[Arquivado] Analise de log

Leandroctp · Maio 31, 2010

sempre quando ligo o pc o Avira detecta o sknc.dll, mas se eu deixo o Avira bloquear ele não consigo me contectar a internet nem abrir varios programas, ai tenho que desativar a proteção do Avira.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:25:18, on 31/5/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Arquivos de programas\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avmailc.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Java\jre6\bin\jucheck.exe

C:\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\leandro.PESSOAL\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{35A03B08-0A09-4F67-A951-B61F702D5965}: NameServer = 200.165.132.148 200.165.132.155

O17 - HKLM\System\CS1\Services\Tcpip\..\{35A03B08-0A09-4F67-A951-B61F702D5965}: NameServer = 200.165.132.148 200.165.132.155

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe

O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avmailc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\AVWEBGRD.EXE

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Update Service (gupdate1ca2d8e9b0d77bc) (gupdate1ca2d8e9b0d77bc) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--

End of file - 9493 bytes

DigRam · Junho 4, 2010

Boa Tarde! Leandroctp

<!> Você possui infecção,por cavalo de tróia,que compromete a partição NTFS do Windows.

<!> Recomenda-se a formatação ou..caso queira,tente esta correção.

<!> Faça backups,para uma possível formatação ou tente,também,estas orientações: < Buzzle.com >

00000000000000000000000

ooooooooooooooooooooooo

<@> Baixe: < ws2_32.zip >

<@> Descompacte-o para o diretório: C:\WINDOWS\ServicePackFiles\i386 <--

<@> Ps: Onde teremos o caminho: C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

<@> Descompacte-o,também,para o diretório: C:\WINDOWS\system32 <--

<@> Ps: Onde teremos o caminho: C:\WINDOWS\system32\ws2_32.dll

00000000000000000000000

ooooooooooooooooooooooo

<@> Baixe: < > ( ...by sUBs )

<@> Salve-o no desktop!

<@> Desabilite o Avira!

<@> Selecione e copie,todo o conteúdo que está na área do QUOTE,para o Bloco de Notas.

<@> Salve-o,no Desktop,com o nome: CFScript.txt

File::
C:\WINDOWS\system32\csrcs.exe

C:\WINDOWS\system32\sknc.dll

C:\WINDOWS\system32\old_ws2.old

RESTORE::

C:\WINDOWS\system32\ws2_32.dll

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"csrcs.exe"=-

<@> Arraste,o CFScript.txt para o ícone/interior do ComboFix.

<@> Veja a demonstração!

<@> Atenda à solicitação,que deverá surgir,para rodar o ComboFix.

<@> Ps: Faça o arraste,até surgir essa solicitação! ( janela )

<@> Terminando,poste os relatórios: C:\ComboFix.txt + HijackThis,atualizado.

Abraços!

Leandroctp · Junho 18, 2010

desculpe a demora para responder, tive alguns problemas pessoais e não pude fazer o procedimento

aparentemente está tudo ok com o pc agora

muito obrigado

edit: nao consegui realizar o procedimento:

<@> Baixe: < ws2_32.zip >

<@> Descompacte-o para o diretório: C:\WINDOWS\ServicePackFiles\i386 <--

<@> Ps: Onde teremos o caminho: C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

<@> Descompacte-o,também,para o diretório: C:\WINDOWS\system32 <--

<@> Ps: Onde teremos o caminho: C:\WINDOWS\system32\ws2_32.dll

nao existe a pasta C:\WINDOWS\ServicePackFiles\i386 e na pasta "system32" nao consegui substituir o arquivo ja existente

logs:

ComboFix 10-06-17.02 - leandro 18/06/2010 10:27:05.1.1 - x86

Executando de: c:\documents and settings\leandro.PESSOAL\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\leandro.PESSOAL\Desktop\CFScript.txt

* Criado um novo ponto de restauração

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::

"c:\windows\system32\csrcs.exe"

"c:\windows\system32\old_ws2.old"

"c:\windows\system32\sknc.dll"

.

ADS - drivers: deleted 204 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\arquivos de programas\Cheat Engine\dbk32.sys

c:\windows\system32\AutoRun.inf

c:\windows\system32\csrcs.exe

c:\windows\system32\msconfig.exe

c:\windows\system32\old_ws2.old

c:\windows\system32\sknc.dll

c:\windows\system32\win.com

A cópia de c:\windows\system32\ws2_32.dll foi encontrada e desinfectada

Cópia restaurada de - c:\windows\system32\dllcache\ws2_32.dll

.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-05-18 to 2010-06-18 ))))))))))))))))))))))))))))

.

