NiwradSoft Shell Pack\Backup\netsetup.exe
c:\windows\NiwradSoft Shell Pack\Backup\netshell.dll
c:\windows\NiwradSoft Shell Pack\Backup\newdev.dll
c:\windows\NiwradSoft Shell Pack\Backup\notepad.exe
c:\windows\NiwradSoft Shell Pack\Backup\nslookup.exe
c:\windows\NiwradSoft Shell Pack\Backup\ntbackup.exe
c:\windows\NiwradSoft Shell Pack\Backup\ntkrnlpa.exe
c:\windows\NiwradSoft Shell Pack\Backup\ntlanui2.dll
c:\windows\NiwradSoft Shell Pack\Backup\ntoskrnl.exe
c:\windows\NiwradSoft Shell Pack\Backup\ntsd.exe
c:\windows\NiwradSoft Shell Pack\Backup\ntshrui.dll
c:\windows\NiwradSoft Shell Pack\Backup\nusrmgr.cpl
c:\windows\NiwradSoft Shell Pack\Backup\objsel.dll
c:\windows\NiwradSoft Shell Pack\Backup\occache.dll
c:\windows\NiwradSoft Shell Pack\Backup\odbcad32.exe
c:\windows\NiwradSoft Shell Pack\Backup\odbccp32.cpl
c:\windows\NiwradSoft Shell Pack\Backup\odbcint.dll
c:\windows\NiwradSoft Shell Pack\Backup\ole32.dll
c:\windows\NiwradSoft Shell Pack\Backup\osk.exe
c:\windows\NiwradSoft Shell Pack\Backup\osuninst.dll
c:\windows\NiwradSoft Shell Pack\Backup\osuninst.exe
c:\windows\NiwradSoft Shell Pack\Backup\packager.exe
c:\windows\NiwradSoft Shell Pack\Backup\pautoenr.dll
c:\windows\NiwradSoft Shell Pack\Backup\perfmon.exe
c:\windows\NiwradSoft Shell Pack\Backup\photowiz.dll
c:\windows\NiwradSoft Shell Pack\Backup\pifmgr.dll
c:\windows\NiwradSoft Shell Pack\Backup\powercfg.cpl
c:\windows\NiwradSoft Shell Pack\Backup\printui.dll
c:\windows\NiwradSoft Shell Pack\Backup\progman.exe
c:\windows\NiwradSoft Shell Pack\Backup\proquota.exe
c:\windows\NiwradSoft Shell Pack\Backup\psbase.dll
c:\windows\NiwradSoft Shell Pack\Backup\quartz.dll
c:\windows\NiwradSoft Shell Pack\Backup\rasdlg.dll
c:\windows\NiwradSoft Shell Pack\Backup\rasphone.exe
c:\windows\NiwradSoft Shell Pack\Backup\rcimlby.exe
c:\windows\NiwradSoft Shell Pack\Backup\regedit.exe
c:\windows\NiwradSoft Shell Pack\Backup\regwizc.dll
c:\windows\NiwradSoft Shell Pack\Backup\remotepg.dll
c:\windows\NiwradSoft Shell Pack\Backup\rstrui.exe
c:\windows\NiwradSoft Shell Pack\Backup\rtcshare.exe
c:\windows\NiwradSoft Shell Pack\Backup\rundll32.exe
c:\windows\NiwradSoft Shell Pack\Backup\sapi.cpl
c:\windows\NiwradSoft Shell Pack\Backup\scrobj.dll
c:\windows\NiwradSoft Shell Pack\Backup\sendmail.dll
c:\windows\NiwradSoft Shell Pack\Backup\servdeps.dll
c:\windows\NiwradSoft Shell Pack\Backup\setup.exe
c:\windows\NiwradSoft Shell Pack\Backup\setup_wm.exe
c:\windows\NiwradSoft Shell Pack\Backup\setupapi.dll
c:\windows\NiwradSoft Shell Pack\Backup\sfc_os.dll
c:\windows\NiwradSoft Shell Pack\Backup\shdoclc.dll
c:\windows\NiwradSoft Shell Pack\Backup\shdocvw.dll
c:\windows\NiwradSoft Shell Pack\Backup\shell32.dll
c:\windows\NiwradSoft Shell Pack\Backup\shimgvw.dll
c:\windows\NiwradSoft Shell Pack\Backup\shrpubw.exe
c:\windows\NiwradSoft Shell Pack\Backup\shscrap.dll
c:\windows\NiwradSoft Shell Pack\Backup\sigverif.exe
c:\windows\NiwradSoft Shell Pack\Backup\sndrec32.exe
c:\windows\NiwradSoft Shell Pack\Backup\sndvol32.exe
c:\windows\NiwradSoft Shell Pack\Backup\sol.exe
c:\windows\NiwradSoft Shell Pack\Backup\spider.exe
c:\windows\NiwradSoft Shell Pack\Backup\srchui.dll
c:\windows\NiwradSoft Shell Pack\Backup\srclient.dll
c:\windows\NiwradSoft Shell Pack\Backup\srrstr.dll
c:\windows\NiwradSoft Shell Pack\Backup\sti.dll
c:\windows\NiwradSoft Shell Pack\Backup\sti_ci.dll
c:\windows\NiwradSoft Shell Pack\Backup\stimon.exe
c:\windows\NiwradSoft Shell Pack\Backup\stobject.dll
c:\windows\NiwradSoft Shell Pack\Backup\storprop.dll
c:\windows\NiwradSoft Shell Pack\Backup\sxs.dll
c:\windows\NiwradSoft Shell Pack\Backup\syncapp.exe
c:\windows\NiwradSoft Shell Pack\Backup\syncui.dll
c:\windows\NiwradSoft Shell Pack\Backup\sysdm.cpl
c:\windows\NiwradSoft Shell Pack\Backup\syskey.exe
c:\windows\NiwradSoft Shell Pack\Backup\sysmon.ocx
c:\windows\NiwradSoft Shell Pack\Backup\sysocmgr.exe
c:\windows\NiwradSoft Shell Pack\Backup\syssetup.dll
c:\windows\NiwradSoft Shell Pack\Backup\tapiui.dll
c:\windows\NiwradSoft Shell Pack\Backup\taskmgr.exe
c:\windows\NiwradSoft Shell Pack\Backup\tcpmonui.dll
c:\windows\NiwradSoft Shell Pack\Backup\telephon.cpl
c:\windows\NiwradSoft Shell Pack\Backup\telnet.exe
c:\windows\NiwradSoft Shell Pack\Backup\themeui.dll
c:\windows\NiwradSoft Shell Pack\Backup\timedate.cpl
c:\windows\NiwradSoft Shell Pack\Backup\tourstart.exe
c:\windows\NiwradSoft Shell Pack\Backup\unimdm.tsp
c:\windows\NiwradSoft Shell Pack\Backup\upnpui.dll
c:\windows\NiwradSoft Shell Pack\Backup\url.dll
c:\windows\NiwradSoft Shell Pack\Backup\urlmon.dll
c:\windows\NiwradSoft Shell Pack\Backup\usbui.dll
c:\windows\NiwradSoft Shell Pack\Backup\user32.dll
c:\windows\NiwradSoft Shell Pack\Backup\userenv.dll
c:\windows\NiwradSoft Shell Pack\Backup\utilman.exe
c:\windows\NiwradSoft Shell Pack\Backup\verifier.exe
c:\windows\NiwradSoft Shell Pack\Backup\wab.exe
c:\windows\NiwradSoft Shell Pack\Backup\wab32.dll
c:\windows\NiwradSoft Shell Pack\Backup\wab32res.dll
c:\windows\NiwradSoft Shell Pack\Backup\wabfind.dll
c:\windows\NiwradSoft Shell Pack\Backup\wabimp.dll
c:\windows\NiwradSoft Shell Pack\Backup\webcheck.dll
c:\windows\NiwradSoft Shell Pack\Backup\wextract.exe
c:\windows\NiwradSoft Shell Pack\Backup\wiaacmgr.exe
c:\windows\NiwradSoft Shell Pack\Backup\wiadefui.dll
c:\windows\NiwradSoft Shell Pack\Backup\wiashext.dll
c:\windows\NiwradSoft Shell Pack\Backup\winbrand.dll
c:\windows\NiwradSoft Shell Pack\Backup\winchat.exe
c:\windows\NiwradSoft Shell Pack\Backup\wininet.dll
c:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe
c:\windows\NiwradSoft Shell Pack\Backup\winmine.exe
c:\windows\NiwradSoft Shell Pack\Backup\winntbbu.dll
c:\windows\NiwradSoft Shell Pack\Backup\winsrv.dll
c:\windows\NiwradSoft Shell Pack\Backup\wintrust.dll
c:\windows\NiwradSoft Shell Pack\Backup\wmplayer.exe
c:\windows\NiwradSoft Shell Pack\Backup\wpabaln.exe
c:\windows\NiwradSoft Shell Pack\Backup\WpdShext.dll
c:\windows\NiwradSoft Shell Pack\Backup\write.exe
c:\windows\NiwradSoft Shell Pack\Backup\wscui.cpl
c:\windows\NiwradSoft Shell Pack\Backup\wsecedit.dll
c:\windows\NiwradSoft Shell Pack\Backup\wuapi.dll
c:\windows\NiwradSoft Shell Pack\Backup\wuauclt.exe
c:\windows\NiwradSoft Shell Pack\Backup\wuaucpl.cpl
c:\windows\NiwradSoft Shell Pack\Backup\wuaueng1.dll
c:\windows\NiwradSoft Shell Pack\Backup\wucltui.dll
c:\windows\NiwradSoft Shell Pack\Backup\wupdmgr.exe
c:\windows\NiwradSoft Shell Pack\Backup\wuweb.dll
c:\windows\NiwradSoft Shell Pack\Backup\xpsp1res.dll
c:\windows\NiwradSoft Shell Pack\Backup\xpsp2res.dll
c:\windows\NiwradSoft Shell Pack\Backup\xpsp3res.dll
c:\windows\NiwradSoft Shell Pack\Backup\zipfldr.dll
c:\windows\ServicePackFiles\i386\comctl32.dll
c:\windows\ServicePackFiles\i386\ctfmon.exe
c:\windows\ServicePackFiles\i386\explorer.exe
c:\windows\ServicePackFiles\i386\user32.dll
c:\windows\ServicePackFiles\i386\winlogon.exe
.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-04-27 to 2010-05-27 ))))))))))))))))))))))))))))
.

2010-05-27 13:39 . 2010-05-27 13:39 2266718 ----a-w- C:\TS.zip
2010-05-26 00:38 . 2010-05-26 00:45 -------- d-----w- c:\arquivos de programas\cFosSpeed
2010-05-26 00:38 . 2009-10-30 15:25 288472 ------w- c:\windows\system32\cfosspeed.dll
2010-05-24 14:34 . 2010-05-24 14:36 -------- d-----w- C:\ToolBar SD
2010-05-24 14:26 . 2010-05-24 14:26 -------- d-----w- C:\toolb
2010-05-23 23:05 . 2010-05-23 23:05 -------- d-----w- C:\_OTL
2010-05-23 17:48 . 2008-04-13 14:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-05-23 17:39 . 2010-05-23 17:39 -------- d-----w- c:\arquivos de programas\TD74 Corporation
2010-05-23 17:39 . 2006-09-19 17:26 212992 ----a-w- c:\windows\VMSnap23.exe
2010-05-23 17:39 . 2006-06-28 05:54 49152 ----a-w- c:\windows\Domino.exe
2010-05-23 17:39 . 2006-03-30 23:24 81920 ----a-w- c:\windows\VMCap323.exe
2010-05-23 17:39 . 2010-05-23 17:39 -------- d-----w- c:\windows\CatRoot
2010-05-23 17:39 . 2007-04-24 14:56 257408 ----a-w- c:\windows\system32\drivers\usbvm323.sys
2010-05-23 16:58 . 2010-05-23 16:58 61440 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b8c2a79-n\decora-sse.dll
2010-05-23 16:58 . 2010-05-23 16:58 12800 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b8c2a79-n\decora-d3d.dll
2010-05-23 16:58 . 2010-05-23 16:58 503808 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\msvcp71.dll
2010-05-23 16:58 . 2010-05-23 16:58 499712 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\jmc.dll
2010-05-23 16:58 . 2010-05-23 16:58 348160 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\msvcr71.dll
2010-05-22 12:46 . 2010-05-22 12:46 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-22 01:49 . 2010-05-22 12:45 -------- d-----w- c:\arquivos de programas\Pryme
2010-05-22 01:47 . 2010-05-22 12:45 -------- d-----w- C:\cmos
2010-05-22 01:25 . 2010-05-22 01:25 -------- d-----w- c:\arquivos de programas\STV
2010-05-09 14:32 . 2010-05-09 22:25 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NCH Swift Sound
2010-05-09 14:32 . 2010-05-09 14:32 -------- d-----w- c:\arquivos de programas\NCH Software
2010-05-09 14:31 . 2010-05-09 22:26 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\NCH Swift Sound
2010-05-09 14:28 . 2010-05-09 14:28 -------- d-----w- c:\arquivos de programas\MIKSOFT
2010-05-07 16:58 . 2010-05-07 16:58 152064 ----a-w- c:\windows\snap.dat
2010-05-07 16:55 . 2010-04-12 20:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-01 04:10 . 2010-05-01 05:43 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\TS3Client
2010-05-01 04:09 . 2010-05-01 04:09 -------- d-----w- c:\arquivos de programas\TeamSpeak 3 Client
2010-04-28 01:05 . 2010-04-28 01:05 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nokia
2010-04-28 01:01 . 2010-04-28 01:01 -------- d-----w- c:\arquivos de programas\Arquivos comuns\PCSuite
2010-04-28 01:00 . 2010-04-28 01:00 -------- d-----w- c:\arquivos de programas\PC Connectivity Solution
2010-04-28 01:00 . 2007-02-22 13:15 12288 ----a-w- c:\windows\system32\drivers\nmwcdcj.sys
2010-04-28 01:00 . 2007-02-22 13:15 12288 ----a-w- c:\windows\system32\drivers\nmwcdcm.sys
2010-04-28 01:00 . 2007-02-22 13:15 8320 ----a-w- c:\windows\system32\drivers\nmwcdc.sys
2010-04-28 01:00 . 2007-02-22 13:15 137216 ----a-w- c:\windows\system32\drivers\nmwcd.sys
2010-04-28 01:00 . 2007-02-22 13:15 65536 ----a-w- c:\windows\system32\nmwcdcocls.dll
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2010-05-27 03:02 . 2008-11-15 14:03 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\uTorrent
2010-05-25 23:37 . 2007-05-21 21:11 -------- d-----w- c:\arquivos de programas\Serviços on-line
2010-05-25 12:11 . 2008-11-15 14:03 -------- d-----w- c:\arquivos de programas\uTorrent
2010-05-25 01:55 . 2007-05-21 22:36 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield
2010-05-24 14:30 . 2007-06-07 11:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-22 12:46 . 2008-11-05 21:01 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NexonUS
2010-05-22 10:51 . 2009-09-02 12:01 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2010-05-22 01:25 . 2007-05-21 22:37 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2010-05-19 18:57 . 2010-03-07 03:52 -------- d-----w- c:\arquivos de programas\Full Tilt Poker
2010-05-12 20:51 . 2007-05-23 22:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2010-05-12 01:42 . 2008-11-27 23:07 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\LimeWire
2010-05-11 03:09 . 2009-09-22 01:36 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2010-05-07 16:55 . 2008-03-08 17:38 -------- d-----w- c:\arquivos de programas\Java
2010-05-01 02:20 . 2007-05-23 22:37 -------- d-----w- c:\arquivos de programas\CCleaner
2010-04-28 14:33 . 2008-10-11 12:19 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\Nokia Multimedia Player
2010-04-28 01:28 . 2008-11-28 00:03 -------- d-----w- c:\arquivos de programas\LG PC Suite II
2010-04-28 01:05 . 2008-10-11 11:01 -------- d-----w- c:\arquivos de programas\Nokia
2010-04-23 00:57 . 2010-02-25 16:01 26112 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-04-19 19:50 . 2009-11-04 15:12 -------- d-----w- c:\arquivos de programas\K-Lite Codec Pack
2010-04-16 18:00 . 2010-04-19 19:50 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-04-03 19:22 . 2010-04-03 19:22 2336 ----a-w- C:\boot.bat
2010-03-15 09:31 . 2002-10-15 22:54 165376 ----a-w- c:\windows\system32\unrar.dll
2010-03-12 15:05 . 2010-03-12 15:05 503808 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\msvcp71.dll
2010-03-12 15:05 . 2010-03-12 15:05 499712 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\jmc.dll
2010-03-12 15:05 . 2010-03-12 15:05 348160 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\msvcr71.dll
2010-03-12 15:05 . 2010-03-12 15:05 61440 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ec352b1-n\decora-sse.dll
2010-03-12 15:05 . 2010-03-12 15:05 12800 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ec352b1-n\decora-d3d.dll
2010-03-12 15:04 . 2004-08-04 12:00 79832 ----a-w- c:\windows\system32\perfc016.dat
2010-03-12 15:04 . 2004-08-04 12:00 470730 ----a-w- c:\windows\system32\perfh016.dat
2010-03-10 06:16 . 2004-08-04 07:45 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 15:05 . 2010-02-26 15:05 72488 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-09-04 21:00 . 2009-09-04 21:00 916430 ----a-w- c:\arquivos de programas\Apr2006_MDX1_x86.cab
2008-08-12 00:07 . 2008-07-17 22:49 29806 ----a-w- c:\arquivos de programas\megacubo_log.log
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\arquivos de programas\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\arquivos de programas\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------

[-] 2008-04-14 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 302CD5BE4CA48200F9AC1C6074D71805 . 643072 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2008-04-14 . A9B36030497E98C29210E4544700649D . 579072 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 54701D40A8E060872E666D48FDA27A19 . 1542656 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 584450C5B2439571755D40444589C63D . 40448 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot_2010-05-26_13.51.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-27 13:53 . 2010-05-27 13:53 16384 c:\windows\Temp\Perflib_Perfdata_7cc.dat
+ 2010-05-27 13:53 . 2010-05-27 13:53 16384 c:\windows\Temp\Perflib_Perfdata_1a4.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipTray.exe"="c:\arquivos de programas\Intel\IDU\iptray.exe" [2006-12-28 2242328]
"nwiz"="c:\arquivos de programas\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"OutpostMonitor"="c:\arquiv~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\arquivos de programas\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2009-11-11 417792]
"AppleSyncNotifier"="c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\arquivos de programas\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NSLauncher"="c:\arquivos de programas\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 3096576]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcus^Menu Iniciar^Programas^Inicializar^hamachi.lnk]
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcus^Menu Iniciar^Programas^Inicializar^Recorte de tela e Iniciador do OneNote 2007.lnk]
backup=c:\windows\pss\Recorte de tela e Iniciador do OneNote 2007.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-03-29 17:54 2343120 ----a-w- c:\arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 17:51 177440 ----a-w- c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 02:20 40448 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-07-24 15:02 490952 ----a-w- c:\arquivos de programas\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 13:44 31072 ----a-w- c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\arquivos de programas\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-12 08:30 81920 ----a-w- c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 21:07 141608 ----a-w- c:\arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14 576320 ----a-w- c:\arquivos de programas\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 18:44 3883840 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-07-14 16:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Openwares LiveUpdate]
2003-12-13 17:17 61440 ----a-w- c:\program files\LIVEUPDATE\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 01:08 417792 ----a-w- c:\arquivos de programas\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\MegaJogos\\jre\\jre\\bin\\javaw.exe"=
"c:\\Arquivos de programas\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Arquivos de programas\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=
"c:\\Arquivos de programas\\Megacubo\\megacubo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56458:TCP"= 56458:TCP:Pando Media Booster
"56458:UDP"= 56458:UDP:Pando Media Booster
"56911:TCP"= 56911:TCP:Pando Media Booster
"56911:UDP"= 56911:UDP:Pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/01/2010 11:23 130936]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [03/11/2009 20:52 704384]
R2 acssrv;Agnitum Client Security Service;c:\arquiv~1\Agnitum\OUTPOS~1\acs.exe [03/11/2009 20:49 1195008]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [12/01/2010 13:31 108289]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [03/11/2009 20:49 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [03/11/2009 20:52 257432]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/06/2002 00:09 31232]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/11/2008 11:26 717296]
S2 gupdate1ca7415f53b919c;Google Update Service (gupdate1ca7415f53b919c);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [03/12/2009 09:41 133104]
S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys --> c:\windows\system32\DRIVERS\3xHybrid.sys [?]
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys [21/05/2007 19:50 14074]
S3 GarenaPEngine;GarenaPEngine; [x]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [22/10/2009 10:45 31908]
S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [27/11/2008 21:05 83584]
S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [27/11/2008 21:05 14976]
S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [27/11/2008 21:05 110464]
S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [27/11/2008 21:05 100480]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 PhTVTune;ENCORE TV Tuner Pro PCI Adapter;c:\windows\system32\drivers\PhTVTune.sys [18/08/2007 15:24 28480]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [11/01/2010 08:28 27064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\arquivos de programas\Spyware Doctor\pctsAuxs.exe [19/01/2010 11:23 348752]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [25/01/2008 06:12 25088]
.
Conteúdo da pasta 'Tarefas Agendadas' 2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34] 2010-05-27 c:\windows\Tasks\AWC AutoSweep.job - c:\arquivos de programas\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-09-02 17:11] 2010-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-12-03 12:41] 2010-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-12-03 12:41] 2010-05-27 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 18:07] . . ------- Scan Suplementar ------- . mWindow Title = uInternet Settings,ProxyOverride = local IE: &Clean Traces IE: &Download with &DAP IE: Download &all with DAP IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000 DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab FF - ProfilePath - c:\documents and settings\Marcus\Dados de aplicativos\Mozilla\Firefox\Profiles\mnctdmk7.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://thefreevpn.com/home.php FF - prefs.js: keyword.URL - hxxp://br.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_br&p= FF - prefs.js: network.proxy.http - localhost FF - prefs.js: network.proxy.http_port - 9666 FF - prefs.js: network.proxy.socks - localhost FF - prefs.js: network.proxy.socks_port - 9050 FF - prefs.js: network.proxy.ssl - localhost FF - prefs.js: network.proxy.ssl_port - 9666 FF - prefs.js: network.proxy.type - 1 FF - component: c:\documents and settings\Marcus\Dados de aplicativos\Mozilla\Firefox\Profiles\mnctdmk7.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll FF - HiddenExtension: Microsoft .NET Framework 
Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: browser.cache.memory.capacity - 65536 FF - user.js: browser.chrome.favicons - false FF - user.js: browser.display.show_image_placeholders - true FF - user.js: browser.turbo.enabled - true FF - user.js: browser.urlbar.autocomplete.enabled - true FF - user.js: browser.urlbar.autofill - true FF - user.js: content.interrupt.parsing - true FF - user.js: content.max.tokenizing.time - 2250000 FF - user.js: content.notify.backoffcount - 5 FF - user.js: content.notify.interval - 750000 FF - user.js: content.notify.ontimer - true FF - user.js: content.switch.threshold - 750000 FF - user.js: network.http.max-connections - 48 FF - user.js: network.http.max-connections-per-server - 16 FF - user.js: network.http.max-persistent-connections-per-proxy - 16 FF - user.js: network.http.max-persistent-connections-per-server - 8 FF - user.js: network.http.pipelining - true FF - user.js: network.http.pipelining.firstrequest - true FF - user.js: network.http.pipelining.maxrequests - 8 FF - user.js: network.http.proxy.pipelining - true FF - user.js: network.http.request.max-start-delay - 0 FF - user.js: nglayout.initialpaint.delay - 0 FF - user.js: plugin.expose_full_path - true FF - user.js: ui.submenuDelay - 0 c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-27 11:06 Windows 5.1.2600 Service Pack 3 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... 
Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** . --------------------- CHAVES DO REGISTRO BLOQUEADAS --------------------- [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar0] "BarID"=dword:0000e81b "Bars"=dword:00000003 "Bar#0"=dword:00000000 "Bar#1"=dword:0000e800 "Bar#2"=dword:00000000 [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar1] "BarID"=dword:0000e81c "Bars"=dword:00000004 "Bar#0"=dword:00000000 "Bar#1"=dword:0000e807 "Bar#2"=dword:0000e806 "Bar#3"=dword:00000000 [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar2] "BarID"=dword:0000e800 "XPos"=dword:fffffffe "YPos"=dword:fffffffe "Docking"=dword:00000001 "MRUDockID"=dword:00000000 "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:fffffffe "MRUDockRightPos"=dword:000001f5 "MRUDockBottomPos"=dword:00000036 "MRUFloatStyle"=dword:00002000 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar3] "BarID"=dword:0000e806 "XPos"=dword:fffffffe "YPos"=dword:00000141 "Docking"=dword:00000001 "MRUDockID"=dword:0000e81c "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:00000141 "MRUDockRightPos"=dword:000000c6 "MRUDockBottomPos"=dword:00000287 "MRUFloatStyle"=dword:00002004 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar4] "BarID"=dword:0000e807 "XPos"=dword:fffffffe "YPos"=dword:fffffffe "Docking"=dword:00000001 "MRUDockID"=dword:00000000 "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:fffffffe "MRUDockRightPos"=dword:000000c6 
"MRUDockBottomPos"=dword:00000143 "MRUFloatStyle"=dword:00002004 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Summary] "Bars"=dword:00000005 "ScreenCX"=dword:00000400 "ScreenCY"=dword:00000300 [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Settings] "FirstRun"=dword:00000000 "xScreen"=dword:00000400 "yScreen"=dword:000002c4 "floats"="1.000000 0.500000 0.500000 120 120" "skin"="ISR_10Moons.dll" [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\WNDSTATUS] "FLAG"=dword:00000000 "SHOWCMD"=dword:00000001 "LEFT"=dword:fffffffc "TOP"=dword:fffffffc "RIGHT"=dword:00000404 "BOTTOM"=dword:000002e2 . --------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'winlogon.exe'(980) c:\windows\system32\SETUPAPI.dll c:\windows\system32\sfc_os.dll c:\windows\system32\cscui.dll - - - - - - - > 'lsass.exe'(1036) c:\windows\system32\setupapi.dll . Tempo para conclusão: 2010-05-27 11:08:28 ComboFix-quarantined-files.txt 2010-05-27 14:08 ComboFix2.txt 2010-05-26 13:56 ComboFix3.txt 2010-05-24 14:59 Pré-execução: 51 pasta(s) 46.605.873.152 bytes disponíveis Pós execução: 52 pasta(s) 46.427.955.200 bytes disponíveis Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - 3150294D939DC180B7B71FA535965522 Compartilhar este post Link para o post Compartilhar em outros sites
DigRam
Posted May 27, 2010

Good afternoon! .matiello

<!> Follow these instructions, in order!

0000000000000000000000
oooooooooooooooooooooo

<@> Download: < > ( ...by Atribune )
<@> Save it to the Desktop!
<@> Restart the computer in Safe Mode!
<@> Click ATF-Cleaner.exe
<@> Under "Select Files To Delete", check Select All.
<@> Click Empty Selected.
<@> In the Done Cleaning window, click OK --> Exit
<@> Attention: If you use Firefox:
* At the top, click Firefox and choose: Select All --> Click Empty Selected.
<@> Attention: If you use Opera:
* At the top, click Opera and choose: Select All --> Click Empty Selected.
<@> Restart the computer normally.

0000000000000000000000
oooooooooooooooooooooo

<@> Unzip TS.zip into the folder: c:\windows\ServicePackFiles\i386 <--
<@> We will therefore end up with the following path: c:\windows\ServicePackFiles\i386\TS

0000000000000000000000
oooooooooooooooooooooo

<@> Select and copy all the content in the QUOTE area into Notepad.
<@> Save it to the Desktop with the name: CFScript.txt

RESTORE::
c:\windows\system32\comctl32.dll
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\setupapi.dll
C:\WINDOWS\system32\syssetup.dll
c:\windows\system32\user32.dll
c:\windows\system32\ctfmon.exe
c:\windows\explorer.exe

<@> PS: It is recommended that you be disconnected when running the script.
<@> PS: Temporarily disable your antivirus.
<@> PS: Do not use this script on another machine!
<@> Drag CFScript.txt onto the ComboFix icon or into its window.
<@> See the demonstration!
<@> Accept the prompt that should appear to run ComboFix.
<@> PS: Keep dragging until that prompt appears!
( window )
<@> When it finishes, post: C:\ComboFix.txt

0000000000000000000000
oooooooooooooooooooooo

<!> PS: If everything is OK and there were no incidents along the way, download this tool: The Comedian

0000000000000000000000
oooooooooooooooooooooo

<@> Download: < The_Comedian > ( ...by Rorschach112 )
<@> Save it to the desktop, renamed as: komedian.exe
<@> Run komedian.exe with a double-click.
<@> Follow the various steps ( Steps 1,2,3,4.. ), always pressing Enter.
Step 1 --> Turning off wordwrap..
Step 2 --> Fixing file associations
Step 3 --> Creating an ERUNT registry backup..
<@> Allow the installation of ERUNT, which will create a backup of the registry.
<@> Complete step 4 ( Step 4 ), which will create a new System Restore point.
<@> Confirm the completion of that step, which will finish automatically.
<@> By default, the backup will be at: C:\WINDOWS\ERUNT\d-m-2010

Regards!
.matiello
Posted May 28, 2010

ComboFix 10-05-23.07 - Marcus 27/05/2010 20:50:29.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2045.1563 [GMT -3:00]
Executando de: c:\documents and settings\Marcus\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Marcus\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Firewall pessoal do ESET *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
* AV residente está ativo
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
A cópia de c:\windows\explorer.exe foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ServicePackFiles\i386\TS\explorer.exe
A cópia de c:\windows\system32\comctl32.dll foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ServicePackFiles\i386\TS\comctl32.dll
A cópia de c:\windows\system32\ctfmon.exe foi encontrada e desinfectada
Cópia restaurada de - c:\system volume information\_restore{9722A98C-9BBF-474D-B81F-F14975B21EDA}\RP212\A0067368.exe
A cópia de c:\windows\system32\setupapi.dll foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ServicePackFiles\i386\TS\setupapi.dll
A cópia de c:\windows\system32\syssetup.dll foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ServicePackFiles\i386\TS\syssetup.dll
A cópia de c:\windows\system32\user32.dll foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ServicePackFiles\i386\TS\user32.dll
A cópia de c:\windows\system32\winlogon.exe foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ServicePackFiles\i386\TS\winlogon.exe
.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-04-27 to 2010-05-27 ))))))))))))))))))))))))))))
.
2010-05-27 13:39 . 2010-05-27 13:39 2266718 ----a-w- C:\TS.zip
2010-05-26 00:38 . 2010-05-26 00:45 -------- d-----w- c:\arquivos de programas\cFosSpeed
2010-05-26 00:38 . 2009-10-30 15:25 288472 ------w- c:\windows\system32\cfosspeed.dll
2010-05-24 14:34 . 2010-05-24 14:36 -------- d-----w- C:\ToolBar SD
2010-05-24 14:26 . 2010-05-24 14:26 -------- d-----w- C:\toolb
2010-05-23 23:05 . 2010-05-23 23:05 -------- d-----w- C:\_OTL
2010-05-23 17:48 . 2008-04-13 14:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-05-23 17:39 . 2010-05-23 17:39 -------- d-----w- c:\arquivos de programas\TD74 Corporation
2010-05-23 17:39 . 2006-09-19 17:26 212992 ----a-w- c:\windows\VMSnap23.exe
2010-05-23 17:39 . 2006-06-28 05:54 49152 ----a-w- c:\windows\Domino.exe
2010-05-23 17:39 . 2006-03-30 23:24 81920 ----a-w- c:\windows\VMCap323.exe
2010-05-23 17:39 . 2010-05-23 17:39 -------- d-----w- c:\windows\CatRoot
2010-05-23 17:39 . 2007-04-24 14:56 257408 ----a-w- c:\windows\system32\drivers\usbvm323.sys
2010-05-22 12:46 . 2010-05-22 12:46 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-22 01:49 . 2010-05-22 12:45 -------- d-----w- c:\arquivos de programas\Pryme
2010-05-22 01:47 . 2010-05-22 12:45 -------- d-----w- C:\cmos
2010-05-22 01:25 . 2010-05-22 01:25 -------- d-----w- c:\arquivos de programas\STV
2010-05-09 14:32 . 2010-05-09 22:25 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NCH Swift Sound
2010-05-09 14:32 . 2010-05-09 14:32 -------- d-----w- c:\arquivos de programas\NCH Software
2010-05-09 14:31 . 2010-05-09 22:26 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\NCH Swift Sound
2010-05-09 14:28 . 2010-05-09 14:28 -------- d-----w- c:\arquivos de programas\MIKSOFT
2010-05-07 16:58 . 2010-05-07 16:58 152064 ----a-w- c:\windows\snap.dat
2010-05-07 16:55 . 2010-04-12 20:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-01 04:10 . 2010-05-01 05:43 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\TS3Client
2010-05-01 04:09 . 2010-05-01 04:09 -------- d-----w- c:\arquivos de programas\TeamSpeak 3 Client
2010-04-28 01:05 . 2010-04-28 01:05 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nokia
2010-04-28 01:01 . 2010-04-28 01:01 -------- d-----w- c:\arquivos de programas\Arquivos comuns\PCSuite
2010-04-28 01:00 . 2010-04-28 01:00 -------- d-----w- c:\arquivos de programas\PC Connectivity Solution
2010-04-28 01:00 . 2007-02-22 13:15 12288 ----a-w- c:\windows\system32\drivers\nmwcdcj.sys
2010-04-28 01:00 . 2007-02-22 13:15 12288 ----a-w- c:\windows\system32\drivers\nmwcdcm.sys
2010-04-28 01:00 . 2007-02-22 13:15 8320 ----a-w- c:\windows\system32\drivers\nmwcdc.sys
2010-04-28 01:00 . 2007-02-22 13:15 137216 ----a-w- c:\windows\system32\drivers\nmwcd.sys
2010-04-28 01:00 . 2007-02-22 13:15 65536 ----a-w- c:\windows\system32\nmwcdcocls.dll
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-27 23:35 . 2007-06-07 11:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-27 17:32 . 2008-11-15 14:03 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\uTorrent
2010-05-25 23:37 . 2007-05-21 21:11 -------- d-----w- c:\arquivos de programas\Serviços on-line
2010-05-25 12:11 . 2008-11-15 14:03 -------- d-----w- c:\arquivos de programas\uTorrent
2010-05-25 01:55 . 2007-05-21 22:36 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield
2010-05-23 16:58 . 2010-05-23 16:58 61440 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b8c2a79-n\decora-sse.dll
2010-05-23 16:58 . 2010-05-23 16:58 12800 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b8c2a79-n\decora-d3d.dll
2010-05-23 16:58 . 2010-05-23 16:58 503808 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\msvcp71.dll
2010-05-23 16:58 . 2010-05-23 16:58 499712 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\jmc.dll
2010-05-23 16:58 . 2010-05-23 16:58 348160 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\msvcr71.dll
2010-05-22 12:46 . 2008-11-05 21:01 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NexonUS
2010-05-22 10:51 . 2009-09-02 12:01 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2010-05-22 01:25 . 2007-05-21 22:37 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2010-05-19 18:57 . 2010-03-07 03:52 -------- d-----w- c:\arquivos de programas\Full Tilt Poker
2010-05-12 20:51 . 2007-05-23 22:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2010-05-12 01:42 . 2008-11-27 23:07 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\LimeWire
2010-05-11 03:09 . 2009-09-22 01:36 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2010-05-07 16:55 . 2008-03-08 17:38 -------- d-----w- c:\arquivos de programas\Java
2010-05-01 02:20 . 2007-05-23 22:37 -------- d-----w- c:\arquivos de programas\CCleaner
2010-04-28 14:33 . 2008-10-11 12:19 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\Nokia Multimedia Player
2010-04-28 01:28 . 2008-11-28 00:03 -------- d-----w- c:\arquivos de programas\LG PC Suite II
2010-04-28 01:05 . 2008-10-11 11:01 -------- d-----w- c:\arquivos de programas\Nokia
2010-04-23 00:57 . 2010-02-25 16:01 26112 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-04-19 19:50 . 2009-11-04 15:12 -------- d-----w- c:\arquivos de programas\K-Lite Codec Pack
2010-04-16 18:00 . 2010-04-19 19:50 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-04-03 19:22 . 2010-04-03 19:22 2336 ----a-w- C:\boot.bat
2010-03-15 09:31 . 2002-10-15 22:54 165376 ----a-w- c:\windows\system32\unrar.dll
2010-03-12 15:05 . 2010-03-12 15:05 503808 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\msvcp71.dll
2010-03-12 15:05 . 2010-03-12 15:05 499712 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\jmc.dll
2010-03-12 15:05 . 2010-03-12 15:05 348160 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\msvcr71.dll
2010-03-12 15:05 . 2010-03-12 15:05 61440 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ec352b1-n\decora-sse.dll
2010-03-12 15:05 . 2010-03-12 15:05 12800 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ec352b1-n\decora-d3d.dll
2010-03-12 15:04 . 2004-08-04 12:00 79832 ----a-w- c:\windows\system32\perfc016.dat
2010-03-12 15:04 . 2004-08-04 12:00 470730 ----a-w- c:\windows\system32\perfh016.dat
2010-03-10 06:16 . 2004-08-04 07:45 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-09-04 21:00 . 2009-09-04 21:00 916430 ----a-w- c:\arquivos de programas\Apr2006_MDX1_x86.cab
2008-08-12 00:07 . 2008-07-17 22:49 29806 ----a-w- c:\arquivos de programas\megacubo_log.log
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\arquivos de programas\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\arquivos de programas\mozilla firefox\plugins\ssldivx.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipTray.exe"="c:\arquivos de programas\Intel\IDU\iptray.exe" [2006-12-28 2242328]
"nwiz"="c:\arquivos de programas\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"OutpostMonitor"="c:\arquiv~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\arquivos de programas\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2009-11-11 417792]
"AppleSyncNotifier"="c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\arquivos de programas\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NSLauncher"="c:\arquivos de programas\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 3096576]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcus^Menu Iniciar^Programas^Inicializar^hamachi.lnk]
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcus^Menu Iniciar^Programas^Inicializar^Recorte de tela e Iniciador do OneNote 2007.lnk]
backup=c:\windows\pss\Recorte de tela e Iniciador do OneNote 2007.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-03-29 17:54 2343120 ----a-w- c:\arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 17:51 177440 ----a-w- c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 02:20 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-07-24 15:02 490952 ----a-w- c:\arquivos de programas\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 13:44 31072 ----a-w- c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\arquivos de programas\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-12 08:30 81920 ----a-w- c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 21:07 141608 ----a-w- c:\arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14 576320 ----a-w- c:\arquivos de programas\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 18:44 3883840 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-07-14 16:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Openwares LiveUpdate]
2003-12-13 17:17 61440 ----a-w- c:\program files\LIVEUPDATE\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 01:08 417792 ----a-w- c:\arquivos de programas\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\MegaJogos\\jre\\jre\\bin\\javaw.exe"=
"c:\\Arquivos de programas\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Arquivos de programas\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=
"c:\\Arquivos de programas\\Megacubo\\megacubo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56458:TCP"= 56458:TCP:Pando Media Booster
"56458:UDP"= 56458:UDP:Pando Media Booster
"56911:TCP"= 56911:TCP:Pando Media Booster
"56911:UDP"= 56911:UDP:Pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/01/2010 11:23 130936]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/11/2008 11:26 717296]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [03/11/2009 20:52 704384]
R2 acssrv;Agnitum Client Security Service;c:\arquiv~1\Agnitum\OUTPOS~1\acs.exe [03/11/2009 20:49 1195008]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [12/01/2010 13:31 108289]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [03/11/2009 20:49 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [03/11/2009 20:52 257432]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/06/2002 00:09 31232]
S2 gupdate1ca7415f53b919c;Google Update Service (gupdate1ca7415f53b919c);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [03/12/2009 09:41 133104]
S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys --> c:\windows\system32\DRIVERS\3xHybrid.sys [?]
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys [21/05/2007 19:50 14074]
S3 GarenaPEngine;GarenaPEngine; [x]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [22/10/2009 10:45 31908]
S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [27/11/2008 21:05 83584]
S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [27/11/2008 21:05 14976]
S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [27/11/2008 21:05 110464]
S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [27/11/2008 21:05 100480]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 PhTVTune;ENCORE TV Tuner Pro PCI Adapter;c:\windows\system32\drivers\PhTVTune.sys [18/08/2007 15:24 28480]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [11/01/2010 08:28 27064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\arquivos de programas\Spyware Doctor\pctsAuxs.exe [19/01/2010 11:23 348752]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [25/01/2008 06:12 25088]
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2010-05-27 c:\windows\Tasks\AWC AutoSweep.job
- c:\arquivos de programas\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-09-02 17:11]

2010-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-12-03 12:41]

2010-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-12-03 12:41]

2010-05-27 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 18:07]
.
.
------- Scan Suplementar -------
.
mWindow Title =
uInternet Settings,ProxyOverride = local
IE: &Clean Traces
IE: &Download with &DAP
IE: Download &all with DAP
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Marcus\Dados de aplicativos\Mozilla\Firefox\Profiles\mnctdmk7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://thefreevpn.com/home.php
FF - prefs.js: keyword.URL - hxxp://br.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_br&p=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\Marcus\Dados de aplicativos\Mozilla\Firefox\Profiles\mnctdmk7.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-27 20:59
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spus.sys >>UNKNOWN [0x8A643938]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28 \Driver\ACPI -> ACPI.sys @ 0xb7e67cb8 \Driver\atapi -> atapi.sys @ 0xb7dfcb40 IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7ccfbb0 PacketIndicateHandler -> NDIS.sys @ 0xb7cdca21 SendHandler -> NDIS.sys @ 0xb7cba87b user & kernel MBR OK copy of MBR has been found in sector 1 ! ************************************************************************** . 
--------------------- CHAVES DO REGISTRO BLOQUEADAS --------------------- [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar0] "BarID"=dword:0000e81b "Bars"=dword:00000003 "Bar#0"=dword:00000000 "Bar#1"=dword:0000e800 "Bar#2"=dword:00000000 [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar1] "BarID"=dword:0000e81c "Bars"=dword:00000004 "Bar#0"=dword:00000000 "Bar#1"=dword:0000e807 "Bar#2"=dword:0000e806 "Bar#3"=dword:00000000 [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar2] "BarID"=dword:0000e800 "XPos"=dword:fffffffe "YPos"=dword:fffffffe "Docking"=dword:00000001 "MRUDockID"=dword:00000000 "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:fffffffe "MRUDockRightPos"=dword:000001f5 "MRUDockBottomPos"=dword:00000036 "MRUFloatStyle"=dword:00002000 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar3] "BarID"=dword:0000e806 "XPos"=dword:fffffffe "YPos"=dword:00000141 "Docking"=dword:00000001 "MRUDockID"=dword:0000e81c "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:00000141 "MRUDockRightPos"=dword:000000c6 "MRUDockBottomPos"=dword:00000287 "MRUFloatStyle"=dword:00002004 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar4] "BarID"=dword:0000e807 "XPos"=dword:fffffffe "YPos"=dword:fffffffe "Docking"=dword:00000001 "MRUDockID"=dword:00000000 "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:fffffffe "MRUDockRightPos"=dword:000000c6 "MRUDockBottomPos"=dword:00000143 "MRUFloatStyle"=dword:00002004 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd 
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Summary] "Bars"=dword:00000005 "ScreenCX"=dword:00000400 "ScreenCY"=dword:00000300 [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Settings] "FirstRun"=dword:00000000 "xScreen"=dword:00000400 "yScreen"=dword:000002c4 "floats"="1.000000 0.500000 0.500000 120 120" "skin"="ISR_10Moons.dll" [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\WNDSTATUS] "FLAG"=dword:00000000 "SHOWCMD"=dword:00000001 "LEFT"=dword:fffffffc "TOP"=dword:fffffffc "RIGHT"=dword:00000404 "BOTTOM"=dword:000002e2 . --------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'winlogon.exe'(968) c:\windows\system32\sfc_os.dll c:\windows\system32\cscui.dll - - - - - - - > 'explorer.exe'(940) c:\windows\system32\WININET.dll c:\windows\system32\COMRes.dll c:\windows\System32\cscui.dll c:\windows\system32\LINKINFO.dll c:\windows\system32\ntshrui.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\arquivos de programas\Scpad\scpLIB.dll c:\arquivos de programas\Scpad\scpMIB.dll c:\arquivos de programas\Scpad\sshib.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\NETSHELL.dll c:\windows\system32\credui.dll . ------------------------ Outros Processos em Execução ------------------------ . 
c:\windows\system32\nvsvc32.exe
c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe
c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\arquivos de programas\Intel\IDU\awServ.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\snmp.exe
c:\arquivos de programas\SigmaTel\C-Major Audio\WDM\STacSV.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\sttray.exe
.
**************************************************************************
.
Tempo para conclusão: 2010-05-27 21:05:32 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-05-28 00:05
ComboFix2.txt 2010-05-27 14:08
ComboFix3.txt 2010-05-26 13:56
ComboFix4.txt 2010-05-24 14:59
Pré-execução: 51 pasta(s) 46.147.018.752 bytes disponíveis
Pós execução: 52 pasta(s) 46.084.259.840 bytes disponíveis
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 07ED081BA1C4F577902603E34A7BFA3C

After finishing step 4 of komedian.exe, what should I do?
DigRam 144 Posted May 28, 2010

> After finishing step 4 of komedian.exe, what should I do?

///////////////\\\\\\\\\\\\\\
Good evening, .matiello!
<!> Nothing! That step created a new "System Restore" point.
<!> PS: Your signature validation problems have been fixed!
<!> Repeat the procedure with the Gmer_MBR tool once more --> Post the report!
0000000000000000000 ooooooooooooooooooo
<@> Download: < > <!> Link-2 < RootRepeal.zip > <!> Link-3 < RootRepeal.zip >
<@> Unzip it to the desktop.
<@> Open the program and click "Report" --> "Scan" < >
<@> Check the 7 boxes above. --> Click OK.
<@> Next, choose your drive. ( C:\ or D:\ ) --> OK.
<@> Start the scan and, when it finishes, click "Save Report" < >
<@> Save it with the name: "RootRepeal.txt" <-- Report!
Regards!
.matiello 0 Posted May 28, 2010

Sorry, the Gmer_MBR tool??? Did I already download it during the process?
DigRam 144 Posted May 28, 2010

> Sorry, the Gmer_MBR tool??? Did I already download it during the process?

/////////////\\\\\\\\\\\\\\\
Good morning, .matiello!
<!> Yes! But... in any case, here is the repeat for you.
0000000000000000 oooooooooooooooo
<@> Download: < mbr.exe v.0.3.7 > ( by Gmer )
<@> Save it to C:\ or C:\Documents and Settings\[userName]\, preferring the directory in which the command prompt opens.
<@> Go to Start --> Run --> Type: cmd --> OK.
<@> At the prompt, type: cd \ --> Press Enter.
<@> Type: C:\>mbr.exe -f or C:\Documents and Settings\[userName]\>mbr.exe -f
<@> Press Enter.
<@> PS: Another option is to download mbr.exe to your desktop.
<@> Go to Start --> Run --> Type or paste: "%userprofile%\desktop\mbr.exe" -f
<@> Click OK.
<@> Post: C:\mbr.txt or C:\Documents and Settings\[userName]\mbr.txt
Regards!
.matiello 0 Posted May 28, 2010

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 1 !

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/28 19:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: mbr.sys
Image Path: C:\DOCUME~1\Marcus\CONFIG~1\Temp\mbr.sys
Address: 0xB8440000 Size: 20864 File Visible: No Signed: - Status: -

Name: PCI_PNP2960
Image Path: \Driver\PCI_PNP2960
Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3102000 Size: 49152 File Visible: No Signed: - Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: -

Name: spvt.sys
Image Path: spvt.sys
Address: 0xB7EA7000 Size: 1048576 File Visible: No Signed: - Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Marcus\Configurações locais\Apps\2.0\138HJ9W4.9GX\5WEWYVOJ.TKB\manifests\Scrim Spot Anti-Cheat.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Marcus\Configurações locais\Apps\2.0\138HJ9W4.9GX\5WEWYVOJ.TKB\manifests\Scrim Spot Anti-Cheat.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Marcus\Configurações locais\Apps\2.0\EAB11K66.DQK\3CZ4QMQY.EJR\manifests\Scrim Spot Anti-Cheat.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Marcus\Configurações locais\Apps\2.0\EAB11K66.DQK\3CZ4QMQY.EJR\manifests\Scrim Spot Anti-Cheat.exe.manifest
Status: Locked to the Windows API!

Processes
-------------------
Path: C:\ARQUIV~1\Agnitum\OUTPOS~1\acs.exe
PID: 572 Status: Locked to the Windows API!
Path: C:\ARQUIV~1\Agnitum\OUTPOS~1\op_mon.exe PID: 1456 Status: Locked to the Windows API! SSDT ------------------- #: 019 Function Name: NtAssignProcessToJobObject Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ffea60 #: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fe3bf0 #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4000920 #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fdff60 #: 041 Function Name: NtCreateKey Status: Hooked by "PCTCore.sys" at address 0xb7db6514 #: 047 Function Name: NtCreateProcess Status: Hooked by "PCTCore.sys" at address 0xb7da5282 #: 048 Function Name: NtCreateProcessEx Status: Hooked by "PCTCore.sys" at address 0xb7da5474 #: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fded10 #: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3feae40 #: 053 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0xb8716e04 #: 057 Function Name: NtDebugActiveProcess Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4003f30 #: 062 Function Name: NtDeleteFile Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fe9b20 #: 063 Function Name: NtDeleteKey Status: Hooked by "PCTCore.sys" at address 0xb7db6d00 #: 065 Function Name: NtDeleteValueKey Status: Hooked by "PCTCore.sys" at address 0xb7db6fb8 #: 071 Function Name: NtEnumerateKey Status: Hooked by "spvt.sys" at address 0xb7ec6ca2 #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "spvt.sys" at address 0xb7ec7030 #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ff4bb0 #: 098 Function Name: NtLoadKey Status: Hooked by "<unknown>" at 
address 0xb8716e22 #: 105 Function Name: NtMakeTemporaryObject Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fea6b0 #: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fe2c10 #: 119 Function Name: NtOpenKey Status: Hooked by "PCTCore.sys" at address 0xb7db53fa #: 122 Function Name: NtOpenProcess Status: Hooked by "<unknown>" at address 0xb8716df0 #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fdf580 #: 128 Function Name: NtOpenThread Status: Hooked by "<unknown>" at address 0xb8716df5 #: 137 Function Name: NtProtectVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fffda0 #: 145 Function Name: NtQueryDirectoryFile Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fe48a0 #: 160 Function Name: NtQueryKey Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fee750 #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3feefa0 #: 180 Function Name: NtQueueApcThread Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ffded0 #: 192 Function Name: NtRenameKey Status: Hooked by "PCTCore.sys" at address 0xb7db7422 #: 193 Function Name: NtReplaceKey Status: Hooked by "<unknown>" at address 0xb8716e2c #: 199 Function Name: NtRequestPort Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4002a50 #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4002d70 #: 204 Function Name: NtRestoreKey Status: Hooked by "<unknown>" at address 0xb8716e27 #: 207 Function Name: NtSaveKey Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ff0c80 #: 208 Function Name: NtSaveKeyEx Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ff14d0 #: 210 Function 
Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4001480 #: 213 Function Name: NtSetContextThread Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ffd440 #: 223 Function Name: NtSetInformationDebugObject Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4004520 #: 224 Function Name: NtSetInformationFile Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fe5bf0 #: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ff41c0 #: 247 Function Name: NtSetValueKey Status: Hooked by "PCTCore.sys" at address 0xb7db67d8 #: 253 Function Name: NtSuspendProcess Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ffc190 #: 254 Function Name: NtSuspendThread Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ffcac0 #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4003770 #: 257 Function Name: NtTerminateProcess Status: Hooked by "PCTCore.sys" at address 0xb7da4f32 #: 258 Function Name: NtTerminateThread Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ffb620 #: 262 Function Name: NtUnloadDriver Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3ff5530 #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb3fff2b0 Stealth Objects ------------------- Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, 
IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x8a6931f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x8a3ac1f8 
Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x8a3ac1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_READ] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_POWER] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8a6231f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_PNP] Process: System Address: 0x8a6231f8 
Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x8a3f81f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x8a3f81f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8a3f81f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8a3f81f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x8a3f81f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8a3f81f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x8a3f81f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x8a6951f8 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x8a2f9500 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] 
Process: System Address: 0x8a2f9500 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8a2f9500 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8a2f9500 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP] Process: System Address: 0x8a2f9500 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP] Process: System Address: 0x8a2f9500 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x8a3c31f8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x8a3c31f8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8a3c31f8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8a3c31f8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x8a3c31f8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8a3c31f8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x8a3c31f8 Size: 121 Object: Hidden Code [Driver: a61bhmce䵆湦ం扏楄섰슨浍浓, IRP_MJ_CREATE] Process: System Address: 0x8a3841f8 Size: 121 Object: Hidden Code [Driver: a61bhmce䵆湦ం扏楄섰슨浍浓, IRP_MJ_CLOSE] Process: System Address: 0x8a3841f8 Size: 121 Object: Hidden Code [Driver: a61bhmce䵆湦ం扏楄섰슨浍浓, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8a3841f8 Size: 121 Object: Hidden Code [Driver: a61bhmce䵆湦ం扏楄섰슨浍浓, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8a3841f8 Size: 121 Object: Hidden Code [Driver: a61bhmce䵆湦ం扏楄섰슨浍浓, IRP_MJ_POWER] Process: System Address: 0x8a3841f8 Size: 121 Object: Hidden Code [Driver: a61bhmce䵆湦ం扏楄섰슨浍浓, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8a3841f8 Size: 121 Object: Hidden Code [Driver: a61bhmce䵆湦ం扏楄섰슨浍浓, IRP_MJ_PNP] Process: System Address: 0x8a3841f8 Size: 121 Object: Hidden Code [Driver: 
MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, 
IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP] Process: System Address: 0x891fc1f8 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_CREATE] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_CLOSE] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_READ] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_SET_INFORMATION] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_SHUTDOWN] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, 
IRP_MJ_LOCK_CONTROL] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_CLEANUP] Process: System Address: 0x891ea500 Size: 121 Object: Hidden Code [Driver: Cdfsࠅఈ䵃慖, IRP_MJ_PNP] Process: System Address: 0x891ea500 Size: 121

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb40081a0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4007db0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb40076b0

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4005ed0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb40053d0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4005760

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4008600

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4007380

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4006290

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xb4006a60

==EOF==
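As an added triage aid for the RootRepeal output posted above (example code written for this page, not part of the thread, of RootRepeal, or of any of the tools mentioned): a small Python parser for the SSDT and Shadow SSDT sections that groups the hooks by the module RootRepeal attributes them to and pulls out the ones it could only label "<unknown>". The sample text is constructed in RootRepeal's multi-line report layout from a handful of the entries in the report above; the function and variable names are my own, not RootRepeal's.

```python
import re
from collections import defaultdict

# Constructed sample in RootRepeal's report layout. The entries are copied
# from the SSDT / Shadow SSDT sections posted above (a handful, not all).
SAMPLE_REPORT = """\
SSDT
-------------------
#: 019  Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\SandBox.sys" at address 0xb3ffea60

#: 041  Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb7db6514

#: 053  Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb8716e04

#: 071  Function Name: NtEnumerateKey
Status: Hooked by "spvt.sys" at address 0xb7ec6ca2

#: 122  Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb8716df0

Shadow SSDT
-------------------
#: 383  Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\SandBox.sys" at address 0xb4007db0
"""

# One hook spans two report lines: the "#:" line names the service, the
# "Status:" line that follows names the hooking module and the hook address.
INDEX_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)')
STATUS_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
SECTIONS = ("SSDT", "Shadow SSDT")


def parse_hooks(report):
    """Return one dict per hooked entry, tagged with the section it sits in."""
    hooks, section, pending = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        m = INDEX_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            index, func = pending
            hooks.append({"section": section, "index": index, "function": func,
                          "module": m.group(1), "address": int(m.group(2), 16)})
            pending = None
    return hooks


def hooks_by_module(hooks):
    """Map each hooking module to the list of services it hooks."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
    return dict(by_module)


def unattributed_hooks(hooks):
    """Hooks whose owner RootRepeal could not name. These are the ones to
    resolve first: the named hookers in this report are known products."""
    return [h for h in hooks if h["module"] == "<unknown>"]


def address_span(hooks):
    """(lowest, highest) hook address per module, to see whether the
    unnamed hooks cluster in one small region, i.e. likely one image."""
    spans = {}
    for h in hooks:
        lo, hi = spans.get(h["module"], (h["address"], h["address"]))
        spans[h["module"]] = (min(lo, h["address"]), max(hi, h["address"]))
    return spans


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_REPORT)
    for module, funcs in sorted(hooks_by_module(parsed).items()):
        lo, hi = address_span(parsed)[module]
        print(f"{module}: {len(funcs)} hook(s) in 0x{lo:08x}-0x{hi:08x}")
    for h in unattributed_hooks(parsed):
        print(f"  unattributed: {h['section']} #{h['index']:03d} "
              f"{h['function']} @ 0x{h['address']:08x}")
```

On the constructed sample this reports two unattributed hooks (NtCreateThread and NtOpenProcess) that sit 20 bytes apart in the 0xb8716dxx range, which is exactly the grouping a helper wants to see before deciding whether to resolve those addresses against the loaded-module list or to treat them as belonging to one of the security products already named in the report. Feeding it the full report simply lengthens the lists; the parser ignores the Drivers, Processes and Stealth Objects sections because their "Status:" lines do not carry a hooking module.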
DigRam 144 Posted May 29, 2010

Good evening! .matiello

<@> Select and copy all the content in the Quote area into Notepad.

<@> Save it on the Desktop with the name: CFScript.txt

RegLock::
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar0]
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar1]
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar2]
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar3]
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar4]
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Summary]
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Settings]
[HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\WNDSTATUS]

Registry::
[-HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar0]
[-HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar1]
[-HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar2]
[-HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar3]
[-HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar4]
[-HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Summary]
[-HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Settings]
[-HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\WNDSTATUS]

<@> Ps: It is recommended that you be disconnected from the internet when running the script.

<@> Ps: Temporarily disable your antivirus.

<@> Ps: Do not use this script on another machine!

<@> Drag CFScript.txt onto/into the ComboFix icon.

<@> See the demonstration!

<@> Accept the prompt that should appear to run ComboFix.

<@> Ps: Keep dragging until that prompt (window) appears!

<@> When it finishes, post the reports: C:\ComboFix.txt + HijackThis, updated.

Cheers!
.matiello 0 Posted May 29, 2010 ComboFix 10-05-23.07 - Marcus 29/05/2010 11:00:18.5.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2045.1571 [GMT -3:00] Executando de: c:\documents and settings\Marcus\Desktop\ComboFix.exe Comandos utilizados :: c:\documents and settings\Marcus\Desktop\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: ESET Smart Security 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Firewall pessoal do ESET *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0} FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD} * AV residente está ativo . (((((((((((((((( Arquivos/Ficheiros criados de 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))) . 2010-05-28 00:10 . 2010-05-28 00:10 -------- d-----w- c:\arquivos de programas\ERUNT 2010-05-27 13:39 . 2010-05-27 13:39 2266718 ----a-w- C:\TS.zip 2010-05-26 00:38 . 2010-05-26 00:45 -------- d-----w- c:\arquivos de programas\cFosSpeed 2010-05-26 00:38 . 2009-10-30 15:25 288472 ------w- c:\windows\system32\cfosspeed.dll 2010-05-24 14:34 . 2010-05-24 14:36 -------- d-----w- C:\ToolBar SD 2010-05-24 14:26 . 2010-05-24 14:26 -------- d-----w- C:\toolb 2010-05-23 23:05 . 2010-05-23 23:05 -------- d-----w- C:\_OTL 2010-05-23 17:48 . 2008-04-13 14:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys 2010-05-23 17:39 . 2010-05-23 17:39 -------- d-----w- c:\arquivos de programas\TD74 Corporation 2010-05-23 17:39 . 2006-09-19 17:26 212992 ----a-w- c:\windows\VMSnap23.exe 2010-05-23 17:39 . 2006-06-28 05:54 49152 ----a-w- c:\windows\Domino.exe 2010-05-23 17:39 . 2006-03-30 23:24 81920 ----a-w- c:\windows\VMCap323.exe 2010-05-23 17:39 . 2010-05-23 17:39 -------- d-----w- c:\windows\CatRoot 2010-05-23 17:39 . 
2007-04-24 14:56 257408 ----a-w- c:\windows\system32\drivers\usbvm323.sys 2010-05-23 16:58 . 2010-05-23 16:58 61440 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b8c2a79-n\decora-sse.dll 2010-05-23 16:58 . 2010-05-23 16:58 12800 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b8c2a79-n\decora-d3d.dll 2010-05-23 16:58 . 2010-05-23 16:58 503808 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\msvcp71.dll 2010-05-23 16:58 . 2010-05-23 16:58 499712 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\jmc.dll 2010-05-23 16:58 . 2010-05-23 16:58 348160 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b79a7b3-n\msvcr71.dll 2010-05-22 12:46 . 2010-05-22 12:46 -------- d-----w- c:\windows\system32\wbem\Repository 2010-05-22 01:49 . 2010-05-22 12:45 -------- d-----w- c:\arquivos de programas\Pryme 2010-05-22 01:47 . 2010-05-22 12:45 -------- d-----w- C:\cmos 2010-05-22 01:25 . 2010-05-22 01:25 -------- d-----w- c:\arquivos de programas\STV 2010-05-09 14:32 . 2010-05-09 22:25 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NCH Swift Sound 2010-05-09 14:32 . 2010-05-09 14:32 -------- d-----w- c:\arquivos de programas\NCH Software 2010-05-09 14:31 . 2010-05-09 22:26 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\NCH Swift Sound 2010-05-09 14:28 . 2010-05-09 14:28 -------- d-----w- c:\arquivos de programas\MIKSOFT 2010-05-07 16:58 . 2010-05-07 16:58 152064 ----a-w- c:\windows\snap.dat 2010-05-07 16:55 . 2010-04-12 20:29 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-01 04:10 . 
2010-05-01 05:43 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\TS3Client 2010-05-01 04:09 . 2010-05-01 04:09 -------- d-----w- c:\arquivos de programas\TeamSpeak 3 Client . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-29 01:14 . 2008-11-15 14:03 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\uTorrent 2010-05-27 23:35 . 2007-06-07 11:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-05-25 23:37 . 2007-05-21 21:11 -------- d-----w- c:\arquivos de programas\Serviços on-line 2010-05-25 12:11 . 2008-11-15 14:03 -------- d-----w- c:\arquivos de programas\uTorrent 2010-05-25 01:55 . 2007-05-21 22:36 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield 2010-05-22 12:46 . 2008-11-05 21:01 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NexonUS 2010-05-22 10:51 . 2009-09-02 12:01 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP 2010-05-22 01:25 . 2007-05-21 22:37 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information 2010-05-19 18:57 . 2010-03-07 03:52 -------- d-----w- c:\arquivos de programas\Full Tilt Poker 2010-05-12 20:51 . 2007-05-23 22:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help 2010-05-12 01:42 . 2008-11-27 23:07 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\LimeWire 2010-05-11 03:09 . 2009-09-22 01:36 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live 2010-05-07 16:55 . 2008-03-08 17:38 -------- d-----w- c:\arquivos de programas\Java 2010-05-01 02:20 . 2007-05-23 22:37 -------- d-----w- c:\arquivos de programas\CCleaner 2010-04-28 14:33 . 2008-10-11 12:19 -------- d-----w- c:\documents and settings\Marcus\Dados de aplicativos\Nokia Multimedia Player 2010-04-28 01:28 . 
2008-11-28 00:03 -------- d-----w- c:\arquivos de programas\LG PC Suite II 2010-04-28 01:05 . 2010-04-28 01:05 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nokia 2010-04-28 01:05 . 2008-10-11 11:01 -------- d-----w- c:\arquivos de programas\Nokia 2010-04-28 01:01 . 2010-04-28 01:01 -------- d-----w- c:\arquivos de programas\Arquivos comuns\PCSuite 2010-04-28 01:00 . 2010-04-28 01:00 -------- d-----w- c:\arquivos de programas\PC Connectivity Solution 2010-04-23 00:57 . 2010-02-25 16:01 26112 ----a-w- c:\windows\system32\drivers\tap0901.sys 2010-04-19 19:50 . 2009-11-04 15:12 -------- d-----w- c:\arquivos de programas\K-Lite Codec Pack 2010-04-16 18:00 . 2010-04-19 19:50 85504 ----a-w- c:\windows\system32\ff_vfw.dll 2010-04-03 19:22 . 2010-04-03 19:22 2336 ----a-w- C:\boot.bat 2010-03-15 09:31 . 2002-10-15 22:54 165376 ----a-w- c:\windows\system32\unrar.dll 2010-03-12 15:05 . 2010-03-12 15:05 503808 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\msvcp71.dll 2010-03-12 15:05 . 2010-03-12 15:05 499712 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\jmc.dll 2010-03-12 15:05 . 2010-03-12 15:05 348160 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43823346-n\msvcr71.dll 2010-03-12 15:05 . 2010-03-12 15:05 61440 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ec352b1-n\decora-sse.dll 2010-03-12 15:05 . 2010-03-12 15:05 12800 ----a-w- c:\documents and settings\Marcus\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ec352b1-n\decora-d3d.dll 2010-03-12 15:04 . 2004-08-04 12:00 79832 ----a-w- c:\windows\system32\perfc016.dat 2010-03-12 15:04 . 2004-08-04 12:00 470730 ----a-w- c:\windows\system32\perfh016.dat 2010-03-10 06:16 . 
2004-08-04 07:45 420352 ----a-w- c:\windows\system32\vbscript.dll 2009-09-04 21:00 . 2009-09-04 21:00 916430 ----a-w- c:\arquivos de programas\Apr2006_MDX1_x86.cab 2008-08-12 00:07 . 2008-07-17 22:49 29806 ----a-w- c:\arquivos de programas\megacubo_log.log 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\arquivos de programas\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\arquivos de programas\mozilla firefox\plugins\ssldivx.dll . ((((((((((((((((((((((((((((( SnapShot_2010-05-26_13.51.01 ))))))))))))))))))))))))))))))))))))))))) . + 2010-05-29 13:58 . 2010-05-29 13:58 16384 c:\windows\Temp\Perflib_Perfdata_378.dat + 2010-05-29 13:58 . 2010-05-29 13:58 16384 c:\windows\Temp\Perflib_Perfdata_1a4.dat + 2004-08-04 07:45 . 2008-04-14 02:20 15360 c:\windows\system32\ctfmon.exe + 2004-08-04 07:45 . 2008-04-14 12:00 509952 c:\windows\system32\winlogon.exe - 2004-08-04 07:45 . 2008-04-14 02:20 579072 c:\windows\system32\user32.dll + 2004-08-04 07:45 . 2008-04-14 12:00 579072 c:\windows\system32\user32.dll + 2004-08-04 07:45 . 2008-04-14 12:00 995328 c:\windows\system32\setupapi.dll + 2004-08-04 07:45 . 2008-04-14 12:00 617472 c:\windows\system32\comctl32.dll + 2010-05-27 23:43 . 2008-04-14 12:00 509952 c:\windows\ServicePackFiles\i386\TS\winlogon.exe + 2010-05-27 23:43 . 2008-04-14 12:00 579072 c:\windows\ServicePackFiles\i386\TS\user32.dll + 2010-05-27 23:43 . 2008-04-14 12:00 995328 c:\windows\ServicePackFiles\i386\TS\setupapi.dll + 2010-05-27 23:43 . 2008-04-14 12:00 617472 c:\windows\ServicePackFiles\i386\TS\comctl32.dll + 2010-05-29 13:52 . 2010-05-29 13:52 442368 c:\windows\ERDNT\AutoBackup\29-05-2010\Users\00000002\UsrClass.dat + 2010-05-29 13:52 . 2005-10-20 15:02 163328 c:\windows\ERDNT\AutoBackup\29-05-2010\ERDNT.EXE + 2010-05-28 13:15 . 2010-05-28 13:15 442368 c:\windows\ERDNT\AutoBackup\28-05-2010\Users\00000002\UsrClass.dat + 2010-05-28 13:15 . 
2005-10-20 15:02 163328 c:\windows\ERDNT\AutoBackup\28-05-2010\ERDNT.EXE + 2004-08-04 07:45 . 2008-04-14 12:00 1003008 c:\windows\system32\syssetup.dll + 2010-05-27 23:43 . 2008-04-14 12:00 1003008 c:\windows\ServicePackFiles\i386\TS\syssetup.dll + 2010-05-27 23:43 . 2008-04-14 12:00 1035776 c:\windows\ServicePackFiles\i386\TS\explorer.exe + 2004-08-04 07:45 . 2008-04-14 12:00 1035776 c:\windows\explorer.exe + 2010-05-29 13:52 . 2010-05-29 13:52 9531392 c:\windows\ERDNT\AutoBackup\29-05-2010\Users\00000001\ntuser.dat + 2010-05-28 13:15 . 2010-05-28 13:15 9523200 c:\windows\ERDNT\AutoBackup\28-05-2010\Users\00000001\ntuser.dat . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ipTray.exe"="c:\arquivos de programas\Intel\IDU\iptray.exe" [2006-12-28 2242328] "nwiz"="c:\arquivos de programas\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016] "OutpostMonitor"="c:\arquiv~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464] "OutpostFeedBack"="c:\arquivos de programas\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032] "avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2009-11-11 417792] "AppleSyncNotifier"="c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" 
[2009-08-13 177440] "iTunesHelper"="c:\arquivos de programas\iTunes\iTunesHelper.exe" [2010-02-15 141608] "SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040] "NSLauncher"="c:\arquivos de programas\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 3096576] "SigmatelSysTrayApp"="sttray.exe" [2006-05-26 282624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Marcus\Menu Iniciar\Programas\Inicializar\ ERUNT AutoBackup.lnk - c:\arquivos de programas\ERUNT\AUTOBACK.EXE [2005-10-20 38912] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "HonorAutoRunSetting"= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"= 1 (0x1) "HonorAutoRunSetting"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk] backup=c:\windows\pss\Orbit.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Marcus^Menu Iniciar^Programas^Inicializar^hamachi.lnk] backup=c:\windows\pss\hamachi.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Marcus^Menu Iniciar^Programas^Inicializar^Recorte de tela e Iniciador do OneNote 2007.lnk] backup=c:\windows\pss\Recorte de tela e Iniciador do OneNote 2007.lnkStartup 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3] 2010-03-29 17:54 2343120 ----a-w- c:\arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] 2009-08-13 17:51 177440 ----a-w- c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 02:20 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite] 2008-07-24 15:02 490952 ----a-w- c:\arquivos de programas\DAEMON Tools Lite\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] 2008-10-25 13:44 31072 ----a-w- c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint] 2006-07-07 23:15 600896 ----a-w- c:\arquivos de programas\Microsoft IntelliPoint\ipoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] 2005-08-12 08:30 81920 ----a-w- c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-02-15 21:07 141608 ----a-w- c:\arquivos de programas\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype] 2006-07-07 23:14 576320 ----a-w- c:\arquivos de programas\Microsoft IntelliType Pro\itype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] 2009-07-26 18:44 3883840 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2009-07-14 16:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Openwares LiveUpdate] 2003-12-13 17:17 61440 ----a-w- c:\program files\LIVEUPDATE\LiveUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-11-11 01:08 417792 ----a-w- c:\arquivos de programas\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" -atboottime [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Arquivos de programas\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"= "c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"= "c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"= "c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe "c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe "c:\\Nexon\\Combat Arms\\NMService.exe"= "c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"= "c:\\Arquivos de programas\\MegaJogos\\jre\\jre\\bin\\javaw.exe"= "c:\\Arquivos de programas\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"= "c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"= "c:\\Arquivos de programas\\TeamViewer\\Version5\\TeamViewer.exe"= "c:\\Arquivos de programas\\iTunes\\iTunes.exe"= "c:\\Arquivos de 
programas\\Megacubo\\megacubo.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "56458:TCP"= 56458:TCP:Pando Media Booster "56458:UDP"= 56458:UDP:Pando Media Booster "56911:TCP"= 56911:TCP:Pando Media Booster "56911:UDP"= 56911:UDP:Pando Media Booster R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/01/2010 11:23 130936] R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [03/11/2009 20:52 704384] R2 acssrv;Agnitum Client Security Service;c:\arquiv~1\Agnitum\OUTPOS~1\acs.exe [03/11/2009 20:49 1195008] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [12/01/2010 13:31 108289] R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [03/11/2009 20:49 31128] R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [03/11/2009 20:52 257432] R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/06/2002 00:09 31232] S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/11/2008 11:26 717296] S2 gupdate1ca7415f53b919c;Google Update Service (gupdate1ca7415f53b919c);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [03/12/2009 09:41 133104] S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys --> c:\windows\system32\DRIVERS\3xHybrid.sys [?] 
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys [21/05/2007 19:50 14074] S3 GarenaPEngine;GarenaPEngine; [x] S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [22/10/2009 10:45 31908] S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [27/11/2008 21:05 83584] S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [27/11/2008 21:05 14976] S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [27/11/2008 21:05 110464] S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [27/11/2008 21:05 100480] S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?] S3 PhTVTune;ENCORE TV Tuner Pro PCI Adapter;c:\windows\system32\drivers\PhTVTune.sys [18/08/2007 15:24 28480] S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [11/01/2010 08:28 27064] S3 sdAuxService;PC Tools Auxiliary Service;c:\arquivos de programas\Spyware Doctor\pctsAuxs.exe [19/01/2010 11:23 348752] S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [25/01/2008 06:12 25088] . Conteúdo da pasta 'Tarefas Agendadas' 2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34] 2010-05-29 c:\windows\Tasks\AWC AutoSweep.job - c:\arquivos de programas\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-09-02 17:11] 2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-12-03 12:41] 2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-12-03 12:41] 2010-05-29 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 18:07] . . ------- Scan Suplementar ------- . 
mWindow Title = uInternet Settings,ProxyOverride = local IE: &Clean Traces IE: &Download with &DAP IE: Download &all with DAP IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000 DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab FF - ProfilePath - c:\documents and settings\Marcus\Dados de aplicativos\Mozilla\Firefox\Profiles\mnctdmk7.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://thefreevpn.com/home.php FF - prefs.js: keyword.URL - hxxp://br.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_br&p= FF - prefs.js: network.proxy.http - localhost FF - prefs.js: network.proxy.http_port - 9666 FF - prefs.js: network.proxy.socks - localhost FF - prefs.js: network.proxy.socks_port - 9050 FF - prefs.js: network.proxy.ssl - localhost FF - prefs.js: network.proxy.ssl_port - 9666 FF - prefs.js: network.proxy.type - 1 FF - component: c:\documents and settings\Marcus\Dados de aplicativos\Mozilla\Firefox\Profiles\mnctdmk7.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: browser.cache.memory.capacity - 65536 FF - user.js: browser.chrome.favicons - false FF - user.js: browser.display.show_image_placeholders - true FF - user.js: browser.turbo.enabled - true FF - user.js: browser.urlbar.autocomplete.enabled - true FF - user.js: browser.urlbar.autofill - true FF - user.js: content.interrupt.parsing - true FF - user.js: content.max.tokenizing.time - 2250000 FF - user.js: content.notify.backoffcount - 5 FF - user.js: content.notify.interval - 750000 FF - user.js: content.notify.ontimer - true FF - 
user.js: content.switch.threshold - 750000 FF - user.js: network.http.max-connections - 48 FF - user.js: network.http.max-connections-per-server - 16 FF - user.js: network.http.max-persistent-connections-per-proxy - 16 FF - user.js: network.http.max-persistent-connections-per-server - 8 FF - user.js: network.http.pipelining - true FF - user.js: network.http.pipelining.firstrequest - true FF - user.js: network.http.pipelining.maxrequests - 8 FF - user.js: network.http.proxy.pipelining - true FF - user.js: network.http.request.max-start-delay - 0 FF - user.js: nglayout.initialpaint.delay - 0 FF - user.js: plugin.expose_full_path - true FF - user.js: ui.submenuDelay - 0 c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-29 11:07 Windows 5.1.2600 Service Pack 3 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** . 
--------------------- CHAVES DO REGISTRO BLOQUEADAS --------------------- [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar0] "BarID"=dword:0000e81b "Bars"=dword:00000003 "Bar#0"=dword:00000000 "Bar#1"=dword:0000e800 "Bar#2"=dword:00000000 [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar1] "BarID"=dword:0000e81c "Bars"=dword:00000004 "Bar#0"=dword:00000000 "Bar#1"=dword:0000e807 "Bar#2"=dword:0000e806 "Bar#3"=dword:00000000 [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar2] "BarID"=dword:0000e800 "XPos"=dword:fffffffe "YPos"=dword:fffffffe "Docking"=dword:00000001 "MRUDockID"=dword:00000000 "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:fffffffe "MRUDockRightPos"=dword:000001f5 "MRUDockBottomPos"=dword:00000036 "MRUFloatStyle"=dword:00002000 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar3] "BarID"=dword:0000e806 "XPos"=dword:fffffffe "YPos"=dword:00000141 "Docking"=dword:00000001 "MRUDockID"=dword:0000e81c "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:00000141 "MRUDockRightPos"=dword:000000c6 "MRUDockBottomPos"=dword:00000287 "MRUFloatStyle"=dword:00002004 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd [HKEY_USERS\S-1-5-21-1078081533-1409082233-725345543-1006\Software\10Moons\þV * *Gr * *Om * *ȉ * *hV *\Bars\Settings-Bar4] "BarID"=dword:0000e807 "XPos"=dword:fffffffe "YPos"=dword:fffffffe "Docking"=dword:00000001 "MRUDockID"=dword:00000000 "MRUDockLeftPos"=dword:fffffffe "MRUDockTopPos"=dword:fffffffe "MRUDockRightPos"=dword:000000c6 "MRUDockBottomPos"=dword:00000143 "MRUFloatStyle"=dword:00002004 "MRUFloatXPos"=dword:80000000 "MRUFloatYPos"=dword:cdcdcdcd 
DigRam Posted May 29, 2010

Good afternoon! .matiello

<!> Do you still have any product/software from this company? (10moons)

<!> < 10moons Technology Development Co.,Ltd >

<!> Apparently its presence on the PC also extends to malicious activity. Probably a Hijacker.

<!> Other than that, your log is clean!

Cheers!

.matiello Posted May 29, 2010

I don't know this 10moons.

DigRam Posted May 30, 2010

Quote: "I don't know this 10moons."

Hey! .matiello

<!> How is the computer? Everything OK?

<@> Go to Start --> Run --> Type or paste: combofix.exe /uninstall --> Click OK.

<@> The following window will open: (Abrir arquivo - Aviso de Segurança)

<@> Click Run --> Wait!

<@> Finally, the message will appear: "ComboFix está desinstalado" --> Click OK.

<@> If you find them, delete: C:\ComboFix <-- The folder! + C:\ComboFix.txt <-- The report!

<@> Or go to Start --> Run --> Type or paste: "%userprofile%\desktop\combofix" /uninstall

<@> Click OK.

<!> Good job! :)

Cheers!

.matiello Posted May 30, 2010

Everything is OK with the PC. ComboFix uninstalled.

DigRam Posted May 30, 2010

PROBLEM SOLVED! If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.