[Resolvido!] Me infectei e gostaria de remover

[ekobol 0]

Olá, boa tarde a todos, meu anti virus Avira Antivir esta detectando virus e nao consigo remove-los, pesquisando aqui no forum vi que alguns realmente são virus e outros eu nao tenho certeza, postarei o log e fico no aguardo de uma avalição, desde ja obrigado e se eu infringi alguma regr ja peço desculpa desde ja... é minha primeira postagem aqui.

 

log do hijack this:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:25:00, on 26/8/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\vsnpstd.exe

C:\Arquivos de programas\WindowsUpdate\wuauserv.exe

C:\Arquivos de programas\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

C:\Arquivos de programas\Google\Quick Search Box\GoogleQuickSearchBox.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\ManyCam 2.4\ManyCam.exe

C:\Arquivos de programas\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\WINDOWS\system32\sistray.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Usuário\Meus documentos\hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [Windows Update Automatic Updates] C:\Arquivos de programas\WindowsUpdate\wuauserv.exe

O4 - HKLM\..\Run: [Microsoft Text Input Processor] C:\Arquivos de programas\Common Files\System\TableTextService.exe

O4 - HKLM\..\Run: [siSRaid] C:\Arquivos de programas\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

O4 - HKLM\..\Run: [Microsoft Office quick launch] C:\Arquivos de programas\Microsoft Office\Office11\OSA.exe

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Arquivos de programas\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [kill] c:\windows\setup.exe

O4 - HKLM\..\Run: [system] C:\WINDOWS\svcr.exe

O4 - HKLM\..\Run: [win32] C:\WINDOWS\system32\install\server.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows Update Automatic Updates] C:\Arquivos de programas\WindowsUpdate\wuauserv.exe

O4 - HKCU\..\Run: [Microsoft Text Input Processor] C:\Arquivos de programas\Common Files\System\TableTextService.exe

O4 - HKCU\..\Run: [WS9E3IQBKY] C:\WINDOWS\msb.exe

O4 - HKCU\..\Run: [swg] "C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [bMIMZMHMFM] C:\DOCUME~1\USURIO~1\CONFIG~1\Temp\Cfd.exe

O4 - HKCU\..\Run: [ManyCam] "C:\Arquivos de programas\ManyCam 2.4\ManyCam.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Adobe Update Manager] C:\Arquivos de programas\Adobe\Reader 9.0\Reader\AdobeUpdater.exe

O4 - HKCU\..\Run: [RegistryBooster] "C:\Arquivos de programas\Uniblue\RegistryBooster\launcher.exe" delay 20000

O4 - HKCU\..\Run: [system] C:\WINDOWS\svcr.exe

O4 - HKCU\..\Run: [win32] C:\WINDOWS\system32\install\server.exe

O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\install\server.exe

O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\install\server.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Adobe Update Manager] C:\Arquivos de programas\Common Files\Adobe\Updater6\AdobeUpdater.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255721915234

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256798990625

O16 - DPF: {C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61} (DownloaderActiveX Control) - http://c6.community.alice.it/download/DownloaderActiveX.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DBFC9B47-4B37-4F76-A577-83CA8621F23F}: NameServer = 200.204.0.10 200.204.0.138

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Programador (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Arquivos de programas\McAfee Security Scan\2.0.181\McCHSvc.exe

O23 - Service: Yahoo Auto Updater (YUpdater) - Unknown owner - C:\Arquivos de programas\Yahoo!\Messenger\YUpdater.exe (file missing)

 

--

End of file - 8769 bytes

[wings 22]

Boa tarde....

 

1.

*Baixe o Bankerfix e salve-o no desktop

*Desative temporariamente seu antivírus

 

Clique com o botão direito do mouse no ícone do Avira ao lado do relógio

Clique na opção "Antivir Guard enable".

*Execute o bankerfix

*Clique [OK] > [sIM] (se pedir alguma atualização) > [OK]

*Tecle [ENTER] e aguarde.

*Ao término tecle [ENTER]

*Cole o relatório criado em C:\LinhaDefensiva\relatorio.txt

[ekobol 0]

Boa tarde....

 

1.

*Baixe o Bankerfix'>http://www.linhadefensiva.org/dl/bankerfix"]Bankerfix e salve-o no desktop

*Desative temporariamente seu antivírus

 

Clique com o botão direito do mouse no ícone do Avira ao lado do relógio

Clique na opção "Antivir Guard enable".

*Execute o bankerfix

*Clique [OK] > [sIM] (se pedir alguma atualização) > [OK]

*Tecle [ENTER] e aguarde.