2010-06-17 21:37 . 2007-05-16 04:00 42368 ----a-r- c:\windows\system32\drivers\SiSGbeXP.sys

2010-06-17 21:37 . 2010-06-17 21:37 -------- d-----w- c:\arquivos de programas\On-line Help Console

2010-06-17 21:36 . 2010-06-17 21:36 -------- d-----w- c:\windows\system32\Tools

2010-06-17 21:35 . 2006-12-25 20:31 4864 ----a-r- c:\windows\system32\drivers\PortIo.sys

2010-06-13 00:36 . 2010-06-13 00:36 -------- d-----w- C:\found.001

2010-06-10 06:49 . 2010-06-10 06:49 -------- d-----w- C:\gPotato.com

2010-06-09 13:36 . 2010-05-06 10:34 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-08 16:24 . 2008-07-31 13:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll

2010-06-08 16:24 . 2008-07-31 13:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll

2010-06-08 16:24 . 2008-07-31 13:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll

2010-06-08 16:24 . 2008-07-10 14:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll

2010-06-08 16:24 . 2008-07-10 14:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

2010-06-08 16:24 . 2008-07-10 14:00 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll

2010-06-08 16:23 . 2010-06-08 16:23 -------- d-----w- c:\arquivos de programas\TrueGames

2010-06-02 14:03 . 2010-06-02 14:03 -------- d-----w- C:\found.000

2010-05-31 16:21 . 2010-05-31 16:21 401720 ----a-w- C:\HiJackThis.exe

2010-05-30 14:38 . 2010-05-30 14:38 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Malwarebytes

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-18 13:35 . 2009-06-25 17:52 -------- d-----w- c:\arquivos de programas\Cheat Engine

2010-06-17 21:37 . 2009-06-12 17:57 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2010-06-17 18:51 . 2010-03-26 10:34 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\uTorrent

2010-06-16 17:19 . 2009-08-10 19:00 -------- d-----w- c:\arquivos de programas\Minilyrics

2010-06-13 04:11 . 2010-01-01 17:08 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\PMB Files

2010-06-13 00:39 . 2010-02-09 19:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2010-06-13 00:39 . 2010-02-09 19:12 -------- d-----w- c:\arquivos de programas\GbPlugin

2010-06-13 00:14 . 2009-11-08 16:17 -------- d-----w- c:\arquivos de programas\Unlocker

2010-06-10 06:15 . 2008-04-14 07:00 80246 ----a-w- c:\windows\system32\perfc016.dat

2010-06-10 06:15 . 2008-04-14 07:00 473318 ----a-w- c:\windows\system32\perfh016.dat

2010-06-05 14:19 . 2010-05-06 15:22 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight

2010-05-30 14:42 . 2009-06-12 18:04 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-05-26 13:48 . 2010-02-09 19:12 45472 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2010-05-19 05:20 . 2009-09-04 18:24 -------- d-----w- c:\arquivos de programas\Google

2010-05-18 19:07 . 2010-05-16 04:34 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\sqlitestudio

2010-05-18 18:42 . 2010-05-15 20:38 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Tibia

2010-05-17 17:43 . 2010-05-17 17:43 -------- d-----w- c:\arquivos de programas\PingOut - by Machine

2010-05-17 14:56 . 2010-05-17 14:56 -------- d-----w- c:\arquivos de programas\Tibia 854

2010-05-17 14:23 . 2009-06-12 19:54 -------- d-----w- c:\arquivos de programas\uTorrent

2010-05-16 18:03 . 2009-06-13 15:08 -------- d-----w- c:\arquivos de programas\Tibia

2010-05-16 16:15 . 2010-05-16 16:15 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Remere's Map Editor

2010-05-16 16:15 . 2010-05-16 16:15 -------- d-----w- c:\arquivos de programas\Remere's Map Editor

2010-05-16 02:29 . 2010-05-16 02:29 -------- d-----w- c:\arquivos de programas\No-IP

2010-05-14 13:07 . 2010-05-14 13:07 -------- d-----w- c:\arquivos de programas\1C Company

2010-05-13 13:54 . 2010-05-13 13:54 -------- d-----w- c:\arquivos de programas\WinDirStat

2010-05-13 13:50 . 2010-05-13 13:50 -------- d-----w- c:\arquivos de programas\SystemRequirementsLab

2010-05-12 17:37 . 2010-05-12 17:37 -------- d-----w- c:\arquivos de programas\Firebird

2010-05-11 15:40 . 2010-05-11 15:40 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Nero

2010-05-06 10:34 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 08:02 . 2009-03-21 14:20 1860480 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 18:39 . 2009-06-12 18:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 18:39 . 2009-06-12 18:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 02:56 . 2010-04-29 02:46 12006784 ----a-w- c:\windows\system32\drivers\snp2sxp.sys.off

2010-04-29 02:46 . 2010-04-29 02:46 -------- d-----w- c:\arquivos de programas\Arquivos comuns\snp2std

2010-04-29 02:45 . 2010-04-29 02:45 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\InstallShield

2010-04-23 00:13 . 2010-03-26 10:08 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\MessengerDiscovery 2

2010-04-20 05:31 . 2008-04-14 07:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 03:41 . 2010-04-20 03:41 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Avira

2010-03-24 15:28 . 2009-06-12 01:03 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys

2010-03-24 15:28 . 2009-06-12 01:03 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-03-24 15:28 . 2009-06-12 01:03 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-03-24 15:28 . 2009-06-12 01:03 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys

.

