EDSSX
Posted May 1, 2010

Good afternoon!

Persistent rootkits and trojan.Agent.Gen, heavily camouflaged, keep dodging me on the system. Here is the HijackThis v2.0.4 log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:07:17, on 1/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
D:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
D:\Arquivos de programas\CursorXP\CursorXP.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
D:\Arquivos de programas\Java\jre6\bin\jqs.exe
D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
D:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
D:\Arquivos de programas\Mozilla Firefox\firefox.exe
D:\Documents and Settings\edsom luis\Meus documentos\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "D:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CursorXP] D:\Arquivos de programas\CursorXP\CursorXP.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\wbsys.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Arquivos de programas\Java\jre6\bin\jqs.exe

-- End of file - 3994 bytes

Thanks and regards
DigRam
Posted May 2, 2010

Good evening, EDSSX!

"Persistent rootkits and trojan.Agent.Gen, heavily camouflaged, keep dodging me on the system."

<!> Have you actually confirmed the presence of rootkits?

<@> Download: < gmer.zip >
<@> Save it to the local disk (D) and unzip it right there, in its own folder. (D:\gmer.exe)
<@> Note: see the image:
<@> By default, the D:\ and Show All boxes will be unchecked.
<@> If you also have that drive, you can check the D:\ box.
<@> Close every program that is open and click Scan. <-- Wait!
<@> Allow gmer.sys to run if you are asked.
<@> If the message appears, click No!
<@> Confirm the rootkit investigation if you get that prompt.
<@> When it finishes you may get another warning about rootkit activity; click OK.
<@> Finally, finish by clicking "Save...".
<@> Use as "File name": Gmer.log
<@> Under "Save in:", choose the Desktop! --> Click "Save" --> OK.
<@> Post in your reply: Gmer.log + an updated HijackThis log.

Regards!
EDSSX
Posted May 2, 2010

Good late afternoon, DigRam!

Yes, because when the system starts the Avira umbrella shows as closed, even with the Guard enabled; sometimes it opens on its own, other times I have to disable the Guard and enable it again for the umbrella to show as open. And Avira AntiRootkit is not opening. See this screenshot; I even clicked OK (that was the only option shown).

Red items in GMER: are these the rootkits?

D:\Arquivos (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x01E40000
D:\Arquivos (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x02D90000
D:\WINDOWS\system32\txmlutil.dll (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x02660000
D:\Arquivos (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x026E0000
D:\Arquivos (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x027C0000

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-02 18:32:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\pxtdapoc.sys

---- System - GMER 1.0.15 ----

SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwAllocateVirtualMemory [0xF746FD02]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwAssignProcessToJobObject [0xF747006E]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwConnectPort [0xF747123C]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwCreateFile [0xF7470A52]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwCreateKey [0xF74716A6]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwCreateProcess [0xF74701B8]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwCreateProcessEx [0xF747023A]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwCreateSection [0xF7470876]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwCreateThread [0xF746F904]
SSDT F83A34F3 ZwDeleteKey
SSDT F83A34FD ZwDeleteValueKey
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwDeviceIoControlFile [0xF74717A6]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwDuplicateObject [0xF747428C]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwFsControlFile [0xF74718E4]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwLoadDriver [0xF74721F6]
SSDT F83A3502 ZwLoadKey
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwOpenFile [0xF7470966]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwOpenProcess [0xF7473FDE]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwOpenSection [0xF7470796]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwOpenThread [0xF747410C]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwProtectVirtualMemory [0xF746FC00]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwQueueApcThread [0xF7470110]
SSDT F83A350C ZwReplaceKey
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwRequestPort [0xF74712CC]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwRequestWaitReplyPort [0xF7471088]
SSDT F83A3507 ZwRestoreKey
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwSecureConnectPort [0xF7471456]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwSetContextThread [0xF746F9F4]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwSetSystemInformation [0xF746FE06]
SSDT F83A34F8 ZwSetValueKey
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwSuspendProcess [0xF746FB62]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwSuspendThread [0xF746FAC4]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwSystemDebugControl [0xF746FFCC]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwTerminateProcess [0xF7473F4E]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwTerminateThread [0xF747439A]
SSDT \??\D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys ZwWriteVirtualMemory [0xF746F802]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [62, FB, 46, F7, C4, FA, 46, ...]
? D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Firewall\bdftdif.sys O sistema não pode encontrar o arquivo especificado. !
? system32\drivers\bdfsfltr.sys O sistema não pode encontrar o caminho especificado. !
? D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys O sistema não pode encontrar o arquivo especificado. !
? system32\drivers\bdfm.sys O sistema não pode encontrar o caminho especificado. !
? system32\drivers\BDHV.SYS O sistema não pode encontrar o caminho especificado. !
? D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner\profos.sys O sistema não pode encontrar o arquivo especificado. !
? D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner\trufos.sys O sistema não pode encontrar o arquivo especificado. !
? System32\Drivers\d1c20812.sys O sistema não pode encontrar o caminho especificado. !
---- User code sections - GMER 1.0.15 ----

.text D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe[328] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 012C1080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe[328] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 012C1120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe[328] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 012C1030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\WINDOWS\Explorer.EXE[1724] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 10001080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\WINDOWS\Explorer.EXE[1724] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 10001120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\WINDOWS\Explorer.EXE[1724] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 10001030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para gmer.zip\gmer.exe[2304] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 10001080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para gmer.zip\gmer.exe[2304] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 10001120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para gmer.zip\gmer.exe[2304] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 10001030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe[2616] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 015B1080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe[2616] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 015B1120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe[2616] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 015B1030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\firefox.exe[3264] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 D:\Arquivos de programas\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text D:\Arquivos de programas\Mozilla Firefox\firefox.exe[3264] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 030E1080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\firefox.exe[3264] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 030E1120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\firefox.exe[3264] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 030E1030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat trufos.sys

---- Processes - GMER 1.0.15 ----

Library D:\Arquivos (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x01E40000
Library D:\Arquivos (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x02D90000
Library D:\WINDOWS\system32\txmlutil.dll (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x02660000
Library D:\Arquivos (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x026E0000
Library D:\Arquivos (*** hidden *** ) @ D:\WINDOWS\Explorer.EXE [1724] 0x027C0000

---- Registry - GMER 1.0.15 ----

[Registry section omitted: a long listing of Windows Live installer, softphone dialer and Xceed COM class registration keys.]

---- EOF - GMER 1.0.15 ----

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:36:03, on 2/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
D:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
D:\Arquivos de programas\CursorXP\CursorXP.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
D:\Arquivos de programas\Java\jre6\bin\jqs.exe
D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
D:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Arquivos de programas\Mozilla Firefox\firefox.exe
D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para gmer.zip\gmer.exe
D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\edsom luis\Meus documentos\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "D:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CursorXP] D:\Arquivos de programas\CursorXP\CursorXP.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\wbsys.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Arquivos de programas\Java\jre6\bin\jqs.exe

-- End of file - 4249 bytes

Thanks and regards
DigRam
Posted May 3, 2010

Good evening, EDSSX!

<!> Note: the GMER detections were not conclusive!

<@> Download: < >
<!> Link-2 < RootRepeal.zip >
<!> Link-3 < RootRepeal.zip >
<@> Unzip it to the desktop.
<@> Open the program and click "Report" --> "Scan" < >
<@> Check the 7 boxes at the top. --> Click OK.
<@> Next, choose your drive. (C:\ or D:\) --> OK.
<@> Start the scan and, when it finishes, click "Save Report" < >
<@> Save it with the name: "RootRepeal.txt" <-- Report! <-- Post it!

Regards!
EDSSX
Posted May 3, 2010

Good evening, DigRam!

Here is the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/02 22:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: bdfm.sys
Image Path: D:\WINDOWS\system32\drivers\bdfm.sys
Address: 0xF6BB8000 Size: 145792 File Visible: No Signed: -
Status: -

Name: bdfsfltr.sys
Image Path: D:\WINDOWS\system32\drivers\bdfsfltr.sys
Address: 0xF6E9D000 Size: 282880 File Visible: No Signed: -
Status: -

Name: bdftdif.sys
Image Path: D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Firewall\bdftdif.sys
Address: 0xF7ED2000 Size: 112640 File Visible: No Signed: -
Status: -

Name: BDHV.SYS
Image Path: D:\WINDOWS\system32\drivers\BDHV.SYS
Address: 0xF6B9F000 Size: 102400 File Visible: No Signed: -
Status: -

Name: bdselfpr.sys
Image Path: D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys
Address: 0xF746D000 Size: 64512 File Visible: No Signed: -
Status: -

Name: d1c20812.sys
Image Path: D:\WINDOWS\System32\Drivers\d1c20812.sys
Address: 0xF6A8B000 Size: 143744 File Visible: No Signed: -
Status: -

Name: profos.sys
Image Path: D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner\profos.sys
Address: 0xF6B4F000 Size: 14720 File Visible: No Signed: -
Status: -

Name: pxtdapoc.sys
Image Path: D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\pxtdapoc.sys
Address: 0xF6883000 Size: 93056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF748D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: trufos.sys
Image Path: D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner\trufos.sys
Address: 0xF7CD2000 Size: 39808 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: d:\documents and settings\edsom luis\meus documentos\salvação..bkf
Status: Allocation size mismatch (API: 4294967295, Raw: 0)

Path: d:\documents and settings\edsom luis\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\places.sqlite
Status: Allocation size mismatch (API: 1277952, Raw: 262144)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_001_
Status: Allocation size mismatch (API: 2621440, Raw: 1933312)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_002_
Status: Allocation size mismatch (API: 4259840, Raw: 3440640)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_003_
Status: Allocation size mismatch (API: 6389760, Raw: 5996544)

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746fd02

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf747006e

#: 031 Function Name: NtConnectPort
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf747123c

#: 037 Function Name: NtCreateFile
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7470a52

#: 041 Function Name: NtCreateKey
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf74716a6

#: 047 Function Name: NtCreateProcess
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf74701b8

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf747023a

#: 050 Function Name: NtCreateSection
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7470876

#: 053 Function Name: NtCreateThread
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f904

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf83a34f3

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf83a34fd

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf74717a6

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf747428c

#: 084 Function Name: NtFsControlFile
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf74718e4

#: 097 Function Name: NtLoadDriver
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf74721f6

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf83a3502

#: 116 Function Name: NtOpenFile
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7470966

#: 122 Function Name: NtOpenProcess
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7473fde

#: 125 Function Name: NtOpenSection
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7470796

#: 128 Function Name: NtOpenThread
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf747410c

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746fc00

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7470110

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf83a350c

#: 199 Function Name: NtRequestPort
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf74712cc

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7471088

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf83a3507

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7471456

#: 213 Function Name: NtSetContextThread
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f9f4

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746fe06

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf83a34f8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746fb62

#: 254 Function Name: NtSuspendThread
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746fac4

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746ffcc

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf7473f4e

#: 258 Function Name: NtTerminateThread
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf747439a

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f802

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by
"D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f5e2 #: 347 Function Name: NtUserDdeSetQualityOfService Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f576 #: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f534 #: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f3f6 #: 416 Function Name: NtUserGetKeyState Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f3b0 #: 460 Function Name: NtUserMessageCall Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f132 #: 475 Function Name: NtUserPostMessage Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746efbc #: 476 Function Name: NtUserPostThreadMessage Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f010 #: 491 Function Name: NtUserRegisterRawInputDevices Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746f190 #: 502 Function Name: NtUserSendInput Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746ef82 #: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746e90e #: 552 Function Name: NtUserSetWinEventHook Status: Hooked by "D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xf746ec3c ==EOF== Aproveitando esta oportunidade ref. à malwares,fineza ler ref. 
autorun.inf : http://forum.imasters.com.br/index.php?/topic/393173-testando-bitdefender-free-2010/ Abraços Compartilhar este post Link para o post Compartilhar em outros sites
DigRam, posted May 3, 2010

Good morning, EDSSX!

<!> As an experiment, uninstall the suite: D:\Arquivos de programas\BitDefender <--
<!> PS: You already have Avira....

<@> Submit the file below for analysis at: < VirSCAN.org >
<!> D:\WINDOWS\System32\Drivers\d1c20812.sys
<@> Click "Enviar arquivo..." (Send file...).
<@> Once you have located the file on your PC, click "Upload" --> Wait!
<@> In the message, click: "Verificar novamente" (Check again)
<@> When it finishes, copy and send us the link to the report.
<@> Example: the file NodeRefresh.dll was checked, and the link to its report follows below:
<@> Link: --> < >

<@> Download: < > ( ...by OldTimer Tools )
<@> Save it to the desktop and run it from there!

:Processes
explorer.exe
:Files
D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\pxtdapoc.sys
:Services
pxtdapoc
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

<@> Copy and paste this information, shown in the Quote, into the tool's ( clipboard ) field.
<@> PS: The area below "Paste Instructions for Items to be Moved".
<@> Click MoveIt.
<@> When prompted to reboot, confirm! --> Wait!
<@> When it finishes, check the text contents of the folder: C:\_OTM\MovedFiles
<@> Copy and post your most recent report: C:\_OTM\MovedFiles\xxxx2010_xxxxxx.log <--

Regards!
EDSSX, posted May 3, 2010

Good evening, DigRam!

Yes, I also noticed many hidden BitDefender directories in the ROOTREPEAL log; the strange thing is that I had already removed BitDefender at around 19:00 yesterday. Did you read my first two posts in the topic http://forum.imasters.com.br/index.php?/topic/393173-testando-bitdefender-free-2010/ ? To back this up, I am posting the DDS log below.

The directory D:\WINDOWS\System32\Drivers\d1c20812.sys no longer exists on the system, according to the dialog box that opens when I try to send the file.

Here is the OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\pxtdapoc.sys not found.
========== SERVICES/DRIVERS ==========
Error: No service named pxtdapoc was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pxtdapoc deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33172 bytes

User: edsom luis
->Temp folder emptied: 1830177 bytes
->Temporary Internet Files folder emptied: 49420 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 67631209 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 661 bytes

User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 66,00 mb

OTM by OldTimer - Version 3.1.11.0 log created on 05022010_233317

Here is the DDS log:

DDS (Ver_09-12-01.01) - FAT32x86
Run by edsom luis at 23:44:20,01 on dom 02/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.167 [GMT -3:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
D:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
D:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
D:\Arquivos de programas\CursorXP\CursorXP.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
D:\Arquivos de programas\Java\jre6\bin\jqs.exe
D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
D:\Arquivos de programas\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Documents and Settings\edsom luis\Meus documentos\Downloads\dds.scr

============== Pseudo HJT Report ===============

mWindow Title =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - d:\arquivos de programas\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CursorXP] d:\arquivos de programas\cursorxp\CursorXP.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "d:\arquivos de programas\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "d:\arquivos de programas\arquivos comuns\adobe\arm\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "d:\arquivos de programas\arquivos comuns\java\java update\jusched.exe"
mRun: [avgnt] "d:\arquivos de programas\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: NoRealMode = 0 (0x0)
uPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: NoUpdateCheck = 0 (0x0)
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xportar para o Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
AppInit_DLLs: d:\windows\system32\wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\edsoml~1\dadosd~1\mozilla\firefox\profiles\izozpjim.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/webhp?hl=pt-BR
FF - component: d:\documents and settings\edsom luis\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: d:\arquivos de programas\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\documents and settings\edsom luis\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-9-11 64160]
R1 avgio;avgio;d:\arquivos de programas\avira\antivir desktop\avgio.sys [2010-4-20 11608]
R1 VBoxDrv;VirtualBox Service;d:\windows\system32\drivers\VBoxDrv.sys [2009-9-18 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;d:\windows\system32\drivers\VBoxUSBMon.sys [2009-9-18 41424]
R2 713xTVCard;SAA7131 TV Card;d:\windows\system32\drivers\SAA713x.sys [2005-3-15 277504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\arquivos de programas\avira\antivir desktop\sched.exe [2010-4-20 135336]
R2 AntiVirService;Avira AntiVir Guard;d:\arquivos de programas\avira\antivir desktop\avguard.exe [2010-4-20 267432]
R2 avgntflt;avgntflt;d:\windows\system32\drivers\avgntflt.sys [2010-4-20 60936]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;d:\windows\system32\drivers\VBoxNetAdp.sys [2009-9-18 91856]
R3 VBoxNetFlt;VBoxNetFlt Service;d:\windows\system32\drivers\VBoxNetFlt.sys [2009-9-9 100368]
R3 xpvcom;XPVCOM Port;d:\windows\system32\drivers\XPVCOM.sys [2007-3-23 30032]
S0 GbpKm;Gbp KernelMode;d:\windows\system32\drivers\GbpKm.sys [2009-4-18 26568]
S3 RegGuard;RegGuard;d:\windows\system32\drivers\regguard.sys [2009-9-17 29584]
S3 rootrepeal;rootrepeal;\??\d:\windows\system32\drivers\rootrepeal.sys --> d:\windows\system32\drivers\rootrepeal.sys [?]
S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [2009-4-14 30136]

=============== Created Last 30 ================

2010-05-03 02:33:17 0 d-----w- D:\_OTM
2010-05-03 01:06:39 0 ----a-w- d:\documents and settings\edsom luis\settings.dat
2010-05-02 21:04:24 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 21:04:21 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-05-02 20:53:20 0 d-----w- d:\arquivos de programas\navilog1
2010-05-02 20:45:41 69046 ----a-w- D:\BdUninstallTool2010.05.02-05.45.40.reg
2010-05-02 15:15:19 52 ----a-w- d:\windows\system32\ashttpstats.csv
2010-04-30 00:45:56 0 d-----w- d:\windows\system32\wbem\Repository
2010-04-29 23:16:40 54624 ----a-w- d:\windows\system32\9877.sys
2010-04-29 23:16:08 2335270 ----a-w- d:\windows\system32\0fc6.mht
2010-04-29 22:42:56 2335270 ----a-w- d:\windows\system32\0e81A.mht
2010-04-29 22:09:41 3968 ----a-w- d:\windows\system32\drivers\AvgArCln.sys
2010-04-29 21:41:55 0 d-----w- D:\_OTL
2010-04-26 22:45:09 0 d-----w- d:\arquivos de programas\Yahoo!
2010-04-25 17:52:09 0 d--h--w- d:\windows\NiwradSoft Shell Pack
2010-04-24 20:13:19 0 d-----w- d:\windows\speech
2010-04-22 23:54:53 0 d-----w- d:\arquivos de programas\Malwarebytes' Anti-Malware
2010-04-22 23:41:42 171912 ----a-w- D:\BdUninstallTool2010.04.22-08.41.42.reg
2010-04-22 18:28:47 345600 ------w- d:\windows\system32\dllcache\mspaint.exe
2010-04-22 16:16:42 0 d-sha-r- D:\autorun.inf
2010-04-22 15:34:59 28552 ----a-w- d:\windows\system32\drivers\pavboot.sys
2010-04-22 13:45:34 0 d---a-w- D:\Navilog1
2010-04-22 02:41:30 3 ----a-w- d:\windows\rrxx.dll
2010-04-22 02:19:35 0 d-sh--w- D:\Recycled
2010-04-22 02:11:17 98816 ----a-w- d:\windows\sed.exe
2010-04-21 18:09:36 0 d-----w- D:\Lop SD
2010-04-20 21:57:49 5760054 ----a-w- d:\windows\AW_1600x1200.bmp
2010-04-20 15:39:15 0 d-----w- d:\docume~1\edsoml~1\dadosd~1\Avira
2010-04-20 15:35:16 60936 ----a-w- d:\windows\system32\drivers\avgntflt.sys
2010-04-20 15:35:14 0 d-----w- d:\docume~1\alluse~1\dadosd~1\Avira
2010-04-20 15:35:14 0 d-----w- d:\arquivos de programas\Avira
2010-04-18 21:13:09 3932214 ----a-w- d:\windows\AW_XenoMorph1280.bmp
2010-04-18 20:27:53 64 ----a-w- d:\windows\wb.ini
2010-04-18 20:27:53 0 d-----w- d:\arquivos de programas\arquivos comuns\Stardock
2010-04-18 00:33:59 73728 ----a-w- d:\windows\system32\javacpl.cpl
2010-04-18 00:33:59 411368 ----a-w- d:\windows\system32\deployJava1.dll
2010-04-17 17:51:02 0 d-----w- d:\windows\Crystal
2010-04-17 17:40:07 0 d-----w- D:\APTDatabase
2010-04-05 00:25:42 0 d-----w- d:\docume~1\edsoml~1\dadosd~1\Software Informer
2010-04-05 00:25:29 0 d--h--w- d:\documents and settings\edsom luis\Recent(8)
2010-04-04 19:14:32 0 d-----w- d:\arquivos de programas\arquivos comuns\Apple

==================== Find3M ====================

2010-05-03 02:35:22 12 ----a-w- d:\windows\system32\drivers\IncompleteBoot.cnt
2010-04-25 21:25:08 219648 ----a-w- d:\windows\system32\uxtheme.dll
2010-04-04 16:04:58 537842 ----a-w- D:\HaxFix.exe
2010-03-19 21:05:50 4874240 ----a-w- d:\windows\system32\dllcache\wmp.dll
2010-03-12 21:02:40 261632 ----a-w- d:\windows\PEV.exe
2010-03-10 06:16:48 420352 ----a-w- d:\windows\system32\vbscript.dll
2010-03-10 06:16:48 420352 ----a-w- d:\windows\system32\dllcache\vbscript.dll
2010-03-04 01:54:22 80630 ----a-w- d:\windows\system32\perfc016.dat
2010-03-04 01:54:22 471828 ----a-w- d:\windows\system32\perfh016.dat
2010-02-25 14:47:48 11070976 ----a-w- d:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- d:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:57:24 173056 ----a-w- d:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 17:07:18 2354304 ----a-w- d:\windows\system32\ntoskrnl.exe
2010-02-17 17:07:18 2354304 ----a-w- d:\windows\system32\dllcache\ntoskrnl.exe
2010-02-17 04:06:58 126976 ----a-w- d:\windows\MSKeyStoreJNI.dll
2010-02-16 19:07:16 2231168 ----a-w- d:\windows\system32\ntkrnlpa.exe
2010-02-16 19:07:16 2231168 ----a-w- d:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 19:07:12 2150400 ------w- d:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 19:07:12 2028544 ------w- d:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:34:56 100864 ----a-w- d:\windows\system32\6to4svc.dll
2010-02-12 04:34:56 100864 ------w- d:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:16 226880 ------w- d:\windows\system32\dllcache\tcpip6.sys
2010-02-08 11:23:12 7725 ----a-w- d:\windows\system32\tcpip.reg
2010-02-02 12:27:42 3132 ----a-w- d:\windows\system32\Service_GoogleDesktopManager-060409-093314.reg.dat
2010-02-02 12:27:42 2404 ----a-w- d:\windows\system32\Service_pxkbf.reg.dat
2010-02-02 12:27:42 2380 ----a-w- d:\windows\system32\Service_CMC AntiRootkit Service.reg.dat
2010-02-02 12:27:42 2012 ----a-w- d:\windows\system32\Service_KProcWatch.reg.dat
2009-12-01 18:16:32 38338 ------w- d:\arquivos de programas\Uninst.isu
2009-11-27 21:47:52 218 ------w- d:\arquivos de programas\arquivos comuns\operaprefs_default.ini
2009-11-20 22:11:28 15828 ------w- d:\arquivos de programas\arquivos comuns\license.rtf
2009-11-20 22:01:18 832296 ------w- d:\arquivos de programas\arquivos comuns\opera.exe
2009-11-20 22:01:16 4450088 ------w- d:\arquivos de programas\arquivos comuns\opera.dll
2009-11-20 22:00:42 20480 ------w- d:\arquivos de programas\arquivos comuns\OUniAnsi.dll
2009-11-20 22:00:24 653419 ------w- d:\arquivos de programas\arquivos comuns\encoding.bin
2009-11-13 21:19:06 2320 ------w- d:\arquivos de programas\arquivos comuns\operadef6.ini
2009-08-19 08:39:36 330 ------w- d:\arquivos de programas\setup.ini
2009-07-10 06:20:00 621546 ----a-w- d:\arquivos de programas\arquivos comuns\ACIHELP.HLP.vir
2009-07-10 06:20:00 3219 ----a-w- d:\arquivos de programas\arquivos comuns\Acihelp.cnt.vir
2009-06-17 17:41:58 3870 ----a-w- d:\arquivos de programas\arquivos comuns\lngcode.txt.vir
2008-06-09 13:17:20 301 ----a-w- d:\arquivos de programas\arquivos comuns\c3nform.vxml.vir
2004-02-26 16:35:04 7904 ------w- d:\arquivos de programas\arquivos comuns\html40_entities.dtd
2002-03-11 09:06:30 1822520 ------w- d:\arquivos de programas\instmsiw.exe
2002-03-11 08:45:04 1708856 ------w- d:\arquivos de programas\instmsia.exe
2009-01-21 15:39:44 32768 --sha-w- d:\windows\system32\config\systemprofile\configurações locais\histórico\history.ie5\mshist012009012120090122\index.dat
2009-09-11 17:30:12 245760 --sha-w- d:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-11-24 09:18:56 32 --sha-w- d:\windows\system32\drivers\fidbox.dat
2009-03-08 17:09:26 638816 --sha-w- d:\windows\niwradsoft shell pack\backup\iexplore.exe
2008-04-14 03:21:24 73728 --sha-w- d:\windows\niwradsoft shell pack\backup\wmplayer.exe

============= FINISH: 23:45:40,51 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 19/9/2007 10:51:37
System Uptime: 5/2/2010 23:35:08 (2064 hours ago)

Motherboard: ECS | | M825G
Processor: AMD Sempron 2400+ | Socket-A | 1668/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 17 GiB total, 9,516 GiB free.
D: is FIXED (FAT32) - 59 GiB total, 38,957 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: RADEON 9200 PRO Family (Microsoft Corporation)
Device ID: PCI\VEN_1002&DEV_5960&SUBSYS_061018BC&REV_01\4&1FEB96E4&0&0008
Manufacturer: ATI Technologies Inc.
Name: RADEON 9200 PRO Family (Microsoft Corporation)
PNP Device ID: PCI\VEN_1002&DEV_5960&SUBSYS_061018BC&REV_01\4&1FEB96E4&0&0008
Service: ati2mtag

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: RADEON 9200 PRO SEC Family (Microsoft Corporation)
Device ID: PCI\VEN_1002&DEV_5940&SUBSYS_061118BC&REV_01\4&1FEB96E4&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON 9200 PRO SEC Family (Microsoft Corporation)
PNP Device ID: PCI\VEN_1002&DEV_5940&SUBSYS_061118BC&REV_01\4&1FEB96E4&0&0108
Service: ati2mtag

Class GUID:
Description:
Device ID: STREAM\7131TVTUNER\4&2164E342&0&0
Manufacturer:
Name:
PNP Device ID: STREAM\7131TVTUNER\4&2164E342&0&0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Controlador de comunicação PCI simples
Device ID: PCI\VEN_1106&DEV_3068&SUBSYS_4C211543&REV_80\3&61AAA01&0&8E
Manufacturer:
Name: Controlador de comunicação PCI simples
PNP Device ID: PCI\VEN_1106&DEV_3068&SUBSYS_4C211543&REV_80\3&61AAA01&0&8E
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VirtualBox Bridged Networking Driver Miniport
Device ID: ROOT\SUN_VBOXNETFLTMP\0004
Manufacturer: Sun Microsystems, Inc.
Name: WAN Miniport (PPTP) - VirtualBox Bridged Networking Driver Miniport
PNP Device ID: ROOT\SUN_VBOXNETFLTMP\0004
Service: VBoxNetFlt

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VirtualBox Bridged Networking Driver Miniport
Device ID: ROOT\SUN_VBOXNETFLTMP\0005
Manufacturer: Sun Microsystems, Inc.
Name: Miniporta WAN (PPPOE) - VirtualBox Bridged Networking Driver Miniport
PNP Device ID: ROOT\SUN_VBOXNETFLTMP\0005
Service: VBoxNetFlt

==== System Restore Points ===================

RP69: 2/5/2010 18:10:16 - LCCD C INFO C D
RP70: 2/5/2010 22:48:36 - Revo Uninstaller's restore point - MV RegClean 5.9

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2 - Português
Apple Application Support
Apple Software Update
Atualização de Segurança para o Windows Media Player (KB979402)
Atualização de Segurança para Windows Internet Explorer 7 (KB938127-v2)
Atualização de Segurança para Windows Internet Explorer 7 (KB938127)
Atualização de Segurança para Windows Internet Explorer 7 (KB958215)
Atualização de Segurança para Windows Internet Explorer 7 (KB960714)
Atualização de Segurança para Windows Internet Explorer 7 (KB961260)
Atualização de Segurança para Windows Internet Explorer 8 (KB969897)
Atualização de Segurança para Windows Internet Explorer 8 (KB971961)
Atualização de Segurança para Windows Internet Explorer 8 (KB972260)
Atualização de Segurança para Windows Internet Explorer 8 (KB974455)
Atualização de Segurança para Windows Internet Explorer 8 (KB976325)
Atualização de Segurança para Windows Internet Explorer 8 (KB978207)
Atualização de Segurança para Windows Internet Explorer 8 (KB981332)
Atualização de Segurança para Windows XP (KB977816)
Atualização de Segurança para Windows XP (KB978338)
Atualização de Segurança para Windows XP (KB978601)
Atualização de Segurança para Windows XP (KB978706)
Atualização de Segurança para Windows XP (KB979309)
Atualização de Segurança para Windows XP (KB979683)
Atualização de Segurança para Windows XP (KB980232)
Atualização para Windows Internet Explorer 8 (KB973874)
Atualização para Windows Internet Explorer 8 (KB976662)
Atualização para Windows Internet Explorer 8 (KB976749)
Atualização para Windows Internet Explorer 8 (KB980182)
Avira AntiVir Personal - Free Antivirus
BrOffice.org 3.1
C-Media WDM Audio Driver
CCleaner
CursorXP
EVEREST Home Edition v2.20
Gadwin PrintScreen
Google Chrome
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java 6 Update 20
Junk Mail filter update
K-Meleon 1.5.4 en-US (remove only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Speech Recognition Engine 4.0 (English)
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB973688)
Opera 10.53
Revo Uninstaller 1.87
Safari
Seven Remix XP 2.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
você 9.0 Runtime
VIA Rhine-Family Fast-Ethernet Adapter
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Internet Explorer 7
Windows Media Format 11 runtime
XML Paper Specification Shared Components Pack 1.0

==== End Of File ===========================

Regards
DigRam
Posted May 3, 2010

Good morning! EDSSX

> Yes, I also noticed many hidden BitDefender directories in the ROOTREPEAL log; the strange thing is that I had already removed BitDefender at about 19:00 yesterday; did you read my first two posts in the topic http://forum.imaster...nder-free-2010/ ? To support this I am posting the DDS log below.

<!> I hadn't read the other topic, but if the software was uninstalled, remnants of it remain and they are detected as rootkits.

00000000000000000000000000
00000000000000000000000000

D:\BdUninstallTool2010.05.02-05.45.40.reg
D:\BdUninstallTool2010.04.22-08.41.42.reg

<!> PS: If you find them, run these files and accept the insertion into the registry.

00000000000000000000000000
00000000000000000000000000

<@> Run OTM.exe again and paste this information into the field:

:Processes
explorer.exe
:services
bdselfpr
bdftdif
trufos
profos
bdfm
bdhv
:files
D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner\trufos.sys
D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner\profos.sys
D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Firewall\bdftdif.sys
D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner
D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Firewall
D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys
D:\Arquivos de programas\BitDefender\BitDefender 2010
D:\Arquivos de programas\Arquivos comuns\BitDefender
D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\pxtdapoc.sys
D:\BdUninstallTool2010.05.02-05.45.40.reg
D:\BdUninstallTool2010.04.22-08.41.42.reg
D:\WINDOWS\system32\drivers\bdfsfltr.sys
D:\WINDOWS\System32\Drivers\d1c20812.sys
D:\WINDOWS\system32\drivers\bdfm.sys
D:\WINDOWS\system32\drivers\BDHV.SYS
:reg
:commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

<@> Copy and paste this information (the quoted block) into the tool's field (clipboard).
<@> PS: the area below "Paste Instructions for Items to be Moved".
<@> Click MoveIt.
<@> When asked to reboot, confirm! --> Wait!
<@> When it finishes, check the text contents of the folder: D:\_OTM\MovedFiles
<@> Copy and post your most recent report: D:\_OTM\MovedFiles\xxxx2010_xxxxxx.log <--
<@> PS: since the tool does not overwrite its reports, we should look at the one generated right after this run.
<@> Also post a new RootRepeal report.

Regards!
EDSSX
Posted May 3, 2010

Good morning! DigRam

> I hadn't read the other topic, but if the software was uninstalled, remnants of it remain and they are detected as rootkits.

It is worth remembering that this topic was created one day before the topic above. The files just below were created on the system as a backup by the tool from the link below, BitDefender's own removal tool, since with Revo these leftovers remained (the same ones as in the ROOTREPEAL log above). Removing BitDefender Free 2010 with Revo Uninstaller was very laborious and slow and raised suspicions of corrupting the operating system (I had to use the tool mentioned in the link below, otherwise it would not even remove the program, because Revo froze; I used both together), and there was even a frozen (blue) screen dumping memory and shutting Windows down so as not to damage it. Yesterday I also did Shift+Del on them.

D:\BdUninstallTool2010.05.02-05.45.40.reg
D:\BdUninstallTool2010.04.22-08.41.42.reg

http://uninstallers.blogspot.com/

I do not recommend installing BitDefender Free 2010.

Early this morning, after your first OTM command, the leftover BitDefender directories had already disappeared, as the ROOTREPEAL log below shows.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/03 00:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7D4E000
Size: 49152
File Visible: No
Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: d:\documents and settings\edsom luis\meus documentos\salvação..bkf
Status: Allocation size mismatch (API: 4294967295, Raw: 0)

Path: D:\Documents and Settings\edsom luis\Configurações locais\Temp\~DFF186.TMP
Status: Invisible to the Windows API!

Path: D:\Documents and Settings\edsom luis\Configurações locais\Temp\~DFF192.TMP
Status: Invisible to the Windows API!

Path: d:\documents and settings\edsom luis\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\places.sqlite
Status: Allocation size mismatch (API: 1245184, Raw: 229376)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\urlclassifier3.sqlite
Status: Allocation size mismatch (API: 20414464, Raw: 20348928)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_001_
Status: Allocation size mismatch (API: 1081344, Raw: 196608)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_002_
Status: Allocation size mismatch (API: 1081344, Raw: 163840)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_003_
Status: Allocation size mismatch (API: 1081344, Raw: 294912)

SSDT
-------------------
#: 041  Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf83a222e

#: 053  Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf83a2224

#: 063  Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf83a2233

#: 065  Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf83a223d

#: 098  Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf83a2242

#: 122  Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf83a2210

#: 128  Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf83a2215

#: 193  Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf83a224c

#: 204  Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf83a2247

#: 247  Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf83a2238

==EOF==

Here is the OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
Error: No service named bdselfpr was found to stop!
Service\Driver key bdselfpr not found.
Error: No service named bdftdif was found to stop!
Service\Driver key bdftdif not found.
Error: No service named trufos was found to stop!
Service\Driver key trufos not found.
Error: No service named profos was found to stop!
Service\Driver key profos not found.
Error: No service named bdfm was found to stop!
Service\Driver key bdfm not found.
Error: No service named bdhv was found to stop!
Service\Driver key bdhv not found.
========== FILES ==========
File/Folder D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner\trufos.sys not found.
File/Folder D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner\profos.sys not found.
File/Folder D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Firewall\bdftdif.sys not found.
File/Folder D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Threat Scanner not found.
File/Folder D:\Arquivos de programas\Arquivos comuns\BitDefender\BitDefender Firewall not found.
File/Folder D:\Arquivos de programas\BitDefender\BitDefender 2010\bdselfpr.sys not found.
File/Folder D:\Arquivos de programas\BitDefender\BitDefender 2010 not found.
File/Folder D:\Arquivos de programas\Arquivos comuns\BitDefender not found.
File/Folder D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\pxtdapoc.sys not found.
File/Folder D:\BdUninstallTool2010.05.02-05.45.40.reg not found.
File/Folder D:\BdUninstallTool2010.04.22-08.41.42.reg not found.
File/Folder D:\WINDOWS\system32\drivers\bdfsfltr.sys not found.
File/Folder D:\WINDOWS\System32\Drivers\d1c20812.sys not found.
File/Folder D:\WINDOWS\system32\drivers\bdfm.sys not found.
File/Folder D:\WINDOWS\system32\drivers\BDHV.SYS not found.
========== REGISTRY ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: edsom luis
->Temp folder emptied: 1487531 bytes
->Temporary Internet Files folder emptied: 165098 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 33498403 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 34,00 mb

OTM by OldTimer - Version 3.1.11.0 log created on 05032010_092404

Here is the new ROOTREPEAL log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/03 09:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF705F000
Size: 49152
File Visible: No
Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: d:\documents and settings\edsom luis\meus documentos\salvaÇÃo pericia digital..bkf
Status: Allocation size mismatch (API: 4294967295, Raw: 0)

Path: D:\Documents and Settings\edsom luis\Configurações locais\Temp\~DFEA0A.tmp
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\edsom luis\Configurações locais\Temp\~DFEA16.tmp
Status: Visible to the Windows API, but not on disk.

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\urlclassifier3.sqlite
Status: Allocation size mismatch (API: 10518528, Raw: 10420224)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_001_
Status: Allocation size mismatch (API: 1114112, Raw: 196608)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_002_
Status: Allocation size mismatch (API: 1114112, Raw: 131072)

Path: d:\documents and settings\edsom luis\configurações locais\dados de aplicativos\mozilla\firefox\profiles\izozpjim.default\cache\_cache_003_
Status: Allocation size mismatch (API: 1146880, Raw: 229376)

SSDT
-------------------
#: 041  Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf837aa1e

#: 053  Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf837aa14

#: 063  Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf837aa23

#: 065  Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf837aa2d

#: 098  Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf837aa32

#: 122  Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf837aa00

#: 128  Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf837aa05

#: 193  Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf837aa3c

#: 204  Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf837aa37

#: 247  Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf837aa28

==EOF==

The Avira umbrella is still broken and Avira AntiRootkit still won't open either.

Regards
DigRam
Posted May 3, 2010

Good afternoon! EDSSX

> I do not recommend installing BitDefender Free 2010.

<!> I wouldn't recommend it either, since uninstalling it is very traumatic. lol..

> The Avira umbrella is still broken and Avira AntiRootkit still won't open either.

<!> Try uninstalling or repairing it, and then cleaning up with Avira's tool.
<!> Also remove its directories!
<!> < Avira AntiVir RegistryCleaner > ( 887 KB )
<!> Then install Avira again.

000000000000000000000000
000000000000000000000000

<@> Open OTM.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
:processes
explorer.exe
:reg
:files
D:\Documents and Settings\edsom luis\Configurações locais\Temp\*.*
:commands
[emptytemp]
[purity]
[start explorer]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<@> Copy and paste this information, between the XXXXX..., into the tool's field (clipboard).
<@> PS: the area below "Paste Instructions for Items to be Moved".
<@> Click MoveIt.
<@> When asked to reboot, confirm! --> Wait!
<@> When it finishes, check the text contents of the folder: D:\_OTM\MovedFiles
<@> Copy and post your most recent report: D:\_OTM\MovedFiles\xxxx2010_xxxxxx.log <--
<@> PS: since the tool does not overwrite its reports, we should look at the one generated right after this run.

Regards!
EDSSX
Posted May 3, 2010

Good afternoon! DigRam

I uninstalled Avira AntiVir, and now the installation always fails; as a result the Guard service stays stopped. Another anti-rootkit, Panda, gives an error as in the screenshot below:

This screenshot was taken before removing Avira.

Here is the log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
========== FILES ==========
File/Folder D:\Documents and Settings\edsom luis\Configurações locais\Temp\*.* not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: edsom luis
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 31385031 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 30,00 mb

OTM by OldTimer - Version 3.1.12.0 log created on 05032010_143142

-------------------------
-------------------------

However, in the GMER log, those items in red no longer appear.

Thank you and regards
DigRam
Posted May 3, 2010

Good evening! EDSSX

<@> Go to this address:
<!> < ConfickerWorkingGroup >
<@> Interpret the 6 images for a Conficker infection. ( Conficker Eye Chart )
<@> PS: Report the result!

0000000000000000000000
0000000000000000000000

<@> Download: < Kaspersky Virus Removal Tool >
<@> PS: Save it in Arquivos de programas (Program Files).
<@> Install the tool, following all of its steps.
<@> On the program's main screen, click the "My Computer" option.
<@> Next, click the "Scan" button.
<@> PS: Be patient, the scan takes a long time.
<@> If any infection is found, click "skip".
<@> When it finishes, click the < > button and then the "Detected Threats" tab.
<@> Copy the contents of the list, if anything was detected, and post it in your reply.

Regards!
EDSSX
Posted May 4, 2010

Good evening! DigRam

The six pictures are identical to the example.

I managed to reinstall Avira AntiVir; very simple: during installation, do not check the option to create a restore point; then everything shows as complete and the Guard works. And Avira keeps detecting and blocking D:\autorun.inf when I open local disk D, which also contains the D:\autorun.inf vaccination from USBFIX, as explained in the other topic just above. The umbrella problem still persists and Avira AntiRootkit won't open at all.

My dear friend DigRam, have you ever heard of these drivers:

\SystemRoot\system32\DRIVERS\9156785.sys
\SystemRoot\system32\DRIVERS\91567851.sys
\SystemRoot\system32\DRIVERS\91567852.sys
KEDUSHA.SYS

They show up on my system as hidden.

SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
******************************************************************************************
******************************************************************************************

Kernel Modules:
Module Name: kedusha.sys
Service Name: ---
Module Base: F85B6000
Module End: F85C5000
Hidden: Yes

SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
******************************************************************************************
******************************************************************************************

Kernel Modules:
Module Name: kedusha.sys
Service Name: ---
Module Base: F85B6000
Module End: F85C5000
Hidden: Yes

Module Name: \SystemRoot\system32\DRIVERS\9156785.sys
Service Name: ---
Module Base: F6BD6000
Module End: F6C27000
Hidden: Yes

Module Name: \SystemRoot\system32\DRIVERS\91567851.sys
Service Name: 91567851
Module Base: F66B6000
Module End: F6BD6000
Hidden: Yes

Module Name: \SystemRoot\system32\DRIVERS\91567852.sys
Service Name: ---
Module Base: F80AD000
Module End: F80BA000
Hidden: Yes

Kaspersky Virus Removal Tool did not detect anything.

Thank you and regards
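The SysProt output above lists hidden kernel modules with their base and end addresses, and the two RootRepeal scans earlier in the thread list ten SSDT hooks by "<unknown>" with their addresses, but neither tool ties the two together. The script below is an added example (not from the thread and not code from RootRepeal or SysProt): it parses both output formats and attributes each hook to the module whose address range contains it, which is the step that separates "ten hooks from one driver's dispatch table" from "ten independent patches", and leaves a list of hidden modules that own no hook and still need explaining. It assumes both logs were captured in the same boot; the RootRepeal and SysProt logs in this thread come from different boots, and the two RootRepeal runs show the hook addresses moving (0xf83a22xx, then 0xf837aaxx) because drivers load at different addresses each boot, so the logs must be taken together. The sample logs are constructed in the tools' formats: the hook addresses and the kedusha.sys range are the ones posted above, and constructed_driver.sys is a hypothetical module placed so that it covers the hook addresses.

```python
"""Attribute RootRepeal SSDT hooks to SysProt kernel modules by address range.
Added example, not code from the thread or from either tool.  ASSUMPTION: both
logs come from the same boot (driver load addresses change across reboots)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RootRepeal SSDT entry: '#: 041  Function Name: NtCreateKey' followed by
# 'Status: Hooked by "<unknown>" at address 0xf83a222e'.  Whitespace-agnostic, so the
# same pattern also matches a copy that a forum has flattened onto one line.
SSDT_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s+Status:\s*Hooked by\s*"([^"]*)"'
    r'\s*at address\s*0x([0-9A-Fa-f]+)')

# SysProt "Kernel Modules" record: name, service, base/end as bare hex, Hidden: Yes/No.
MODULE_RE = re.compile(
    r'Module Name:\s*(\S+)\s+Service Name:\s*(\S+)\s+Module Base:\s*([0-9A-Fa-f]+)'
    r'\s+Module End:\s*([0-9A-Fa-f]+)\s+Hidden:\s*(Yes|No)')


@dataclass
class Hook:
    index: int
    function: str
    owner: str        # what RootRepeal printed, usually "<unknown>"
    address: int


@dataclass
class Module:
    name: str
    service: str
    base: int
    end: int
    hidden: bool


def parse_rootrepeal_ssdt(text: str) -> List[Hook]:
    return [Hook(int(i), fn, who, int(addr, 16)) for i, fn, who, addr in SSDT_RE.findall(text)]


def parse_sysprot_modules(text: str) -> List[Module]:
    return [Module(n, s, int(b, 16), int(e, 16), h == "Yes")
            for n, s, b, e, h in MODULE_RE.findall(text)]


def find_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Module whose [base, end) range contains addr, or None if no listed module does."""
    for m in modules:
        if m.base <= addr < m.end:
            return m
    return None


def attribute_hooks(rootrepeal_text: str, sysprot_text: str) -> List[Tuple[str, int, Optional[str], Optional[bool]]]:
    """One (function, address, owning module or None, owner hidden?) tuple per hook."""
    modules = parse_sysprot_modules(sysprot_text)
    result = []
    for h in parse_rootrepeal_ssdt(rootrepeal_text):
        m = find_module(h.address, modules)
        result.append((h.function, h.address, m.name if m else None, m.hidden if m else None))
    return result


def hook_span(rootrepeal_text: str) -> int:
    """Bytes between the lowest and highest hook address.  Many hooks within a few dozen
    bytes means one dispatcher table in one driver, not separate patches."""
    addrs = [h.address for h in parse_rootrepeal_ssdt(rootrepeal_text)]
    return max(addrs) - min(addrs) if addrs else 0


def hidden_modules_without_hooks(rootrepeal_text: str, sysprot_text: str) -> List[str]:
    """Hidden modules that own none of the hooks: still unexplained, check them on disk next."""
    owners = {owner for _, _, owner, _ in attribute_hooks(rootrepeal_text, sysprot_text)}
    return [m.name for m in parse_sysprot_modules(sysprot_text) if m.hidden and m.name not in owners]


# Constructed sample in RootRepeal's format; the addresses are from the thread's first scan.
ROOTREPEAL_SAMPLE = """SSDT
-------------------
#: 041\tFunction Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf83a222e

#: 122\tFunction Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf83a2210

#: 193\tFunction Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf83a224c
"""

# Constructed sample in SysProt's format.  kedusha.sys uses the range posted in the thread;
# constructed_driver.sys is hypothetical, placed so that its range covers 0xf83a2xxx.
SYSPROT_SAMPLE = """Kernel Modules:
Module Name: kedusha.sys
Service Name: ---
Module Base: F85B6000
Module End: F85C5000
Hidden: Yes

Module Name: constructed_driver.sys
Service Name: constructed
Module Base: F83A0000
Module End: F83B0000
Hidden: No
"""

if __name__ == "__main__":
    for fn, addr, owner, hidden in attribute_hooks(ROOTREPEAL_SAMPLE, SYSPROT_SAMPLE):
        print(f"{fn:<16} 0x{addr:08x} -> {owner or 'no listed module'}{' (hidden)' if hidden else ''}")
    print("hook span:", hex(hook_span(ROOTREPEAL_SAMPLE)))
    print("hidden modules owning no hook:", hidden_modules_without_hooks(ROOTREPEAL_SAMPLE, SYSPROT_SAMPLE))
```

Run as-is it maps all three hooks to constructed_driver.sys, reports a span of 0x3c (sixty bytes for the whole table) and leaves kedusha.sys as a hidden module that explains none of the hooks. With real logs, a hook that maps to no listed module means the module list itself is incomplete, which is a stronger signal than the hook.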
DigRam
Posted May 4, 2010

Good morning! EDSSX

> My dear friend DigRam, have you ever heard of these drivers: \SystemRoot\system32\DRIVERS\9156785.sys \SystemRoot\system32\DRIVERS\91567851.sys \SystemRoot\system32\DRIVERS\91567852.sys KEDUSHA.SYS; they show up on my system as hidden.

<!> No! The AVPTool, if it was run in Safe Mode with hidden files shown, would have detected them if they were malicious.
<!> PS: I found no references for them, especially for KEDUSHA.SYS.

> Kaspersky Virus Removal Tool did not detect anything.

<!> Because there was nothing to be detected! lol..
<!> As for the file D:\autorun.inf detected by Avira, try submitting it to VirSCAN.org.

00000000000000000000000
00000000000000000000000

<@> Schedule scandisk for the next boot.
<@> Go to Start --> Run --> Type: cmd --> Click: OK
<@> In the prompt window, type: chkdsk /r --> Press Enter.
<@> Press "S" (Yes) --> Press Enter.
<@> Scandisk is now scheduled for the next boot.
<@> To exit, type exit --> Press Enter.
<@> Restart the computer so that scandisk starts. It checks:
files and folders
indexes
security descriptors
file data
free space
<@> Wait patiently for all the checks to complete.
<@> At the end, the computer will restart automatically.
<@> PS: Report the results!

Regards!
EDSSX
Posted May 5, 2010

Good afternoon! DigRam

Yes, so far I have searched Google and nothing came up at all, no related pages or links; what a miracle, since Google has everything, even me, lol. Second, on VirSCAN.org the submitted file is not found, even though it is on disk D (USBFIX vaccinations) and Avira, through the Guard, blocks them all the time; all I have to do is go to/open the local disk. As for scandisk, I run these procedures sporadically, and the worrying result is only on D, which has 4 GB of damaged/corrupted files (something like that, because the blue screen closes quickly to restart the OS). As you can see, the hidden drivers above were detected by the SysProt anti-rootkit. Are your detections reliable?

Regards and thanks

Good evening! DigRam

The edit option no longer appears here.

This infection, HEUR:Trojan.Win32.Invader, in the directories below belonging to the French tools; are they false positives?

D:\desktop\download\haxfix.exe
D:\desktop\download\haxfix\catchme.exe
D:\desktop\download\LOP S&D.exe
D:\desktop\download\LOP S&D\catchme.exe

Avira went crazy, since just entering D (your folders) makes it block through the Guard. As you can see in the footer of the ComboFix log below, I run it several times; I decided to run it; just look at the result:

Only this one (d:\windows\rrxx.dll) is a directory of a speed optimizer for XP.

ComboFix 10-05-04.01 - edsom luis 04/05/2010 18:15:10.6.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.192 [GMT -3:00]
Running from: d:\documents and settings\edsom luis\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\rrxx.dll
d:\windows\system32\drivers\ewqvudyvrsaa.sys

The copy of d:\windows\system32\midimap.dll was found and disinfected
Restored copy from - d:\windows\NiwradSoft Shell Pack\Backup\midimap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ewqvudyvrsaa
-------\Service_ewqvudyvrsaa

(((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 ))))))))))))))))))))))))))))
.

2010-05-04 18:34 . 2010-05-04 18:34 12552 ----a-w- d:\windows\system32\drivers\hddirect.sys
2010-05-04 03:41 . 2010-05-04 03:41 -------- d-----w- d:\arquivos de programas\CCleaner
2010-05-04 02:37 . 2010-05-04 02:38 -------- d-----w- d:\arquivos de programas\navilog1
2010-05-03 18:07 . 2010-05-03 18:07 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Avira
2010-05-03 18:00 . 2010-03-01 13:05 124784 ----a-w- d:\windows\system32\drivers\avipbb.sys
2010-05-03 18:00 . 2010-02-16 17:24 60936 ----a-w- d:\windows\system32\drivers\avgntflt.sys
2010-05-03 18:00 . 2009-05-11 15:49 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys
2010-05-03 18:00 . 2010-05-03 18:00 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Avira
2010-05-03 18:00 . 2010-05-03 18:00 -------- d-----w- d:\arquivos de programas\Avira
2010-05-03 18:00 . 2009-05-11 15:49 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys
2010-05-03 01:06 . 2010-05-03 01:06 0 ----a-w- d:\documents and settings\edsom luis\settings.dat
2010-05-02 21:04 . 2010-04-29 18:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 21:04 . 2010-04-29 18:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-05-01 14:11 . 2010-05-01 14:11 -------- d-----w- d:\arquivos de programas\Opera
2010-04-30 21:42 . 2008-04-13 17:44 2560 ----a-w- d:\documents and settings\All Users\Dados de aplicativos\Microsoft\USMT\iconlib.dll
2010-04-30 01:07 . 2010-04-29 20:56 699512 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-30 01:07 . 2010-04-29 20:56 863312 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-30 00:45 . 2010-04-30 00:45 -------- d-----w- d:\windows\system32\wbem\Repository
2010-04-29 23:16 . 2010-04-29 23:16 54624 ----a-w- d:\windows\system32\9877.sys
2010-04-29 22:09 . 2007-01-18 12:00 3968 ----a-w- d:\windows\system32\drivers\AvgArCln.sys
2010-04-26 22:45 . 2010-04-26 22:45 -------- d-----w- d:\arquivos de programas\Yahoo!
2010-04-25 17:52 . 2010-04-25 17:52 -------- d--h--w- d:\windows\NiwradSoft Shell Pack
2010-04-24 20:13 . 2010-04-24 20:13 -------- d-----w- d:\windows\speech
2010-04-22 23:54 . 2010-04-22 23:54 -------- d-----w- d:\arquivos de programas\Malwarebytes' Anti-Malware
2010-04-22 18:28 . 2009-12-17 07:41 345600 ------w- d:\windows\system32\dllcache\mspaint.exe
2010-04-22 15:34 . 2009-06-30 12:37 28552 ----a-w- d:\windows\system32\drivers\pavboot.sys
2010-04-22 13:45 . 2010-04-22 13:45 -------- d---a-w- D:\Navilog1
2010-04-21 18:09 . 2010-04-21 18:09 -------- d-----w- D:\Lop SD
2010-04-18 20:27 . 2010-04-18 20:27 -------- d-----w- d:\arquivos de programas\Arquivos comuns\Stardock
2010-04-18 01:03 . 2010-04-21 18:22 79488 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Sun\Java\jre1.6.0_20\gtapi.dll
2010-04-18 01:03 . 2010-04-21 18:22 152576 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Sun\Java\jre1.6.0_20\lzma.dll
2010-04-18 00:33 . 2010-04-18 00:33 411368 ----a-w- d:\windows\system32\deployJava1.dll
2010-04-17 17:51 . 2010-04-17 17:51 -------- d-----w- d:\windows\Crystal
2010-04-17 17:40 . 2010-04-17 17:40 -------- d-----w- D:\APTDatabase
2010-04-06 01:42 . 2010-04-06 01:42 -------- d-----w- d:\arquivos de programas\Safari
2010-04-06 01:41 . 2010-04-06 01:41 -------- d-----w- d:\arquivos de programas\Apple Software Update
2010-04-05 00:25 . 2010-04-05 00:25 -------- d--h--w- d:\documents and settings\edsom luis\Recent(8)

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2010-05-04 21:23 . 2010-02-06 22:21 12 ----a-w- d:\windows\system32\drivers\IncompleteBoot.cnt
2010-05-03 13:58 . 2009-08-27 01:37 664 ----a-w- d:\windows\system32\d3d9caps.dat
2010-04-29 23:54 . 2009-09-22 20:52 1 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-25 21:25 . 2004-08-04 10:45 219648 ----a-w- d:\windows\system32\uxtheme.dll
2010-04-04 19:14 . 2010-04-04 19:14 -------- d-----w- d:\arquivos de programas\Arquivos comuns\Apple
2010-04-04 19:14 . 2010-04-04 19:14 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Apple
2010-04-04 16:04 . 2010-01-26 00:59 537842 ----a-w- D:\HaxFix.exe
2010-04-03 14:18 . 2010-04-03 14:18 -------- d-----w- d:\arquivos de programas\Windows Live
2010-04-01 20:31 . 2010-04-01 20:31 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\WinZip
2010-03-10 06:16 . 2004-08-04 10:45 420352 ----a-w- d:\windows\system32\vbscript.dll
2010-03-04 07:00 . 2010-03-04 07:00 79144 ----a-w- d:\documents and settings\All Users\Dados de aplicativos\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-04 01:54 . 2001-10-28 21:07 80630 ----a-w- d:\windows\system32\perfc016.dat
2010-03-04 01:54 . 2001-10-28 21:07 471828 ----a-w- d:\windows\system32\perfh016.dat
2010-02-25 06:17 . 2004-08-04 10:45 983040 ----a-w- d:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 09:15 455680 ----a-w- d:\windows\system32\drivers\mrxsmb.sys
2010-02-17 17:07 . 2004-08-04 10:40 2354304 ----a-w- d:\windows\system32\ntoskrnl.exe
2010-02-17 04:06 . 2010-02-17 04:06 126976 ----a-w- d:\windows\MSKeyStoreJNI.dll
2010-02-16 19:07 . 2004-08-04 03:40 2231168 ----a-w- d:\windows\system32\ntkrnlpa.exe
2010-02-12 04:34 . 2004-08-04 10:45 100864 ----a-w- d:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 09:07 226880 ----a-w- d:\windows\system32\drivers\tcpip6.sys
2010-02-08 11:23 . 2010-01-16 19:07 7725 ----a-w- d:\windows\system32\tcpip.reg
2009-12-01 18:16 . 2009-12-01 18:16 38338 ------w- d:\arquivos de programas\Uninst.isu
2009-11-27 21:47 . 2009-11-13 21:19 218 ------w- d:\arquivos de programas\Arquivos comuns\operaprefs_default.ini
2009-11-20 22:11 . 2009-11-20 22:11 15828 ------w- d:\arquivos de programas\Arquivos comuns\license.rtf
2009-11-20 22:01 . 2009-11-20 22:01 832296 ------w- d:\arquivos de programas\Arquivos comuns\opera.exe
2009-11-20 22:01 . 2009-11-20 22:01 4450088 ------w- d:\arquivos de programas\Arquivos comuns\opera.dll
2009-11-20 22:00 . 2009-11-20 22:00 20480 ------w- d:\arquivos de programas\Arquivos comuns\OUniAnsi.dll
2009-11-20 22:00 . 2009-11-20 22:00 653419 ------w- d:\arquivos de programas\Arquivos comuns\encoding.bin
2009-11-13 21:19 . 2009-03-27 23:27 2320 ------w- d:\arquivos de programas\Arquivos comuns\operadef6.ini
2009-08-19 08:39 . 2009-08-19 08:39 330 ------w- d:\arquivos de programas\setup.ini
2009-07-10 06:20 . 2009-12-01 18:16 621546 ----a-w- d:\arquivos de programas\Arquivos comuns\ACIHELP.HLP.vir
2009-07-10 06:20 . 2009-12-01 18:16 3219 ----a-w- d:\arquivos de programas\Arquivos comuns\Acihelp.cnt.vir
2009-06-17 17:41 . 2009-06-17 17:41 3870 ----a-w- d:\arquivos de programas\Arquivos comuns\lngcode.txt.vir
2008-06-09 13:17 . 2008-06-09 13:17 301 ----a-w- d:\arquivos de programas\Arquivos comuns\c3nform.vxml.vir
2004-02-26 16:35 . 2004-02-26 16:35 7904 ------w- d:\arquivos de programas\Arquivos comuns\html40_entities.dtd
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ------w- d:\arquivos de programas\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ------w- d:\arquivos de programas\instmsia.exe
2009-11-24 09:18 . 2009-04-29 23:59 32 --sha-w- d:\windows\system32\drivers\fidbox.dat
2009-03-08 17:09 . 2010-04-25 18:01 638816 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe
2008-04-14 03:21 . 2010-04-25 18:01 73728 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\wmplayer.exe
.

------- Sigcheck -------

[-] 2008-04-14 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . d:\windows\system32\winlogon.exe
[-] 2008-04-14 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . d:\windows\system32\dllcache\winlogon.exe
[7] 2008-04-14 . 71D440F79B711627B12B567FB2EADB42 . 509952 . . [5.1.2600.5512] . . d:\windows\ERDNT\cache\winlogon.exe
[7] 2008-04-14 . 71D440F79B711627B12B567FB2EADB42 . 509952 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe
[-] 2008-04-14 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\winlogon.exe

[-] 2008-04-14 . 302CD5BE4CA48200F9AC1C6074D71805 . 643072 . . [5.82] . . d:\windows\system32\comctl32.dll
[7] 2008-04-14 . 085C5892D9C1E19B3CEFD1B79F5BBF13 . 617472 . . [5.82] . . d:\windows\ERDNT\cache\comctl32.dll
[7] 2008-04-14 . 085C5892D9C1E19B3CEFD1B79F5BBF13 . 617472 . . [5.82] . . d:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll
[-] 2008-04-14 . 302CD5BE4CA48200F9AC1C6074D71805 . 643072 . . [5.82] . . d:\windows\ServicePackFiles\i386\comctl32.dll

[-] 2010-02-25 . A709662B2C291B04B765FAC8583AC8E0 . 6106112 . . [8.00.6001.18904] . . d:\windows\system32\mshtml.dll
[-] 2010-02-25 . A709662B2C291B04B765FAC8583AC8E0 . 6106112 . . [8.00.6001.18904] . . d:\windows\system32\dllcache\mshtml.dll
[7] 2010-02-25 . 23099BB44DA6A7D80B15FF4F7C51877D . 5944832 . . [8.00.6001.18904] . . d:\windows\ERDNT\cache\mshtml.dll
[7] 2010-02-25 . 23099BB44DA6A7D80B15FF4F7C51877D . 5944832 . . [8.00.6001.18904] . . d:\windows\NiwradSoft Shell Pack\Backup\mshtml.dll
[-] 2010-02-25 . A709662B2C291B04B765FAC8583AC8E0 . 6106112 . . [8.00.6001.18904] . . d:\windows\ServicePackFiles\i386\mshtml.dll
[7] 2010-02-25 . 6D179FBB1B42A3C33955652D3A38BFDF . 5946880 . . [8.00.6001.22995] . . d:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mshtml.dll
[7] 2009-12-21 . B5A5C997C2F926C40CCC64A3BD377D4B . 5942784 . . [8.00.6001.18876] . . d:\windows\ie8updates\KB980182-IE8\mshtml.dll
[7] 2009-12-21 . AAD700DEA94EE6E56E591C351111941A . 5945856 . . [8.00.6001.22967] . . d:\windows\$hf_mig$\KB978207-IE8\SP3QFE\mshtml.dll
[7] 2009-10-29 . 58A17D0C94F23CD59346720B0C374A90 . 5940736 . . [8.00.6001.18854] . . d:\windows\ie8updates\KB978207-IE8\mshtml.dll
[7] 2009-10-29 . 80F9322FBC4BBBC3A0DB6E9B3C953C60 . 5944320 . . [8.00.6001.22945] . . d:\windows\$hf_mig$\KB976325-IE8\SP3QFE\mshtml.dll
[7] 2009-10-22 . 61245C5B4B4F06058F4038DC2C7D9C72 . 5939712 . . [8.00.6001.18852] . . d:\windows\ie8updates\KB976325-IE8\mshtml.dll
[7] 2009-10-22 . 4E0FB322DCCB816F5DD56E9B2BE5E664 . 5943296 . . [8.00.6001.22942] . . d:\windows\$hf_mig$\KB976749-IE8\SP3QFE\mshtml.dll
[7] 2009-08-29 . DB337CCC2E1111068F0FFD08982810F7 . 5940224 . . [8.00.6001.18828] . . d:\windows\ie8updates\KB976749-IE8\mshtml.dll
[7] 2009-08-29 . E719DAF5D7972B69647CF32C9FD1601D . 5942272 . . [8.00.6001.22918] . . d:\windows\$hf_mig$\KB974455-IE8\SP3QFE\mshtml.dll
[7] 2009-07-19 . CD4DC10D4F812033C4B402C9620F10BB . 5937152 . . [8.00.6001.18812] . . d:\windows\ie8updates\KB974455-IE8\mshtml.dll
[7] 2009-07-19 . 5B7C8A16598E79AD559323C81737AC4D . 5938176 . . [8.00.6001.22902] . . d:\windows\$hf_mig$\KB972260-IE8\SP3QFE\mshtml.dll
[7] 2009-05-13 . BE87C13E58E44084D7B81B047EB1121B . 5936128 . . [8.00.6001.22873] . . d:\windows\$hf_mig$\KB969897-IE8\SP3QFE\mshtml.dll
[7] 2009-05-13 . 285B63B5E7BE2B4237F6528DFE11CDB4 . 5936128 . . [8.00.6001.18783] . . d:\windows\ie8updates\KB972260-IE8\mshtml.dll
[7] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . d:\windows\ie8updates\KB969897-IE8\mshtml.dll
[7] 2009-01-17 . BC083F2B02EA9E69A636970859AF8DAF . 3594752 . . [7.00.6000.16809] . . d:\windows\ie8\mshtml.dll
[7] 2009-01-16 . 628A8E851FBA1F2183CE327B76E19E3E . 3596288 . . [7.00.6000.20996] . . d:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[7] 2008-12-13 . A294B659329C4007D75FF675A8A3A94F . 3593216 . . [7.00.6000.16788] . . d:\windows\ie7updates\KB961260-IE7\mshtml.dll
[7] 2008-12-13 . 4C2F6BAFA9236FA50620CC3E6DDF3BAD . 3594752 . . [7.00.6000.20973] . . d:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[7] 2008-10-16 . 2B042E339C0C5E1584D49EB5579ABBD1 . 3595264 . . [7.00.6000.20935] . . d:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[7] 2008-02-16 . 9D318F222A6FF820D92EC97F4F1935EC . 3087872 . . [6.00.2900.3314] . . d:\windows\$hf_mig$\KB947864\SP2QFE\mshtml.dll
[7] 2007-08-13 . C6EC2493346ED8888A549F59210A8ED3 . 3578368 . . [7.00.5730.13] . . d:\windows\ie7updates\KB960714-IE7\mshtml.dll

[-] 2010-02-17 . 16F9B5E8C253A9211ED01885077C7526 . 2354304 . . [5.1.2600.5938] . . d:\windows\system32\ntoskrnl.exe
[-] 2010-02-17 . 16F9B5E8C253A9211ED01885077C7526 . 2354304 . . [5.1.2600.5938] . . d:\windows\system32\dllcache\ntoskrnl.exe
[7] 2010-02-17 . 124F4EC97A7683D1A67B3AECFE258ABD . 2194176 . . [5.1.2600.5938] . . d:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2010-02-17 . 124F4EC97A7683D1A67B3AECFE258ABD . 2194176 . . [5.1.2600.5938] . . d:\windows\ERDNT\cache\ntoskrnl.exe
[7] 2010-02-17 . 124F4EC97A7683D1A67B3AECFE258ABD . 2194176 . . [5.1.2600.5938] . . d:\windows\NiwradSoft Shell Pack\Backup\ntoskrnl.exe
[-] 2010-02-17 . 16F9B5E8C253A9211ED01885077C7526 . 2354304 . . [5.1.2600.5938] . . d:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2010-02-16 . 8A47EB27E99109826F8A54BB64BE8131 . 2194304 . . [5.1.2600.5938] . . d:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe
[7] 2009-12-09 . C25035B93BDF12E2CB89C6F5BF8B99F1 . 2193536 . . [5.1.2600.5913] . .
d:\windows\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe [7] 2009-12-09 . EB331E36934D9016B66CDF694954A8AF . 2193408 . . [5.1.2600.5913] . . d:\windows\$NtUninstallKB979683$\ntoskrnl.exe [7] 2009-08-04 . 3B75E61D1546C05A959EDFE11F1510D1 . 2193536 . . [5.1.2600.5857] . . d:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe [7] 2009-02-10 . B0BF079AF000D97D8C043D1DFF08086D . 2193408 . . [5.1.2600.5755] . . d:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe [7] 2008-08-14 . A42CC3CFC02A7B2BAEC7B0D45808B257 . 2193408 . . [5.1.2600.5657] . . d:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe [7] 2008-08-14 . B72A025A758683552C4FEC7EABCB0661 . 2190208 . . [5.1.2600.3427] . . d:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe [7] 2008-08-14 . 04BA43B0D2A13BD6B06D707299243CFC . 2193408 . . [5.1.2600.5657] . . d:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe [7] 2007-02-28 . BFB4C8761976CCE0B544D557B4C70825 . 2186368 . . [5.1.2600.3093] . . d:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe [7] 2005-03-02 . 6E3AB4241E058B248CB7CDC5157449C3 . 2183808 . . [5.1.2600.2622] . . d:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe [-] 2008-04-14 . A9B36030497E98C29210E4544700649D . 579072 . . [5.1.2600.5512] . . d:\windows\system32\user32.dll [-] 2008-04-14 . A9B36030497E98C29210E4544700649D . 579072 . . [5.1.2600.5512] . . d:\windows\system32\dllcache\user32.dll [7] 2008-04-14 . 54907DB28872A7A6D3EE2B4747A23828 . 579072 . . [5.1.2600.5512] . . d:\windows\ERDNT\cache\user32.dll [7] 2008-04-14 . 54907DB28872A7A6D3EE2B4747A23828 . 579072 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\user32.dll [-] 2008-04-14 . A9B36030497E98C29210E4544700649D . 579072 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\user32.dll [7] 2005-03-02 . 3ED0A4D74EFD5AAF8408095F452E2613 . 577536 . . [5.1.2600.2622] . . d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll [-] 2010-02-25 . 9B25F4F2E1C0622CB951FCAED549F0A9 . 983040 . . [8.00.6001.18904] . . d:\windows\system32\wininet.dll [-] 2010-02-25 . 
9B25F4F2E1C0622CB951FCAED549F0A9 . 983040 . . [8.00.6001.18904] . . d:\windows\system32\dllcache\wininet.dll [7] 2010-02-25 . E5CC74D62E06066451D59248CBFBAED0 . 916480 . . [8.00.6001.18904] . . d:\windows\ERDNT\cache\wininet.dll [7] 2010-02-25 . E5CC74D62E06066451D59248CBFBAED0 . 916480 . . [8.00.6001.18904] . . d:\windows\NiwradSoft Shell Pack\Backup\wininet.dll [-] 2010-02-25 . 9B25F4F2E1C0622CB951FCAED549F0A9 . 983040 . . [8.00.6001.18904] . . d:\windows\ServicePackFiles\i386\wininet.dll [7] 2010-02-25 . D8E3E2FD8928B2BD8BEB2518C2E45ED1 . 919040 . . [8.00.6001.22995] . . d:\windows\$hf_mig$\KB980182-IE8\SP3QFE\wininet.dll [7] 2009-12-21 . 79805286A6D381A658A1871F6B3588B9 . 916480 . . [8.00.6001.18876] . . d:\windows\ie8updates\KB980182-IE8\wininet.dll [7] 2009-12-21 . 11162780821A0531D39E675A662D766F . 916480 . . [8.00.6001.22967] . . d:\windows\$hf_mig$\KB978207-IE8\SP3QFE\wininet.dll [7] 2009-10-29 . 191FFB2798E4DB25F04C2E71C9595A85 . 916480 . . [8.00.6001.18854] . . d:\windows\ie8updates\KB978207-IE8\wininet.dll [7] 2009-10-29 . E30B8F0D3BFAF4B403C57F05242AEF74 . 916480 . . [8.00.6001.22945] . . d:\windows\$hf_mig$\KB976325-IE8\SP3QFE\wininet.dll [7] 2009-08-29 . 83438BBF93CA586ED5149B1E1AA1BDBB . 916480 . . [8.00.6001.18828] . . d:\windows\ie8updates\KB976325-IE8\wininet.dll [7] 2009-08-29 . 4F4F8F0B432A8B4B0D23829375358F34 . 916480 . . [8.00.6001.22918] . . d:\windows\$hf_mig$\KB974455-IE8\SP3QFE\wininet.dll [7] 2009-07-03 . 9572842DA52CF071068FAAB8AD4D74A5 . 915456 . . [8.00.6001.22896] . . d:\windows\$hf_mig$\KB972260-IE8\SP3QFE\wininet.dll [7] 2009-07-03 . 903350F08A1DF38714EF37F09EA11BB4 . 915456 . . [8.00.6001.18806] . . d:\windows\ie8updates\KB974455-IE8\wininet.dll [7] 2009-05-13 . 4E74AEBA5546A61C9DC35BC531EFFA23 . 915456 . . [8.00.6001.22873] . . d:\windows\$hf_mig$\KB969897-IE8\SP3QFE\wininet.dll [7] 2009-05-13 . 14E350ABCCBE0279D042AF2854E6D894 . 915456 . . [8.00.6001.18783] . . d:\windows\ie8updates\KB972260-IE8\wininet.dll [7] 2009-03-08 . 
6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . d:\windows\ie8updates\KB969897-IE8\wininet.dll [7] 2008-12-21 . E048867C310B09ED1C79E59B68DB8050 . 827904 . . [7.00.6000.20978] . . d:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll [7] 2008-12-20 . 94A623D9C0F2632796B4CE2753331F98 . 826368 . . [7.00.6000.16791] . . d:\windows\ie8\wininet.dll [7] 2008-10-16 . 779479E6F38BC77831F26BD9AAE3FAD3 . 826368 . . [7.00.6000.16762] . . d:\windows\ie7updates\KB961260-IE7\wininet.dll [7] 2008-10-16 . 4BCD45D77BD42A5E9C2DD2E847A5467E . 827904 . . [7.00.6000.20935] . . d:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll [7] 2008-02-16 . F3AD9DF6B30D5A3F67B5561109640958 . 668160 . . [6.00.2900.3314] . . d:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll [7] 2007-08-13 . A4A0FC92358F39538A6494C42EF99FE9 . 818688 . . [7.00.5730.13] . . d:\windows\ie7updates\KB958215-IE7\wininet.dll [-] 2008-04-14 . 77F71BF6970EA10B4CC9AA1D45654AA0 . 1542656 . . [6.00.2900.5512] . . d:\windows\explorer.exe [-] 2008-04-14 . 77F71BF6970EA10B4CC9AA1D45654AA0 . 1542656 . . [6.00.2900.5512] . . d:\windows\system32\dllcache\explorer.exe [7] 2008-04-14 . 064EC7FF5F58B928C3E119402977FA6D . 1035776 . . [6.00.2900.5512] . . d:\windows\ERDNT\cache\explorer.exe [7] 2008-04-14 . 064EC7FF5F58B928C3E119402977FA6D . 1035776 . . [6.00.2900.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\explorer.exe [-] 2008-04-14 . 77F71BF6970EA10B4CC9AA1D45654AA0 . 1542656 . . [6.00.2900.5512] . . d:\windows\ServicePackFiles\i386\explorer.exe [7] 2007-06-13 . 45D521506825A10B80833B4E9621CCF6 . 1035264 . . [6.00.2900.3156] . . d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe [-] 2008-04-14 . 584450C5B2439571755D40444589C63D . 40448 . . [5.1.2600.5512] . . d:\windows\system32\ctfmon.exe [-] 2008-04-14 . 584450C5B2439571755D40444589C63D . 40448 . . [5.1.2600.5512] . . d:\windows\system32\dllcache\ctfmon.exe [7] 2008-04-14 . 4E486ADFE3A0B9ED0EB0639902E9F64F . 15360 . . [5.1.2600.5512] . . 
d:\windows\ERDNT\cache\ctfmon.exe [7] 2008-04-14 . 4E486ADFE3A0B9ED0EB0639902E9F64F . 15360 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe [-] 2008-04-14 . 584450C5B2439571755D40444589C63D . 40448 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\ctfmon.exe [-] 2010-02-16 . 297C1AE40DE572E38618042B781EEE15 . 2231168 . . [5.1.2600.5938] . . d:\windows\system32\ntkrnlpa.exe [-] 2010-02-16 . 297C1AE40DE572E38618042B781EEE15 . 2231168 . . [5.1.2600.5938] . . d:\windows\system32\dllcache\ntkrnlpa.exe [7] 2010-02-16 . 1F54DE75A9C8EC46E9FB53C1890C9ED3 . 2071040 . . [5.1.2600.5938] . . d:\windows\Driver Cache\i386\ntkrnlpa.exe [7] 2010-02-16 . 1F54DE75A9C8EC46E9FB53C1890C9ED3 . 2071040 . . [5.1.2600.5938] . . d:\windows\ERDNT\cache\ntkrnlpa.exe [7] 2010-02-16 . 1F54DE75A9C8EC46E9FB53C1890C9ED3 . 2071040 . . [5.1.2600.5938] . . d:\windows\NiwradSoft Shell Pack\Backup\ntkrnlpa.exe [-] 2010-02-16 . 297C1AE40DE572E38618042B781EEE15 . 2231168 . . [5.1.2600.5938] . . d:\windows\ServicePackFiles\i386\ntkrnlpa.exe [7] 2010-02-16 . E94AC126E7ADFD40DC4E38D2E91236D8 . 2071168 . . [5.1.2600.5938] . . d:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe [7] 2009-12-09 . 7D45AF0A376A7EEE59B2A4BCDC304C9C . 2070400 . . [5.1.2600.5913] . . d:\windows\$hf_mig$\KB977165\SP3QFE\ntkrnlpa.exe [7] 2009-12-09 . FA72BE44F0715BD88A37C77559ACB3B7 . 2070272 . . [5.1.2600.5913] . . d:\windows\$NtUninstallKB979683$\ntkrnlpa.exe [7] 2009-08-05 . 6FEC1B436323CC29B3008D7C5BF2A10F . 2070400 . . [5.1.2600.5857] . . d:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe [7] 2009-02-09 . FF7FE874B6DA494303EE3DD9B97AB007 . 2070400 . . [5.1.2600.5755] . . d:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe [7] 2008-08-14 . 586A93E0C23F6A1893F6706F36B22598 . 2070272 . . [5.1.2600.5657] . . d:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe [7] 2008-08-14 . 145CD2BBA58988B7A2E9B910AC4D4CA4 . 2067200 . . [5.1.2600.3427] . . d:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe [7] 2008-08-14 . 
A62251C7C1F0DBC3241ABF1985EDE75E . 2070272 . . [5.1.2600.5657] . . d:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe [7] 2007-02-28 . D027F0097B8F099C09369B8CC97D7C32 . 2063616 . . [5.1.2600.3093] . . d:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe [7] 2005-03-02 . AED7B3AA86AD031CF39C6E4BBA37E818 . 2061184 . . [5.1.2600.2622] . . d:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CursorXP"="d:\arquivos de programas\CursorXP\CursorXP.exe" [2005-01-19 128000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648] "Adobe Reader Speed Launcher"="d:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272] "Adobe ARM"="d:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768] "SunJavaUpdateSched"="d:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040] "avgnt"="d:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "HonorAutoRunSetting"= 0 (0x0) "NoResolveTrack"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoRealMode"= 0 (0x0) "HonorAutoRunSetting"= 0 (0x0) "NoFileUrl"= 0 (0x0) "NoUpdateCheck"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=d:\windows\system32\wbsys.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ \0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDDirect.sys] @="Driver" [HKLM\~\startupfolder\D:^Documents and Settings^edsom luis^Menu Iniciar^Programas^Inicializar^BrOffice.org 
3.1.lnk]
[HKLM\~\startupfolder\D:^Documents and Settings^edsom luis^Menu Iniciar^Programas^Inicializar^setup_9.0.0.722_15.01.2010_15-37.lnk]
[HKLM\~\startupfolder\D:^Documents and Settings^edsom luis^Menu Iniciar^Programas^Inicializar^setup_9.0.0.722_18.02.2010_16-03.lnk]
[HKLM\~\startupfolder\^.mjsync_pt_BR]
path=\.mjsync_pt_BR
[HKLM\~\startupfolder\^catchme.exe]
path=\catchme.exe
[HKLM\~\startupfolder\^Desktop.rar]
path=\Desktop.rar
[HKLM\~\startupfolder\^dumphive.exe]
path=\dumphive.exe
[HKLM\~\startupfolder\^Favoritos.rar]
path=\Favoritos.rar
[HKLM\~\startupfolder\^haxoth2.txt]
path=\haxoth2.txt
[HKLM\~\startupfolder\^md5file.exe]
path=\md5file.exe
[HKLM\~\startupfolder\^moveex.exe]
path=\moveex.exe
[HKLM\~\startupfolder\^NTUSER.DAT]
path=\ntuser.dat
[HKLM\~\startupfolder\^NTUSER.DAT.bak_jv16pt]
path=\NTUSER.DAT.bak_jv16pt
[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
[HKLM\~\startupfolder\^NTUSER.DAT.tmp.LOG]
path=\NTUSER.DAT.tmp.LOG
[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
[HKLM\~\startupfolder\^ntuser.pol]
path=\ntuser.pol
[HKLM\~\startupfolder\^PrivacIE.rar]
path=\PrivacIE.rar
[HKLM\~\startupfolder\^process.exe]
path=\process.exe
[HKLM\~\startupfolder\^rebuilt.Menu Iniciar.rar]
path=\rebuilt.Menu Iniciar.rar
[HKLM\~\startupfolder\^rebuilt.UserData.rar]
path=\rebuilt.UserData.rar
[HKLM\~\startupfolder\^run2.hax]
path=\run2.hax
[HKLM\~\startupfolder\^swreg.exe]
path=\swreg.exe
[HKLM\~\startupfolder\^swsc.exe]
path=\swsc.exe
[HKLM\~\startupfolder\^tool_en.log]
path=\tool_en.log
[HKLM\~\startupfolder\^UserData.rar]
path=\UserData.rar
[HKLM\~\startupfolder\^vfind.exe]
path=\vfind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- d:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- d:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:20 40448 ----a-w- d:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
2005-01-19 19:34 128000 ----a-w- d:\arquivos de programas\CursorXP\CursorXP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2008-11-04 04:44 435096 ------w- d:\arquiv~1\ARQUIV~1\MICROS~1\DW\DWTRIG20.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 14:43 248040 ----a-w- d:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager-060409-093314"=3 (0x3)
"ZeppelinService"=2 (0x2)
"idsvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Arquivos de programas\\Arquivos comuns\\opera.exe"=
"d:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"d:\\Arquivos de programas\\Opera\\opera.exe"=
R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [11/9/2009 17:13 64160]
R1 VBoxDrv;VirtualBox Service;d:\windows\system32\drivers\VBoxDrv.sys [18/9/2009 13:11 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;d:\windows\system32\drivers\VBoxUSBMon.sys [18/9/2009 13:10 41424]
R2 713xTVCard;SAA7131 TV Card;d:\windows\system32\drivers\SAA713x.sys [15/3/2005 12:00 277504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [3/5/2010 15:00 135336]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;d:\windows\system32\drivers\VBoxNetAdp.sys [18/9/2009 13:11 91856]
R3 VBoxNetFlt;VBoxNetFlt Service;d:\windows\system32\drivers\VBoxNetFlt.sys [9/9/2009 20:15 100368]
R3 xpvcom;XPVCOM Port;d:\windows\system32\drivers\XPVCOM.sys [23/3/2007 02:00 30032]
S0 GbpKm;Gbp KernelMode;d:\windows\system32\drivers\GbpKm.sys [18/4/2009 21:46 26568]
S3 HDDirect;Hard Disk Direct Control;d:\windows\system32\drivers\hddirect.sys [4/5/2010 15:34 12552]
S3 RegGuard;RegGuard;d:\windows\system32\drivers\regguard.sys [17/9/2009 17:43 29584]
S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [14/4/2009 19:51 30136]
.
Conteúdo da pasta 'Tarefas Agendadas'
2010-05-04 d:\windows\Tasks\User_Feed_Synchronization-{85870EB0-73F3-41E1-92DD-7C153C1F486E}.job
- d:\windows\system32\msfeedssync.exe [2007-08-13 07:31]
.
.
------- Scan Suplementar -------
.
mWindow Title = IE: E&xportar para o Microsoft Excel
FF - ProfilePath - d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/webhp?hl=pt-BR
FF - component: d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: d:\arquivos de programas\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
---- FIREFOX POLICIES ----
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
.
------- Associação de arquivos/ficheiros -------
.
.txt=
.
- - - - ORFÃOS REMOVIDOS - - - -
SafeBoot-HDDirect
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 18:25
Windows 5.1.2600 Service Pack 3 FAT NTAPI
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
[HKEY_USERS\.Default\Software\Stardock\WindowBlinds]
@DACL=(02 0000)
[HKEY_USERS\S-1-5-21-839522115-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\740714A303E250D498777F604DB0FF93\SourceList]
@DACL=(02 0000)
"PackageName"="Dashboard.msi"
[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\B37BDAE8D62087948A0FE1FEE5E1EC7C\SourceList]
@DACL=(02 0000)
"PackageName"="Install_{8EADB73B-026D-4978-A8F0-1EEF5E1ECEC7}.msi"
"LastUsedSource"=expand:"n;1;d:\\Arquivos de programas\\Arquivos comuns\\WindowsLiveInstaller\\MsiSources\\"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"
[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\LEGACY_REMOVEANY\0000]
@DACL=(02 0000)
"Service"="RemoveAny"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="RemoveAny driver"
"Capabilities"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\LEGACY_TMCOMM\0000]
@DACL=(02 0000)
"Service"="tmcomm"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="tmcomm"
"Capabilities"=dword:00000000
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'winlogon.exe'(1308)
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\sfc_os.dll
d:\windows\system32\cscui.dll
- - - - - - - > 'lsass.exe'(1364)
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\psbase.dll
- - - - - - - > 'explorer.exe'(3292)
d:\windows\system32\WININET.dll
d:\windows\system32\COMRes.dll
d:\windows\System32\cscui.dll
d:\windows\system32\msi.dll
d:\windows\system32\ntshrui.dll
d:\windows\system32\LINKINFO.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\NETSHELL.dll
d:\windows\system32\credui.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
d:\arquivos de programas\CursorXP\CurXP0.dll
.
------------------------ Outros Processos em Execução ------------------------
.
d:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe
d:\arquivos de programas\Java\jre6\bin\jqs.exe
d:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
d:\arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
d:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Tempo para conclusão: 2010-05-04 18:28:03 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-05-04 21:28
ComboFix2.txt 2010-04-22 02:19
ComboFix3.txt 2010-04-18 21:54
ComboFix4.txt 2010-04-02 14:33
ComboFix5.txt 2010-05-04 21:14
Pré-execução: 22 pasta(s) 41.508.929.536 bytes disponíveis
Pós execução: 24 pasta(s) 41.756.688.384 bytes disponíveis
- - End Of File - - 8B08E43C8295541EE8101277D9D73802

Cheers
DigRam
Posted May 5, 2010

Good morning! EDSSX
This infection, HEUR:Trojan.Win32.Invader, in the directories of the French tools listed below; are they false positives?
<!> Yes! But those tools must be removed, since they are constantly updated.
<!> So there is no reason for them to stay on the machine.
<!> Now create a System Restore Point.
oooooooooooooooooooooo
oooooooooooooooooooooo
<@> Select and copy all of the content in the QUOTE area into Notepad.
<@> Save it on the Desktop with the name: CFScript.txt

rootkit::
d:\windows\system32\drivers\AvgArCln.sys
d:\windows\system32\drivers\pavboot.sys
d:\windows\system32\drivers\regguard.sys
d:\windows\system32\drivers\Lbd.sys
File::
D:\WINDOWS\system32\txmlutil.dll
D:\desktop\download\haxfix.exe
D:\desktop\download\haxfix\catchme.exe
D:\desktop\download\LOP S&D.exe
D:\desktop\download\LOP S&D\catchme.exe
D:\HaxFix.exe
D:\autorun.inf
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
RegLock::
[HKEY_USERS\S-1-5-21-839522115-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\B37BDAE8D62087948A0FE1FEE5E1EC7C\SourceList]
[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\740714A303E250D498777F604DB0FF93\SourceList]
[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\LEGACY_REMOVEANY\0000]
[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\LEGACY_TMCOMM\0000]
[HKEY_USERS\.Default\Software\Stardock\WindowBlinds]
RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\LEGACY_REMOVEANY\0000]
[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\LEGACY_TMCOMM\0000]
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoveAny]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoveAny]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_TMCOMM]
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\LEGACY_REMOVEANY]
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\LEGACY_TMCOMM]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tmcomm]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmcomm]
[-HKEY_CURRENT_USER\Software\RemoveAny]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Driver::
"ewqvudyvrsaa"
"LEGACY_REMOVEANY"
"LEGACY_TMCOMM"
"RegGuard"
"AvgArCln"
"pavboot"
"Lbd"
Folder::
d:\arquivos de programas\navilog1
D:\desktop\download\LOP S&D
D:\desktop\download\haxfix
D:\autorun.inf
D:\Navilog1
D:\Lop SD

<@> PS: It is recommended that you be disconnected while running the script.
<@> PS: Temporarily disable your antivirus.
<@> PS: Do not use this script on another machine!
<@> Drag CFScript.txt onto the ComboFix icon.
<@> See the demonstration!
<@> Accept the prompt that should appear asking to run ComboFix.
<@> PS: Keep dragging until that prompt (window) appears!
<@> When it finishes, post: D:\ComboFix.txt
oooooooooooooooooooooo
oooooooooooooooooooooo
<@> Download: < UsbFix.exe > ( ...by Chiquitine29 and Chimay8 )
<@> Save it in the Arquivos de programas folder!
<@> Disable your antivirus!
<@> Install and run the tool with a double-click on: < >
<@> In the language options, choose "PT-BR" --> Enter.
<@> Choose option 2: 2. Suppression des fichiers infectieux --> Press Enter.
<@> A message will appear asking you to connect your removable media to the computer ( pen drive, mp3, mp4, iPods, etc... ).
<@> Accept the request and click OK. --> Then click OK again.
<@> The computer will restart. <-- Wait!
<@> When it finishes, click "Continue" and wait for the tool to complete.
<@> PS: Do not disconnect your removable media yet! <-- Important!
<@> The message "Nettoyage effectue" will appear --> Press Enter.
<@> Post the report, which will be at: D:\UsbFix.txt
Cheers!
EDSSX
Posted May 5, 2010

Good morning! Here are the logs:

ComboFix 10-05-04.06 - edsom luis 05/05/2010 9:34.8.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.277 [GMT -3:00]
Executando de: d:\documents and settings\edsom luis\Desktop\ComboFix.exe
Comandos utilizados :: d:\documents and settings\edsom luis\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FILE ::
"D:\autorun.inf"
"d:\desktop\download\haxfix.exe"
"d:\desktop\download\haxfix\catchme.exe"
"d:\desktop\download\LOP S&D.exe"
"d:\desktop\download\LOP S&D\catchme.exe"
"D:\HaxFix.exe"
"d:\windows\system32\txmlutil.dll"
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\arquivos de programas\navilog1
D:\autorun.inf
d:\autorun.inf\lpt3.This folder was created by UsbFix
D:\HaxFix.exe
D:\Lop SD
d:\lop sd\App-Prog.lsd
d:\lop sd\AuDoss.lsd
d:\lop sd\AutrInf.cmd
d:\lop sd\AWF.cmd
d:\lop sd\Back.cmd
d:\lop sd\Backup-Lop\Hosts\Hosts
d:\lop sd\Backup-Lop\Reg\HKCU_Run.reg
d:\lop sd\Backup-Lop\Reg\HKLM_Run.reg
d:\lop sd\Backup-Lop\Reg\HKLM_Uninstall.reg
d:\lop sd\Boo.reg
d:\lop sd\BooFix.cmd
d:\lop sd\catchme.exe
d:\lop sd\catchme.log
d:\lop sd\Changelog Lop SD.txt
d:\lop sd\DirectFix.cmd
d:\lop sd\Discl_en.vbs
d:\lop sd\Discl_fr.vbs
d:\lop sd\Discl_ne.vbs
d:\lop sd\Discl_sp.vbs
d:\lop sd\Discl_su.vbs
d:\lop sd\Doss.lsd
d:\lop sd\Icon_Lop.ico
d:\lop sd\iNv.exe
d:\lop sd\KILL.cmd
d:\lop sd\Langues.cmd
d:\lop sd\LopR_1.txt
d:\lop sd\LopR_2.txt
d:\lop sd\LopR_3.txt
d:\lop sd\LopR_4.txt
d:\lop sd\LopR_5.txt
d:\lop sd\LopR_6.txt
d:\lop sd\LopScript.cmd
d:\lop sd\LopSD.cmd
d:\lop sd\lsTasks.exe
d:\lop sd\Orph.egd
d:\lop sd\OsV.exe
d:\lop sd\paths.bat
d:\lop sd\Proc.txt
d:\lop sd\pv.exe
d:\lop sd\RegLop.reg
d:\lop sd\Rkeys.txt
d:\lop sd\RKit.lsd
d:\lop sd\RoGUeS.lsd
d:\lop sd\RunTool.txt
d:\lop sd\S_LopV.cmd
d:\lop sd\S_LopX.cmd
d:\lop sd\sed.exe
d:\lop sd\setpath.exe
d:\lop sd\task.txt
d:\lop sd\WhL.lsd
D:\Navilog1
d:\navilog1\Contents\Filess.bat
d:\navilog1\Contents\Folders.bat
d:\navilog1\Contents\Folderss.bat
d:\navilog1\Contents\Fss86.bat
d:\navilog1\Contents\Gnc2.bat
d:\navilog1\Contents\Gnc2su.bat
d:\navilog1\Contents\Gncs.bat
d:\navilog1\Contents\Gncssfil.bat
d:\navilog1\Contents\Heurs.bat
d:\navilog1\Contents\Heurss.bat
d:\navilog1\Contents\Orphus.bat
d:\navilog1\Contents\Setlang.bat
d:\navilog1\Contents\Wlist.bat
d:\navilog1\Fav.exe
d:\navilog1\GetPaths.exe
d:\navilog1\mvfile.bat
d:\navilog1\navilog1.bat
d:\navilog1\Navreb.bat
d:\navilog1\oem2ansi.exe
d:\navilog1\OsV.exe
d:\navilog1\reg.exe
d:\navilog1\regnavi.reg
d:\navilog1\Report\debug.txt
d:\navilog1\traite.bat
d:\navilog1\traite2.bat
d:\navilog1\traite3.bat
d:\navilog1\Uninstal.bat
d:\windows\rrxx.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_LBD
-------\Legacy_REGGUARD
-------\Service_Lbd
-------\Service_RegGuard
(((((((((((((((( Arquivos/Ficheiros criados de 2010-04-05 to 2010-05-05 ))))))))))))))))))))))))))))
.
2010-05-04 18:34 . 2010-05-04 18:34 12552 ----a-w- d:\windows\system32\drivers\hddirect.sys
2010-05-04 03:41 . 2010-05-04 03:41 -------- d-----w- d:\arquivos de programas\CCleaner
2010-05-03 18:07 . 2010-05-03 18:07 -------- d-----w- d:\documents and settings\edsom luis\Dados de aplicativos\Avira
2010-05-03 18:00 . 2010-03-01 13:05 124784 ----a-w- d:\windows\system32\drivers\avipbb.sys
2010-05-03 18:00 . 2010-02-16 17:24 60936 ----a-w- d:\windows\system32\drivers\avgntflt.sys
2010-05-03 18:00 . 2009-05-11 15:49 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys
2010-05-03 18:00 . 2010-05-03 18:00 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Avira
2010-05-03 18:00 . 2010-05-03 18:00 -------- d-----w- d:\arquivos de programas\Avira
2010-05-03 18:00 . 2009-05-11 15:49 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys
2010-05-03 01:06 . 2010-05-03 01:06 0 ----a-w- d:\documents and settings\edsom luis\settings.dat
2010-05-02 21:04 . 2010-04-29 18:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 21:04 . 2010-04-29 18:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-05-01 14:11 . 2010-05-01 14:11 -------- d-----w- d:\arquivos de programas\Opera
2010-04-30 21:42 . 2008-04-13 17:44 2560 ----a-w- d:\documents and settings\All Users\Dados de aplicativos\Microsoft\USMT\iconlib.dll
2010-04-30 01:07 . 2010-04-29 20:56 699512 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-30 01:07 . 2010-04-29 20:56 863312 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-30 00:45 . 2010-04-30 00:45 -------- d-----w- d:\windows\system32\wbem\Repository
2010-04-29 23:16 . 2010-04-29 23:16 54624 ----a-w- d:\windows\system32\9877.sys
2010-04-29 22:09 . 2007-01-18 12:00 3968 ----a-w- d:\windows\system32\drivers\AvgArCln.sys
2010-04-26 22:45 . 2010-04-26 22:45 -------- d-----w- d:\arquivos de programas\Yahoo!
2010-04-25 17:52 . 2010-04-25 17:52 -------- d--h--w- d:\windows\NiwradSoft Shell Pack
2010-04-24 20:13 . 2010-04-24 20:13 -------- d-----w- d:\windows\speech
2010-04-22 23:54 . 2010-04-22 23:54 -------- d-----w- d:\arquivos de programas\Malwarebytes' Anti-Malware
2010-04-22 18:28 . 2009-12-17 07:41 345600 ------w- d:\windows\system32\dllcache\mspaint.exe
2010-04-22 15:34 . 2009-06-30 12:37 28552 ----a-w- d:\windows\system32\drivers\pavboot.sys
2010-04-18 20:27 . 2010-04-18 20:27 -------- d-----w- d:\arquivos de programas\Arquivos comuns\Stardock
2010-04-18 01:03 .
2010-04-21 18:22 79488 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Sun\Java\jre1.6.0_20\gtapi.dll 2010-04-18 01:03 . 2010-04-21 18:22 152576 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\Sun\Java\jre1.6.0_20\lzma.dll 2010-04-18 00:33 . 2010-04-18 00:33 411368 ----a-w- d:\windows\system32\deployJava1.dll 2010-04-17 17:51 . 2010-04-17 17:51 -------- d-----w- d:\windows\Crystal 2010-04-17 17:40 . 2010-04-17 17:40 -------- d-----w- D:\APTDatabase 2010-04-06 01:42 . 2010-04-06 01:42 -------- d-----w- d:\arquivos de programas\Safari 2010-04-06 01:41 . 2010-04-06 01:41 -------- d-----w- d:\arquivos de programas\Apple Software Update . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-05 12:42 . 2010-02-06 22:21 12 ----a-w- d:\windows\system32\drivers\IncompleteBoot.cnt 2010-05-05 01:43 . 2009-08-27 01:37 664 ----a-w- d:\windows\system32\d3d9caps.dat 2010-04-29 23:54 . 2009-09-22 20:52 1 ----a-w- d:\documents and settings\edsom luis\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys 2010-04-25 21:25 . 2004-08-04 10:45 219648 ----a-w- d:\windows\system32\uxtheme.dll 2010-04-04 19:14 . 2010-04-04 19:14 -------- d-----w- d:\arquivos de programas\Arquivos comuns\Apple 2010-04-04 19:14 . 2010-04-04 19:14 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\Apple 2010-04-03 14:18 . 2010-04-03 14:18 -------- d-----w- d:\arquivos de programas\Windows Live 2010-04-01 20:31 . 2010-04-01 20:31 -------- d-----w- d:\documents and settings\All Users\Dados de aplicativos\WinZip 2010-03-10 06:16 . 2004-08-04 10:45 420352 ----a-w- d:\windows\system32\vbscript.dll 2010-03-04 07:00 . 2010-03-04 07:00 79144 ----a-w- d:\documents and settings\All Users\Dados de aplicativos\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe 2010-03-04 01:54 . 2001-10-28 21:07 80630 ----a-w- d:\windows\system32\perfc016.dat 2010-03-04 01:54 . 
2001-10-28 21:07 471828 ----a-w- d:\windows\system32\perfh016.dat 2010-02-25 06:17 . 2004-08-04 10:45 983040 ----a-w- d:\windows\system32\wininet.dll 2010-02-24 13:11 . 2004-08-04 09:15 455680 ----a-w- d:\windows\system32\drivers\mrxsmb.sys 2010-02-17 17:07 . 2004-08-04 10:40 2354304 ----a-w- d:\windows\system32\ntoskrnl.exe 2010-02-17 04:06 . 2010-02-17 04:06 126976 ----a-w- d:\windows\MSKeyStoreJNI.dll 2010-02-16 19:07 . 2004-08-04 03:40 2231168 ----a-w- d:\windows\system32\ntkrnlpa.exe 2010-02-12 04:34 . 2004-08-04 10:45 100864 ----a-w- d:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2004-08-04 09:07 226880 ----a-w- d:\windows\system32\drivers\tcpip6.sys 2010-02-08 11:23 . 2010-01-16 19:07 7725 ----a-w- d:\windows\system32\tcpip.reg 2009-12-01 18:16 . 2009-12-01 18:16 38338 ------w- d:\arquivos de programas\Uninst.isu 2009-11-27 21:47 . 2009-11-13 21:19 218 ------w- d:\arquivos de programas\Arquivos comuns\operaprefs_default.ini 2009-11-20 22:11 . 2009-11-20 22:11 15828 ------w- d:\arquivos de programas\Arquivos comuns\license.rtf 2009-11-20 22:01 . 2009-11-20 22:01 832296 ------w- d:\arquivos de programas\Arquivos comuns\opera.exe 2009-11-20 22:01 . 2009-11-20 22:01 4450088 ------w- d:\arquivos de programas\Arquivos comuns\opera.dll 2009-11-20 22:00 . 2009-11-20 22:00 20480 ------w- d:\arquivos de programas\Arquivos comuns\OUniAnsi.dll 2009-11-20 22:00 . 2009-11-20 22:00 653419 ------w- d:\arquivos de programas\Arquivos comuns\encoding.bin 2009-11-13 21:19 . 2009-03-27 23:27 2320 ------w- d:\arquivos de programas\Arquivos comuns\operadef6.ini 2009-08-19 08:39 . 2009-08-19 08:39 330 ------w- d:\arquivos de programas\setup.ini 2009-07-10 06:20 . 2009-12-01 18:16 621546 ----a-w- d:\arquivos de programas\Arquivos comuns\ACIHELP.HLP.vir 2009-07-10 06:20 . 2009-12-01 18:16 3219 ----a-w- d:\arquivos de programas\Arquivos comuns\Acihelp.cnt.vir 2009-06-17 17:41 . 
2009-06-17 17:41 3870 ----a-w- d:\arquivos de programas\Arquivos comuns\lngcode.txt.vir 2008-06-09 13:17 . 2008-06-09 13:17 301 ----a-w- d:\arquivos de programas\Arquivos comuns\c3nform.vxml.vir 2004-02-26 16:35 . 2004-02-26 16:35 7904 ------w- d:\arquivos de programas\Arquivos comuns\html40_entities.dtd 2002-03-11 09:06 . 2002-03-11 09:06 1822520 ------w- d:\arquivos de programas\instmsiw.exe 2002-03-11 08:45 . 2002-03-11 08:45 1708856 ------w- d:\arquivos de programas\instmsia.exe 2009-11-24 09:18 . 2009-04-29 23:59 32 --sha-w- d:\windows\system32\drivers\fidbox.dat 2009-03-08 17:09 . 2010-04-25 18:01 638816 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe 2008-04-14 03:21 . 2010-04-25 18:01 73728 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\wmplayer.exe . ------- Sigcheck ------- [-] 2008-04-14 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . d:\windows\system32\winlogon.exe [-] 2008-04-14 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . d:\windows\system32\dllcache\winlogon.exe [7] 2008-04-14 . 71D440F79B711627B12B567FB2EADB42 . 509952 . . [5.1.2600.5512] . . d:\windows\ERDNT\cache\winlogon.exe [7] 2008-04-14 . 71D440F79B711627B12B567FB2EADB42 . 509952 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe [-] 2008-04-14 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\winlogon.exe [-] 2008-04-14 . 302CD5BE4CA48200F9AC1C6074D71805 . 643072 . . [5.82] . . d:\windows\system32\comctl32.dll [7] 2008-04-14 . 085C5892D9C1E19B3CEFD1B79F5BBF13 . 617472 . . [5.82] . . d:\windows\ERDNT\cache\comctl32.dll [7] 2008-04-14 . 085C5892D9C1E19B3CEFD1B79F5BBF13 . 617472 . . [5.82] . . d:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll [-] 2008-04-14 . 302CD5BE4CA48200F9AC1C6074D71805 . 643072 . . [5.82] . . d:\windows\ServicePackFiles\i386\comctl32.dll [-] 2010-02-25 . A709662B2C291B04B765FAC8583AC8E0 . 6106112 . . [8.00.6001.18904] . . 
d:\windows\system32\mshtml.dll [-] 2010-02-25 . A709662B2C291B04B765FAC8583AC8E0 . 6106112 . . [8.00.6001.18904] . . d:\windows\system32\dllcache\mshtml.dll [7] 2010-02-25 . 23099BB44DA6A7D80B15FF4F7C51877D . 5944832 . . [8.00.6001.18904] . . d:\windows\ERDNT\cache\mshtml.dll [7] 2010-02-25 . 23099BB44DA6A7D80B15FF4F7C51877D . 5944832 . . [8.00.6001.18904] . . d:\windows\NiwradSoft Shell Pack\Backup\mshtml.dll [-] 2010-02-25 . A709662B2C291B04B765FAC8583AC8E0 . 6106112 . . [8.00.6001.18904] . . d:\windows\ServicePackFiles\i386\mshtml.dll [7] 2010-02-25 . 6D179FBB1B42A3C33955652D3A38BFDF . 5946880 . . [8.00.6001.22995] . . d:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mshtml.dll [7] 2009-12-21 . B5A5C997C2F926C40CCC64A3BD377D4B . 5942784 . . [8.00.6001.18876] . . d:\windows\ie8updates\KB980182-IE8\mshtml.dll [7] 2009-12-21 . AAD700DEA94EE6E56E591C351111941A . 5945856 . . [8.00.6001.22967] . . d:\windows\$hf_mig$\KB978207-IE8\SP3QFE\mshtml.dll [7] 2009-10-29 . 58A17D0C94F23CD59346720B0C374A90 . 5940736 . . [8.00.6001.18854] . . d:\windows\ie8updates\KB978207-IE8\mshtml.dll [7] 2009-10-29 . 80F9322FBC4BBBC3A0DB6E9B3C953C60 . 5944320 . . [8.00.6001.22945] . . d:\windows\$hf_mig$\KB976325-IE8\SP3QFE\mshtml.dll [7] 2009-10-22 . 61245C5B4B4F06058F4038DC2C7D9C72 . 5939712 . . [8.00.6001.18852] . . d:\windows\ie8updates\KB976325-IE8\mshtml.dll [7] 2009-10-22 . 4E0FB322DCCB816F5DD56E9B2BE5E664 . 5943296 . . [8.00.6001.22942] . . d:\windows\$hf_mig$\KB976749-IE8\SP3QFE\mshtml.dll [7] 2009-08-29 . DB337CCC2E1111068F0FFD08982810F7 . 5940224 . . [8.00.6001.18828] . . d:\windows\ie8updates\KB976749-IE8\mshtml.dll [7] 2009-08-29 . E719DAF5D7972B69647CF32C9FD1601D . 5942272 . . [8.00.6001.22918] . . d:\windows\$hf_mig$\KB974455-IE8\SP3QFE\mshtml.dll [7] 2009-07-19 . CD4DC10D4F812033C4B402C9620F10BB . 5937152 . . [8.00.6001.18812] . . d:\windows\ie8updates\KB974455-IE8\mshtml.dll [7] 2009-07-19 . 5B7C8A16598E79AD559323C81737AC4D . 5938176 . . [8.00.6001.22902] . . 
d:\windows\$hf_mig$\KB972260-IE8\SP3QFE\mshtml.dll [7] 2009-05-13 . BE87C13E58E44084D7B81B047EB1121B . 5936128 . . [8.00.6001.22873] . . d:\windows\$hf_mig$\KB969897-IE8\SP3QFE\mshtml.dll [7] 2009-05-13 . 285B63B5E7BE2B4237F6528DFE11CDB4 . 5936128 . . [8.00.6001.18783] . . d:\windows\ie8updates\KB972260-IE8\mshtml.dll [7] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . d:\windows\ie8updates\KB969897-IE8\mshtml.dll [7] 2009-01-17 . BC083F2B02EA9E69A636970859AF8DAF . 3594752 . . [7.00.6000.16809] . . d:\windows\ie8\mshtml.dll [7] 2009-01-16 . 628A8E851FBA1F2183CE327B76E19E3E . 3596288 . . [7.00.6000.20996] . . d:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll [7] 2008-12-13 . A294B659329C4007D75FF675A8A3A94F . 3593216 . . [7.00.6000.16788] . . d:\windows\ie7updates\KB961260-IE7\mshtml.dll [7] 2008-12-13 . 4C2F6BAFA9236FA50620CC3E6DDF3BAD . 3594752 . . [7.00.6000.20973] . . d:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll [7] 2008-10-16 . 2B042E339C0C5E1584D49EB5579ABBD1 . 3595264 . . [7.00.6000.20935] . . d:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll [7] 2008-02-16 . 9D318F222A6FF820D92EC97F4F1935EC . 3087872 . . [6.00.2900.3314] . . d:\windows\$hf_mig$\KB947864\SP2QFE\mshtml.dll [7] 2007-08-13 . C6EC2493346ED8888A549F59210A8ED3 . 3578368 . . [7.00.5730.13] . . d:\windows\ie7updates\KB960714-IE7\mshtml.dll [-] 2010-02-17 . 16F9B5E8C253A9211ED01885077C7526 . 2354304 . . [5.1.2600.5938] . . d:\windows\system32\ntoskrnl.exe [-] 2010-02-17 . 16F9B5E8C253A9211ED01885077C7526 . 2354304 . . [5.1.2600.5938] . . d:\windows\system32\dllcache\ntoskrnl.exe [7] 2010-02-17 . 124F4EC97A7683D1A67B3AECFE258ABD . 2194176 . . [5.1.2600.5938] . . d:\windows\Driver Cache\i386\ntoskrnl.exe [7] 2010-02-17 . 124F4EC97A7683D1A67B3AECFE258ABD . 2194176 . . [5.1.2600.5938] . . d:\windows\ERDNT\cache\ntoskrnl.exe [7] 2010-02-17 . 124F4EC97A7683D1A67B3AECFE258ABD . 2194176 . . [5.1.2600.5938] . . 
d:\windows\NiwradSoft Shell Pack\Backup\ntoskrnl.exe [-] 2010-02-17 . 16F9B5E8C253A9211ED01885077C7526 . 2354304 . . [5.1.2600.5938] . . d:\windows\ServicePackFiles\i386\ntoskrnl.exe [7] 2010-02-16 . 8A47EB27E99109826F8A54BB64BE8131 . 2194304 . . [5.1.2600.5938] . . d:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe [7] 2009-12-09 . C25035B93BDF12E2CB89C6F5BF8B99F1 . 2193536 . . [5.1.2600.5913] . . d:\windows\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe [7] 2009-12-09 . EB331E36934D9016B66CDF694954A8AF . 2193408 . . [5.1.2600.5913] . . d:\windows\$NtUninstallKB979683$\ntoskrnl.exe [7] 2009-08-04 . 3B75E61D1546C05A959EDFE11F1510D1 . 2193536 . . [5.1.2600.5857] . . d:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe [7] 2009-02-10 . B0BF079AF000D97D8C043D1DFF08086D . 2193408 . . [5.1.2600.5755] . . d:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe [7] 2008-08-14 . A42CC3CFC02A7B2BAEC7B0D45808B257 . 2193408 . . [5.1.2600.5657] . . d:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe [7] 2008-08-14 . B72A025A758683552C4FEC7EABCB0661 . 2190208 . . [5.1.2600.3427] . . d:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe [7] 2008-08-14 . 04BA43B0D2A13BD6B06D707299243CFC . 2193408 . . [5.1.2600.5657] . . d:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe [7] 2007-02-28 . BFB4C8761976CCE0B544D557B4C70825 . 2186368 . . [5.1.2600.3093] . . d:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe [7] 2005-03-02 . 6E3AB4241E058B248CB7CDC5157449C3 . 2183808 . . [5.1.2600.2622] . . d:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe [-] 2008-04-14 . A9B36030497E98C29210E4544700649D . 579072 . . [5.1.2600.5512] . . d:\windows\system32\user32.dll [-] 2008-04-14 . A9B36030497E98C29210E4544700649D . 579072 . . [5.1.2600.5512] . . d:\windows\system32\dllcache\user32.dll [7] 2008-04-14 . 54907DB28872A7A6D3EE2B4747A23828 . 579072 . . [5.1.2600.5512] . . d:\windows\ERDNT\cache\user32.dll [7] 2008-04-14 . 54907DB28872A7A6D3EE2B4747A23828 . 579072 . . [5.1.2600.5512] . . 
d:\windows\NiwradSoft Shell Pack\Backup\user32.dll [-] 2008-04-14 . A9B36030497E98C29210E4544700649D . 579072 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\user32.dll [7] 2005-03-02 . 3ED0A4D74EFD5AAF8408095F452E2613 . 577536 . . [5.1.2600.2622] . . d:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll [-] 2010-02-25 . 9B25F4F2E1C0622CB951FCAED549F0A9 . 983040 . . [8.00.6001.18904] . . d:\windows\system32\wininet.dll [-] 2010-02-25 . 9B25F4F2E1C0622CB951FCAED549F0A9 . 983040 . . [8.00.6001.18904] . . d:\windows\system32\dllcache\wininet.dll [7] 2010-02-25 . E5CC74D62E06066451D59248CBFBAED0 . 916480 . . [8.00.6001.18904] . . d:\windows\ERDNT\cache\wininet.dll [7] 2010-02-25 . E5CC74D62E06066451D59248CBFBAED0 . 916480 . . [8.00.6001.18904] . . d:\windows\NiwradSoft Shell Pack\Backup\wininet.dll [-] 2010-02-25 . 9B25F4F2E1C0622CB951FCAED549F0A9 . 983040 . . [8.00.6001.18904] . . d:\windows\ServicePackFiles\i386\wininet.dll [7] 2010-02-25 . D8E3E2FD8928B2BD8BEB2518C2E45ED1 . 919040 . . [8.00.6001.22995] . . d:\windows\$hf_mig$\KB980182-IE8\SP3QFE\wininet.dll [7] 2009-12-21 . 79805286A6D381A658A1871F6B3588B9 . 916480 . . [8.00.6001.18876] . . d:\windows\ie8updates\KB980182-IE8\wininet.dll [7] 2009-12-21 . 11162780821A0531D39E675A662D766F . 916480 . . [8.00.6001.22967] . . d:\windows\$hf_mig$\KB978207-IE8\SP3QFE\wininet.dll [7] 2009-10-29 . 191FFB2798E4DB25F04C2E71C9595A85 . 916480 . . [8.00.6001.18854] . . d:\windows\ie8updates\KB978207-IE8\wininet.dll [7] 2009-10-29 . E30B8F0D3BFAF4B403C57F05242AEF74 . 916480 . . [8.00.6001.22945] . . d:\windows\$hf_mig$\KB976325-IE8\SP3QFE\wininet.dll [7] 2009-08-29 . 83438BBF93CA586ED5149B1E1AA1BDBB . 916480 . . [8.00.6001.18828] . . d:\windows\ie8updates\KB976325-IE8\wininet.dll [7] 2009-08-29 . 4F4F8F0B432A8B4B0D23829375358F34 . 916480 . . [8.00.6001.22918] . . d:\windows\$hf_mig$\KB974455-IE8\SP3QFE\wininet.dll [7] 2009-07-03 . 9572842DA52CF071068FAAB8AD4D74A5 . 915456 . . [8.00.6001.22896] . . 
d:\windows\$hf_mig$\KB972260-IE8\SP3QFE\wininet.dll [7] 2009-07-03 . 903350F08A1DF38714EF37F09EA11BB4 . 915456 . . [8.00.6001.18806] . . d:\windows\ie8updates\KB974455-IE8\wininet.dll [7] 2009-05-13 . 4E74AEBA5546A61C9DC35BC531EFFA23 . 915456 . . [8.00.6001.22873] . . d:\windows\$hf_mig$\KB969897-IE8\SP3QFE\wininet.dll [7] 2009-05-13 . 14E350ABCCBE0279D042AF2854E6D894 . 915456 . . [8.00.6001.18783] . . d:\windows\ie8updates\KB972260-IE8\wininet.dll [7] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . d:\windows\ie8updates\KB969897-IE8\wininet.dll [7] 2008-12-21 . E048867C310B09ED1C79E59B68DB8050 . 827904 . . [7.00.6000.20978] . . d:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll [7] 2008-12-20 . 94A623D9C0F2632796B4CE2753331F98 . 826368 . . [7.00.6000.16791] . . d:\windows\ie8\wininet.dll [7] 2008-10-16 . 779479E6F38BC77831F26BD9AAE3FAD3 . 826368 . . [7.00.6000.16762] . . d:\windows\ie7updates\KB961260-IE7\wininet.dll [7] 2008-10-16 . 4BCD45D77BD42A5E9C2DD2E847A5467E . 827904 . . [7.00.6000.20935] . . d:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll [7] 2008-02-16 . F3AD9DF6B30D5A3F67B5561109640958 . 668160 . . [6.00.2900.3314] . . d:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll [7] 2007-08-13 . A4A0FC92358F39538A6494C42EF99FE9 . 818688 . . [7.00.5730.13] . . d:\windows\ie7updates\KB958215-IE7\wininet.dll [-] 2008-04-14 . 77F71BF6970EA10B4CC9AA1D45654AA0 . 1542656 . . [6.00.2900.5512] . . d:\windows\explorer.exe [-] 2008-04-14 . 77F71BF6970EA10B4CC9AA1D45654AA0 . 1542656 . . [6.00.2900.5512] . . d:\windows\system32\dllcache\explorer.exe [7] 2008-04-14 . 064EC7FF5F58B928C3E119402977FA6D . 1035776 . . [6.00.2900.5512] . . d:\windows\ERDNT\cache\explorer.exe [7] 2008-04-14 . 064EC7FF5F58B928C3E119402977FA6D . 1035776 . . [6.00.2900.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\explorer.exe [-] 2008-04-14 . 77F71BF6970EA10B4CC9AA1D45654AA0 . 1542656 . . [6.00.2900.5512] . . 
d:\windows\ServicePackFiles\i386\explorer.exe [7] 2007-06-13 . 45D521506825A10B80833B4E9621CCF6 . 1035264 . . [6.00.2900.3156] . . d:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe [-] 2008-04-14 . 584450C5B2439571755D40444589C63D . 40448 . . [5.1.2600.5512] . . d:\windows\system32\ctfmon.exe [-] 2008-04-14 . 584450C5B2439571755D40444589C63D . 40448 . . [5.1.2600.5512] . . d:\windows\system32\dllcache\ctfmon.exe [7] 2008-04-14 . 4E486ADFE3A0B9ED0EB0639902E9F64F . 15360 . . [5.1.2600.5512] . . d:\windows\ERDNT\cache\ctfmon.exe [7] 2008-04-14 . 4E486ADFE3A0B9ED0EB0639902E9F64F . 15360 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe [-] 2008-04-14 . 584450C5B2439571755D40444589C63D . 40448 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\ctfmon.exe [-] 2010-02-16 . 297C1AE40DE572E38618042B781EEE15 . 2231168 . . [5.1.2600.5938] . . d:\windows\system32\ntkrnlpa.exe [-] 2010-02-16 . 297C1AE40DE572E38618042B781EEE15 . 2231168 . . [5.1.2600.5938] . . d:\windows\system32\dllcache\ntkrnlpa.exe [7] 2010-02-16 . 1F54DE75A9C8EC46E9FB53C1890C9ED3 . 2071040 . . [5.1.2600.5938] . . d:\windows\Driver Cache\i386\ntkrnlpa.exe [7] 2010-02-16 . 1F54DE75A9C8EC46E9FB53C1890C9ED3 . 2071040 . . [5.1.2600.5938] . . d:\windows\ERDNT\cache\ntkrnlpa.exe [7] 2010-02-16 . 1F54DE75A9C8EC46E9FB53C1890C9ED3 . 2071040 . . [5.1.2600.5938] . . d:\windows\NiwradSoft Shell Pack\Backup\ntkrnlpa.exe [-] 2010-02-16 . 297C1AE40DE572E38618042B781EEE15 . 2231168 . . [5.1.2600.5938] . . d:\windows\ServicePackFiles\i386\ntkrnlpa.exe [7] 2010-02-16 . E94AC126E7ADFD40DC4E38D2E91236D8 . 2071168 . . [5.1.2600.5938] . . d:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe [7] 2009-12-09 . 7D45AF0A376A7EEE59B2A4BCDC304C9C . 2070400 . . [5.1.2600.5913] . . d:\windows\$hf_mig$\KB977165\SP3QFE\ntkrnlpa.exe [7] 2009-12-09 . FA72BE44F0715BD88A37C77559ACB3B7 . 2070272 . . [5.1.2600.5913] . . d:\windows\$NtUninstallKB979683$\ntkrnlpa.exe [7] 2009-08-05 . 6FEC1B436323CC29B3008D7C5BF2A10F . 
2070400 . . [5.1.2600.5857] . . d:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe [7] 2009-02-09 . FF7FE874B6DA494303EE3DD9B97AB007 . 2070400 . . [5.1.2600.5755] . . d:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe [7] 2008-08-14 . 586A93E0C23F6A1893F6706F36B22598 . 2070272 . . [5.1.2600.5657] . . d:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe [7] 2008-08-14 . 145CD2BBA58988B7A2E9B910AC4D4CA4 . 2067200 . . [5.1.2600.3427] . . d:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe [7] 2008-08-14 . A62251C7C1F0DBC3241ABF1985EDE75E . 2070272 . . [5.1.2600.5657] . . d:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe [7] 2007-02-28 . D027F0097B8F099C09369B8CC97D7C32 . 2063616 . . [5.1.2600.3093] . . d:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe [7] 2005-03-02 . AED7B3AA86AD031CF39C6E4BBA37E818 . 2061184 . . [5.1.2600.2622] . . d:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe . ((((((((((((((((((((((((((((( SnapShot@2010-05-04_22.16.09 ))))))))))))))))))))))))))))))))))))))))) . + 2010-05-05 12:42 . 2010-05-05 12:42 16384 d:\windows\temp\Perflib_Perfdata_304.dat . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. 
REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CursorXP"="d:\arquivos de programas\CursorXP\CursorXP.exe" [2005-01-19 128000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648] "Adobe Reader Speed Launcher"="d:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272] "Adobe ARM"="d:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768] "SunJavaUpdateSched"="d:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040] "avgnt"="d:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "HonorAutoRunSetting"= 0 (0x0) "NoResolveTrack"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoRealMode"= 0 (0x0) "HonorAutoRunSetting"= 0 (0x0) "NoFileUrl"= 0 (0x0) "NoUpdateCheck"= 0 (0x0) [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ \0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDDirect.sys] @="Driver" [HKLM\~\startupfolder\D:^Documents and Settings^edsom luis^Menu Iniciar^Programas^Inicializar^BrOffice.org 3.1.lnk] [HKLM\~\startupfolder\D:^Documents and Settings^edsom luis^Menu Iniciar^Programas^Inicializar^setup_9.0.0.722_15.01.2010_15-37.lnk] [HKLM\~\startupfolder\D:^Documents and Settings^edsom luis^Menu Iniciar^Programas^Inicializar^setup_9.0.0.722_18.02.2010_16-03.lnk] [HKLM\~\startupfolder\^.mjsync_pt_BR] path=\.mjsync_pt_BR [HKLM\~\startupfolder\^catchme.exe] path=\catchme.exe [HKLM\~\startupfolder\^Desktop.rar] path=\Desktop.rar [HKLM\~\startupfolder\^dumphive.exe] path=\dumphive.exe [HKLM\~\startupfolder\^Favoritos.rar] path=\Favoritos.rar [HKLM\~\startupfolder\^haxoth2.txt] path=\haxoth2.txt [HKLM\~\startupfolder\^md5file.exe] path=\md5file.exe 
[HKLM\~\startupfolder\^moveex.exe] path=\moveex.exe [HKLM\~\startupfolder\^NTUSER.DAT] path=\ntuser.dat [HKLM\~\startupfolder\^NTUSER.DAT.bak_jv16pt] path=\NTUSER.DAT.bak_jv16pt [HKLM\~\startupfolder\^ntuser.dat.LOG] path=\ntuser.dat.LOG [HKLM\~\startupfolder\^NTUSER.DAT.tmp.LOG] path=\NTUSER.DAT.tmp.LOG [HKLM\~\startupfolder\^ntuser.ini] path=\ntuser.ini [HKLM\~\startupfolder\^ntuser.pol] path=\ntuser.pol [HKLM\~\startupfolder\^PrivacIE.rar] path=\PrivacIE.rar [HKLM\~\startupfolder\^process.exe] path=\process.exe [HKLM\~\startupfolder\^rebuilt.Menu Iniciar.rar] path=\rebuilt.Menu Iniciar.rar [HKLM\~\startupfolder\^rebuilt.UserData.rar] path=\rebuilt.UserData.rar [HKLM\~\startupfolder\^run2.hax] path=\run2.hax [HKLM\~\startupfolder\^swreg.exe] path=\swreg.exe [HKLM\~\startupfolder\^swsc.exe] path=\swsc.exe [HKLM\~\startupfolder\^tool_en.log] path=\tool_en.log [HKLM\~\startupfolder\^UserData.rar] path=\UserData.rar [HKLM\~\startupfolder\^vfind.exe] path=\vfind.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-03-24 18:17 952768 ----a-w- d:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-04-04 05:42 36272 ----a-w- d:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 03:20 40448 ----a-w- d:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP] 2005-01-19 19:34 128000 ----a-w- d:\arquivos de programas\CursorXP\CursorXP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting] 2008-11-04 04:44 435096 ------w- d:\arquiv~1\ARQUIV~1\MICROS~1\DW\DWTRIG20.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-02-18 14:43 248040 ----a-w- d:\arquivos de programas\Arquivos 
comuns\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "GoogleDesktopManager-060409-093314"=3 (0x3) "ZeppelinService"=2 (0x2) "idsvc"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "d:\\Arquivos de programas\\Arquivos comuns\\opera.exe"= "d:\\WINDOWS\\system32\\usmt\\migwiz.exe"= "d:\\Arquivos de programas\\Opera\\opera.exe"= R1 VBoxDrv;VirtualBox Service;d:\windows\system32\drivers\VBoxDrv.sys [18/9/2009 13:11 115856] R1 VBoxUSBMon;VirtualBox USB Monitor Driver;d:\windows\system32\drivers\VBoxUSBMon.sys [18/9/2009 13:10 41424] R2 713xTVCard;SAA7131 TV Card;d:\windows\system32\drivers\SAA713x.sys [15/3/2005 12:00 277504] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [3/5/2010 15:00 135336] R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;d:\windows\system32\drivers\VBoxNetAdp.sys [18/9/2009 13:11 91856] R3 VBoxNetFlt;VBoxNetFlt Service;d:\windows\system32\drivers\VBoxNetFlt.sys [9/9/2009 20:15 100368] R3 xpvcom;XPVCOM Port;d:\windows\system32\drivers\XPVCOM.sys [23/3/2007 02:00 30032] S0 GbpKm;Gbp KernelMode;d:\windows\system32\drivers\GbpKm.sys [18/4/2009 21:46 26568] S3 HDDirect;Hard Disk Direct Control;d:\windows\system32\drivers\hddirect.sys [4/5/2010 15:34 12552] S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [14/4/2009 19:51 30136] . Conteúdo da pasta 'Tarefas Agendadas' 2010-05-05 d:\windows\Tasks\User_Feed_Synchronization-{85870EB0-73F3-41E1-92DD-7C153C1F486E}.job - d:\windows\system32\msfeedssync.exe [2007-08-13 07:31] . . ------- Scan Suplementar ------- . 
mWindow Title =
IE: E&xportar para o Microsoft Excel
FF - ProfilePath - d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/webhp?hl=pt-BR
FF - component: d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: d:\arquivos de programas\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\documents and settings\edsom luis\Dados de aplicativos\Mozilla\Firefox\Profiles\izozpjim.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
d:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 09:44
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\.Default\Software\Stardock\WindowBlinds\WB5.ini\Installed]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="D?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(1300)
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\sfc_os.dll
d:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1356)
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\psbase.dll

- - - - - - - > 'explorer.exe'(3108)
d:\windows\system32\WININET.dll
d:\windows\system32\COMRes.dll
d:\windows\System32\cscui.dll
d:\windows\system32\msi.dll
d:\arquivos de programas\CursorXP\CurXP0.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\ntshrui.dll
d:\windows\system32\LINKINFO.dll
d:\windows\system32\NETSHELL.dll
d:\windows\system32\credui.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
d:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe
d:\arquivos de programas\Java\jre6\bin\jqs.exe
d:\arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
d:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
d:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Tempo para conclusão: 2010-05-05 09:47:56 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-05-05 12:47
ComboFix2.txt 2010-05-04 21:28

Pré-execução: 23 pasta(s) 41.903.718.400 bytes disponíveis
Pós execução: 21 pasta(s) 41.890.971.648 bytes disponíveis

- - End Of File - - 6D7C383267EEE2FC78B1C2035CDDC6F0

Edit: the UsbFix log was missing.

############################## | UsbFix V6.055 |

User : edsom luis (Administradores) # EDIM
Update on 18/11/2009 by Chiquitine29, C_XX & Chimay8
Start at: 10:02:49 | 5/5/2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : FindyKill.Contact@gmail.com

AMD Sempron 2400+
Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 8.0.6001.18702
Windows Firewall Status : Enabled
AV : AntiVir Desktop 10.0.1.44 [ Enabled | Updated ]

A:\ -> Unidade de disquete de 3 1/2 polegadas
C:\ -> Disco fixo local # 17,28 Go (9,52 Go free) # FAT32
D:\ -> Disco fixo local # 59 Go (39,04 Go free) # FAT32
E:\ -> Disco CD-ROM

############################## | Processos activos |

D:\WINDOWS\System32\smss.exe 1232
D:\WINDOWS\system32\csrss.exe 1276
D:\WINDOWS\system32\winlogon.exe 1300
D:\WINDOWS\system32\services.exe 1344
D:\WINDOWS\system32\lsass.exe 1356
D:\WINDOWS\system32\svchost.exe 1540
D:\WINDOWS\system32\svchost.exe 1620
D:\WINDOWS\System32\svchost.exe 628
D:\WINDOWS\system32\svchost.exe 724
D:\WINDOWS\system32\svchost.exe 988
D:\WINDOWS\system32\spoolsv.exe 1492
D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe 1656
D:\WINDOWS\Explorer.EXE 1900
D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe 232
D:\Arquivos de programas\Java\jre6\bin\jqs.exe 280
D:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe 660
D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE 732
D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe 816
D:\WINDOWS\system32\wuauclt.exe 1016
D:\WINDOWS\system32\wbem\wmiapsrv.exe 940
D:\WINDOWS\system32\wbem\wmiprvse.exe 1040
D:\WINDOWS\System32\alg.exe 1084
D:\WINDOWS\system32\wbem\wmiprvse.exe 592

################## | Ficheiros # pastas infeciosos |

################## | Registro # Chaves infectieuses |

Supprimido ! [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools"
Supprimido ! [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDrives"
Supprimido ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDrives"
Supprimido ! [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoResolveSearch"

################## | Registro # Mountpoints2 |

################## | Listing |

[04/08/2004 05:38|-rahs----|47564] C:\NTDETECT.COM
[28/10/2001 18:06|-rahs----|4952] C:\Bootfont.bin
[25/11/2009 10:03|-rahs----|0] C:\MSDOS.SYS
[25/11/2009 10:03|-rahs----|0] C:\IO.SYS
[21/01/2009 11:15|-rahs----|251696] C:\ntldr
[23/04/2010 20:20|--ahs----|391] C:\boot.ini
[?|?|?] C:\pagefile.sys
[03/08/2004 23:00|--a------|261856] C:\cmldr
[01/03/2010 23:03|--a------|1388] C:\hpfr3500.log
[13/01/2006 16:24|--a------|2982] C:\CONFIG.SYS
[02/05/2010 17:45|--a------|6498] C:\bdlog.txt
[16/01/2010 06:31|--a------|13030] C:\PDOXUSRS.NET
[16/09/2005 16:14|--a------|2982] C:\CONFIG.003
[29/12/2005 17:09|--a------|2982] C:\CONFIG.004
[06/01/2006 00:38|--a------|2982] C:\CONFIG.005
[29/12/2005 12:35|--a------|24686] C:\29-12-05_1235.jpg
[25/11/2005 17:12|--a------|21442] C:\25-11-05_1712.jpg
[17/06/2005 16:13|--a------|4718826] C:\(ok) Depeche Mode - The singles 86-98 -cd1-4- Strangelove.mp3
[28/10/2005 10:15|--a------|1895713] C:\Disco1.zip
[25/01/2002 12:07|--a------|578] C:\Config.Ini
[26/10/2008 17:38|--a------|251392] C:\iertutil.dll
[31/05/2005 20:30|--a------|23] C:\CONFIG.002
[26/10/2008 08:49|--a------|1132032] C:\PROPOSTA PRINCIPAL.doc
[26/10/2008 08:51|--a------|404992] C:\BRASILIA GERAL.doc
[26/10/2008 08:54|--a------|110080] C:\PROPOSTA BLINDAGEM 2.doc
[26/10/2008 08:57|--a------|106496] C:\PROPOSTA BLINDAGEM ARQUITETONICA 2.doc
[26/10/2008 08:59|--a------|1130496] C:\PROPOSTA LOGISTICA.doc
[?|?|?] D:\pagefile.sys
[02/04/2009 10:42|-r-hs----|48] D:\boot.ini
[03/05/2010 19:18|--a------|11127] D:\lopR.txt
[05/05/2010 09:47|--a------|38749] D:\ComboFix.txt
[29/04/2010 11:04|--a------|5091] D:\TB.txt
[27/04/2010 13:28|--a------|6770] D:\PureRa.txt
[30/04/2010 19:00|--a------|894] D:\HaxFix.txt
[30/04/2010 19:12|--a------|811] D:\cleannavi.txt
[04/04/2010 13:04|--a------|537842] D:\HaxFix.exe
[09/04/2007 09:58|--a------|1588659] D:\data1.cab
[02/12/2008 17:18|---------|43] D:\GABRIEL FOTO.gif
[02/12/2008 17:19|---------|43] D:\b.gif
[09/04/2007 09:58|--a------|21328] D:\data1.hdr
[09/04/2007 09:58|--a------|512] D:\data2.cab
[25/04/2010 18:35|--a------|14448] D:\SAFEBOOT_REPAIR.TXT
[05/05/2010 10:03|--a------|4755] D:\UsbFix.txt
[17/04/2009 21:18|---------|69] D:\AskScreen.ini
[29/12/2009 20:15|---------|209] D:\msnvirremOLD.log
[20/01/2007 03:43|--a------|492032] D:\ISSetup.dll
[09/04/2007 09:58|--a------|455] D:\layout.bin
[09/04/2007 09:58|--a------|702] D:\setup.ini
[09/04/2007 09:58|--a------|212839] D:\setup.inx
[28/08/2006 15:23|--a------|527] D:\setup.iss
[22/12/2004 13:18|--a------|106496] D:\stkbtnpn.dll
[13/04/2007 16:32|--a------|2551] D:\SWI.XML
[13/04/2007 07:20|--a------|11263] D:\tkbtnpn.cat
[09/04/2007 09:59|--a------|35609] D:\tkbtnpn.inf
[15/11/2005 10:03|--a------|7463] D:\tkbtnpn.sys
[28/08/2006 13:48|--a------|1490999] D:\tkbtnpn1.dll
[18/05/2006 00:21|--a------|385968] D:\_Setup.dll
[17/06/2005 13:41|---------|30740480] D:\Titãs - Isso.mpg
[19/06/2005 20:52|---------|36] D:\klextlock.dat
[17/06/2005 22:04|---------|2899913] D:\Balão Mágico - Se Enamora.mp3
[17/06/2005 22:00|---------|3344634] D:\Balão Mágico - Amigos Para Sempre.mp3
[17/06/2005 22:22|---------|1825071] D:\Balão Mágico - Amigos do Peito.wma
[17/06/2005 22:34|---------|3454976] D:\balao magico - zip e zap.mp3
[17/06/2005 22:37|---------|2656256] D:\balao magico - Eu e Voce.mp3
[18/06/2005 13:04|---------|2080047] D:\U2 & INXS-liveMexico.mp3
[18/06/2005 11:01|---------|2936114] D:\Ai Meu Nariz.mp3

################## | Vaccinação |

# C:\autorun.inf -> Folder criado por UsbFix.
# D:\autorun.inf -> Folder criado por UsbFix.

################## | Suspeito | http://www.virustotal.com |

################## | Cracks / Keygens / Serials |

################## | Upload |

Favor enviar o arquivo : D:\DOCUME~1\EDSOML~1\Desktop\UsbFix_Upload_Me_EDIM.zip : http://chiquitine.changelog.fr/Sample/Upload.php
Obrigado pela sua contribuição .

################## | ! Fim do relatório # UsbFix V6.055 ! |

Regards
DigRam, posted May 5, 2010

Good afternoon! EDSSX

################## | Upload |
Favor enviar o arquivo : D:\DOCUME~1\EDSOML~1\Desktop\UsbFix_Upload_Me_EDIM.zip : http://chiquitine.ch...mple/Upload.php
Obrigado pela sua contribuição.

<!> If you wish, contribute by sending the file highlighted above.

00000000000000000000000
00000000000000000000000

<@> Go to Start --> Run --> Type or paste: combofix.exe /uninstall --> Click OK. < >
<@> The following window will open: ( Open File - Security Warning )
<@> Click Run --> Wait!
<@> Finally, the message will appear: "ComboFix está desinstalado" --> Click OK.
<@> If you find them, delete: D:\ComboFix <-- The folder! + D:\ComboFix.txt <-- The report!
<@> Or go to Start --> Run --> Type or paste: "%userprofile%\desktop\combofix" /uninstall
<@> Click OK.

00000000000000000000000
00000000000000000000000

<@> Download: < TFC > ( by Old Timer )
<!> Link - 2 < http://www.geekstogo.com/forum/TFC-Temp-File-Cleaner-OldTimer-file187.html >
<@> Save it to the desktop!
<@> Close all programs! ( Internet, browser, etc... )
<@> Run TFC.exe with a double-click.
<@> PS: On Windows Vista --> Right-click --> Choose: Run as Administrator
<@> Click Start --> Wait!
<@> When it finishes, restart the computer yourself in case the tool does not ask you to and start the process itself. ( reboot )

00000000000000000000000
00000000000000000000000

<@> Download: < avz4en.zip > or < avz_antiviral_toolkit >
<@> Save it in Program Files and unzip it right there!
<@> Open the avz4 folder and run the application with a double-click. <-- Shield and sword icon!
<@> Connect to the Internet and update the Toolkit --> "File" --> "Database Update". < >
<@> When that is done, do not run any scan yet!
<@> Under "File types", select the "All files" button.
<@> Under "Actions", check: "Perform healing"
<@> In the fields below "Perform healing", choose "Report only" for all items.
<@> Below "RiskWare", check the box "Copy suspicious files to Quarantine" <-- Only this box!
<@> In the "Search parameters" menu, check all the boxes and leave the "Heuristic analyses" setting at "Minimum heuristics mode".
<@> PS: Do not uncheck the ones that came checked by default.
<@> Close any open programs and run the tool! <-- Click Start.
<@> When the scan finishes, click the "Save log" icon so we have the report. ( avz_log )
<@> Also click the "glasses" icon.
<@> Click "Save as CSV".
<@> Save this report to the desktop! <-- Text format. ( *.txt )
<@> Name it: view_log
<@> Copy and post avz_log.txt + view_log.txt in your reply.

Regards!
EDSSX, posted May 6, 2010

Good morning! DigRam

With our disinfection procedures above there is already a good result: when the system boots, the Avira umbrella now opens by itself, hehe. I confirm that when the PC starts and the umbrella does not open, it is a sign of rootkit infection. The Avira AntiRootkit still does not open; this may or may not be related to the rootkit infection. The window/message below still appears.

http://forum.imasters.com.br/index.php?/topic/389694-mensagem-de-erro/page__pid__1529616__st__0entry1529616

Here are the logs.

Avz_log.txt:

AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 6/5/2010 07:01:25
Database loaded: signatures - 271941, NN profile(s) - 2, malware removal microprograms - 56, signature database released 05.05.2010 23:53
Heuristic microprograms loaded: 383
PVS microprograms loaded: 9
Digital signatures of system files loaded: 199341
Heuristic analyzer mode: Minimum heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26B8 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
CmpCallCallBacks = 0013AA8E
Disable callback - уже нейтрализованы
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
Checking - complete
2. Scanning RAM
Number of processes found: 26
Number of modules loaded: 345
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
D:\WINDOWS\system32\hnetcfg.dll --> Suspicion for Keylogger or Trojan DLL
D:\WINDOWS\system32\hnetcfg.dll>>> Behaviour analysis
Behaviour typical for keyloggers was not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
In the database 317 port descriptions
Opened at this PC: 12 TCP ports and 13 UDP ports
Checking - complete; no suspicious ports detected
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 371, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 6/5/2010 07:02:07
Time of scanning: 00:00:44
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference

View_log.txt:

D:\WINDOWS\system32\hnetcfg.dll;5;Suspicion for Keylogger or Trojan DLL

Regards
DigRam, posted May 7, 2010

Good evening! EDSSX

"I confirm that when the PC starts and the umbrella does not open, it is a sign of rootkit infection."

<!> We cannot generalize that! I have had cases where that closing had no relation to rootkits.

"The Avira AntiRootkit still does not open; this may or may not be related to the rootkit infection. The window/message below still appears."

<!> That tool is standalone and depends on the Avira antivirus working properly, since they share an RK detection driver.
<!> < Avira Support Forum >
<!> Look for a solution to that problem on the Avira Support Forum.

00000000000000000000000
ooooooooooooooooooooooo

<@> Go to: < jotti.org >
<@> In File to upload, enter: D:\WINDOWS\system32\hnetcfg.dll
<@> Then click < >
<@> Copy and post the result of that scan.

00000000000000000000000
ooooooooooooooooooooooo

<@> Open avz4 and click AVZGuard --> Enable AVZGuard --> OK.
<@> Click "File" --> "Custom scripts".
<@> Paste, in the "Runing scripts" field, this information from the CODE:

begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  ClearHostsFile;
  DeleteFileMask('%Tmp%', '*.*', true);
  BC_ImportDeletedList;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.

<@> Check for script errors by clicking "Check syntax" --> OK.
<@> If there are no errors, click Run. <-- Wait!
<@> To complete the removals, the computer will restart.
<@> When it finishes, click "Save".
<@> Save this report to the desktop, named: AVZScript.log <-- Post it!
<@> Go back to the AVZGuard menu and click "Disable AVZGuard" --> OK.

00000000000000000000000

<!> PS: According to your post about this problem in the Software area, you report that other programs are/were affected by the bug. Is that correct?

Regards!