*Ao término tecle [ENTER]

*Cole o relatório criado em C:\LinhaDefensiva\relatorio.txt

 

 

Obrigado por estar me ajudando Wings, fiz este procedimento e o relatorio gerado segue abaixo:

 

 

BankerFix 3.1 VALKYRIE - Removedor de Bankers

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Data: 2010-08-26 - 18:03

-------------------------------------------------------

Lista de Definição: 2010-08-03-1 | CORE: 2010-01-14-1

=======================================================

 

Arquivo infectado detectado: C:\DOCUME~1\USURIO~1\CONFIG~1\Temp\6.tmp

Arquivo infectado removido com sucesso!

 

 

 

----- Fim -------------------------

[wings 22]

1.

*Delete o Bankerfix e a pasta C:\LinhaDefensiva

 

2.

*Baixe o MalwareBytes Anti-malware e salve-o no desktop

*Instale o programa

*Se alguma atualização existir, o download será automático. Aguarde...

*O programa será aberto automaticamente.

*Na aba [Verificação], selecione a opção [Verificação completa]

*Clique em [Verificar] e selecione as partições a serem examinadas (geralmente C:\ e D:\)

*Ao término do scan, poderá ser interrogado se deseja remover objetos da memória. Clique [sIM] > [OK] > [Mostrar Resultados]

*Clique em [Remover Selecionados]

*Um relatório (mbam-log-ano-mês-data.txt) será apresentado.

*Cole-o na sua próxima resposta

[ekobol 0]

1.

*Delete o Bankerfix e a pasta C:\LinhaDefensiva

 

2.

*Baixe o MalwareBytes'>http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html"]MalwareBytes Anti-malware e salve-o no desktop

*Instale o programa

*Se alguma atualização existir, o download será automático. Aguarde...

*O programa será aberto automaticamente.

*Na aba [Verificação], selecione a opção [Verificação completa]

*Clique em [Verificar] e selecione as partições a serem examinadas (geralmente C:\ e D:\)

*Ao término do scan, poderá ser interrogado se deseja remover objetos da memória. Clique [sIM] > [OK] > [Mostrar Resultados]

*Clique em [Remover Selecionados]

*Um relatório (mbam-log-ano-mês-data.txt) será apresentado.

*Cole-o na sua próxima resposta

 

 

Aqui esta o log:

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

 

Versão da Base de Dados: 4487

 

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

 

26/8/2010 23:12:47

mbam-log-2010-08-26 (23-12-47).txt

 

Tipo de Verificação: Verificação Completa (C:\|D:\|)

Objetos escaneados: 156654

Tempo decorrido: 19 minuto(s), 57 segundo(s)

 

Processos de Memória Infectados: 0

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 8

Valores de Registro Infectados: 6

Itens de Dados no Registro Infectados: 0

Pastas Infectadas: 0

Arquivos Infectados: 5

 

Processos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Infectadas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{hr1h3vge-xi38-8eyi-h8i3-44556j2lvfcy} (Generic.Bot.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5y99ae78-58tt-11dw-be53-y67078979y} (Backdoor.ProRat) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\BMIMZMHMFM (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\WS9E3IQBKY (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Valores de Registro Infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmimzmhmfm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update automatic updates (Backdoor.IRCBot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ws9e3iqbky (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update automatic updates (Trojan.Agent) -> Quarantined and deleted successfully.

 

Itens de Dados no Registro Infectados:

(Não foram detectados ítens maliciosos)

 

Pastas Infectadas:

(Não foram detectados ítens maliciosos)

 

Arquivos Infectados:

C:\Documents and Settings\Usuário\Configurações locais\Temp\mmCrypt$Temp\temp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Usuário\Dados de aplicativos\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Usuário\Dados de aplicativos\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\ktd32.atm (Backdoor.ProRat) -> Quarantined and deleted successfully.

C:\Arquivos de programas\WindowsUpdate\wuauserv.exe (Backdoor.IRCBot) -> Delete on reboot.

[wings 22]

1.

*Baixe o ERUNT e salve-o no desktop

*Crie uma pasta chamada ERUNT em C:\ e extraia o conteúdo para ela

*Duplo clique em ERUNT.exe

*Clique [OK] > [OK] > [sim] > [OK]

 

2.

*Baixe o SCRP e salve-o no desktop

*Extraia para o desktop

*Execute o SCRP, aguarde e clique em [OK]

 

3.