------- Sigcheck -------

[-] 2009-04-17 . 2A293D04F15B5D25FF3615D8ED8DD1B7 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... está faltando !!

c:\windows\System32\regsvc.dll ... está faltando !!

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-12-23 3883840]

"Google Update"="c:\documents and settings\leandro.PESSOAL\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2010-03-24 282792]

"nwiz"="nwiz.exe" [2009-04-30 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"tsnp2std"="c:\windows\tsnp2std.exe" [2006-11-02 258048]

"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]

"UnlockerAssistant"="c:\arquivos de programas\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-08 128512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2010-05-26 13:47 335136 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2010-04-29 18:39 437584 ----a-w- c:\arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"c:\\Arquivos de programas\\DNA\\btdna.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"=

"c:\\Arquivos de programas\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Arquivos de programas\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Arquivos de programas\\TrueGames\\Mytheon\\launcher.ui.exe"=

"c:\\Arquivos de programas\\TrueGames\\Mytheon\\MytheonClientR.exe"=

"c:\\Arquivos de programas\\TrueGames\\Mytheon\\ClientLauncherG.exe"=

"c:\\Arquivos de programas\\TrueGames\\Mytheon\\ClientLauncherR.exe"=

"c:\\Arquivos de programas\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\gPotato.com\\Allods Online\\bin\\Launcher0.exe"=

"c:\\gPotato.com\\Allods Online\\bin\\Launcher.exe"=

"c:\\gPotato.com\\Allods Online\\bin\\AOgame.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56112:TCP"= 56112:TCP:Pando Media Booster

"56112:UDP"= 56112:UDP:Pando Media Booster

"3834:TCP"= 3834:TCP:3834

"7171:UDP"= 7171:UDP:otserv

"58422:TCP"= 58422:TCP:Pando Media Booster

"58422:UDP"= 58422:UDP:Pando Media Booster

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [9/2/2010 16:12 45472]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [24/6/2009 07:51 721904]

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [11/6/2009 22:03 102856]

R2 AntiVirFirewallService;Avira Firewall;c:\arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe [11/6/2009 22:03 536232]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\arquivos de programas\Avira\AntiVir Desktop\avmailc.exe [11/6/2009 22:03 337064]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [11/6/2009 22:03 135336]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\arquivos de programas\Avira\AntiVir Desktop\avwebgrd.exe [11/6/2009 22:03 405672]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe [12/5/2010 14:37 81920]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [9/2/2010 16:12 55072]

R2 MBAMService;MBAMService;c:\arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe [12/6/2009 15:04 304464]

R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [11/6/2009 22:03 79432]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe [12/5/2010 14:37 2723840]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/6/2009 15:04 20952]

S2 gupdate1ca2d8e9b0d77bc;Google Update Service (gupdate1ca2d8e9b0d77bc);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [4/9/2009 15:36 133104]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/6/2009 15:04 38224]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XDva286;XDva286;\??\c:\windows\system32\XDva286.sys --> c:\windows\system32\XDva286.sys [?]

--- =Outros Serviços/Drivers Na Memória ---

*NewlyCreated* - HELPSVC

.

Conteúdo da pasta 'Tarefas Agendadas'

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-09-04 18:35]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-09-04 18:35]

2010-05-15 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-06-14 17:48]

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

LSP: c:\arquivos de programas\Avira\AntiVir Desktop\avsda.dll

FF - ProfilePath - c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Mozilla\Firefox\Profiles\ex332ge4.default\

FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORFÃOS REMOVIDOS - - - -

MSConfigStartUp-ares - c:\arquivos de programas\Ares\Ares.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-18 10:40

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sppn.sys >>UNKNOWN [0x8A301938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28

\Driver\ACPI -> ACPI.sys @ 0xb7e66cb8

\Driver\atapi -> atapi.sys @ 0xb7dfbb40

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(1312)

c:\arquivos de programas\GBPLUGIN\gbieh.dll

- - - - - - - > 'lsass.exe'(1368)

c:\arquivos de programas\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3948)

c:\windows\system32\WININET.dll

c:\arquivos de programas\Unlocker\UnlockerHook.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\arquivos de programas\GBPLUGIN\gbieh.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe

c:\arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Google\Update\1.2.183.29\GoogleCrashHandler.exe

c:\arquivos de programas\CDBurnerXP\NMSAccessU.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\SOUNDMAN.EXE

.

**************************************************************************

.

Tempo para conclusão: 2010-06-18 10:49:57 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-06-18 13:49

Pré-execução: 11 pasta(s) 23.844.777.984 bytes disponíveis

Pós execução: 15 pasta(s) 23.869.812.736 bytes disponíveis

- - End Of File - - 095F54B949518C1308000C082C9BE473

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:56:43, on 18/6/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Arquivos de programas\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avmailc.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\HiJackThis\HiJackThis.exe