*Desative temporariamente seu antivírus

 

*Baixe o ComboFix e salve-o no desktop

 

*Execute o Combofix e aceite o contrato

 

*Se o console de recuperação do Windows já estiver instalado, o ComboFix continuará o processo automaticamente. Caso contrário, clique em [sIM] para a sua instalação.

 

 

*Clique em [sIM] para continuar.

 

 

*Aguarde a conclusão de todas as etapas

 

 

*Enquanto o ComboFix estiver em execução, evite usar o mouse e o teclado!!..... Para interromper o procedimento tecle N ou 2 e depois ENTER.

 

*O programa será fechado automaticamente e um relatório (C:\combofix.txt) será apresentado. Cole-o na próxima resposta.

 

*Se for reiniciar o PC haverá uma opção, na inicialização, chamada Console de Recuperação. Não entre no Windows através do mesmo desde que devidamente orientado(a)!

[ekobol 0]

Aqui está o log:

 

 

ComboFix 10-08-26.02 - Usuário 27/08/2010 0:16.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.735.264 [GMT -3:00]

Executando de: c:\documents and settings\Usuário\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\~ms1.tmp

C:\~ms2.tmp

C:\~ms3.tmp

C:\~ms4.tmp

C:\~ms5.tmp

C:\~ms6.tmp

C:\~ms7.tmp

C:\~ms8.tmp

C:\~ms9.tmp

c:\windows\DOWNLO~1\DOWNlo~1.ocx

c:\windows\explorer.exe.local

c:\windows\system32\msconfig32.sys

c:\windows\system32\zf32.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_SSHNAS

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2010-07-27 to 2010-08-27 ))))))))))))))))))))))))))))

.

 

2010-08-27 02:59 . 2010-08-27 03:01 -------- d-----w- C:\ERUNT

2010-08-27 01:47 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-27 01:47 . 2010-08-27 01:47 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-08-27 01:47 . 2010-08-27 01:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-08-27 01:47 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-01 02:16 . 2010-08-19 17:53 -------- d--h--w- c:\windows\system32\windows7

2010-07-30 03:36 . 2010-07-30 22:21 0 ----a-w- c:\windows\Pplugin9.dat

2010-07-30 03:25 . 2010-07-30 22:22 206 ----a-w- c:\windows\Pplugin4.dat

2010-07-29 21:21 . 2010-07-29 21:21 -------- d-----w- c:\arquivos de programas\Senna Spy Tools

2010-07-29 17:52 . 2010-07-29 17:52 -------- d-----w- c:\arquivos de programas\No-IP

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-27 02:46 . 2001-10-28 12:07 86054 ----a-w- c:\windows\system32\perfc016.dat

2010-08-27 02:46 . 2001-10-28 12:07 506118 ----a-w- c:\windows\system32\perfh016.dat

2010-08-27 01:24 . 2009-12-30 02:32 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2010-08-27 00:29 . 2009-10-18 00:29 -------- d-----w- c:\arquivos de programas\Windows Live

2010-08-03 05:10 . 2009-11-12 20:25 -------- d-----w- c:\arquivos de programas\Corel

2010-08-03 05:09 . 2009-12-22 23:15 -------- d-----w- c:\arquivos de programas\Valve

2010-08-03 04:26 . 2009-10-19 04:39 -------- d-----w- c:\arquivos de programas\OpenOffice.org 3

2010-08-03 04:25 . 2010-03-28 16:52 -------- d-----w- c:\arquivos de programas\Panda Security

2010-07-18 01:24 . 2009-11-12 20:26 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-07-18 01:24 . 2009-11-12 20:26 88 --sh--r- c:\windows\system32\E314E0C661.sys

2010-07-16 00:35 . 2010-07-16 00:35 -------- d-----w- c:\arquivos de programas\SuperCanais MiniPopup

2004-08-04 03:45 . 2010-01-25 03:57 28672 --sh--r- c:\windows\system32\Setup\zf32.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-29 39408]

"ManyCam"="c:\arquivos de programas\ManyCam 2.4\ManyCam.exe" [2009-12-19 1824040]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2005-08-25 49152]

"snpstd"="c:\windows\vsnpstd.exe" [2004-06-11 286720]

"SiSRaid"="c:\arquivos de programas\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-05-19 905216]

"Google Quick Search Box"="c:\arquivos de programas\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-02-07 126976]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"googletalk"="c:\arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-01 3735552]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

McAfee Security Scan Plus.lnk - c:\arquivos de programas\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-10-17 262144]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\YUpdater]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Documents and Settings\\Usuário\\Configurações locais\\Dados de aplicativos\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R2 AntiVirSchedulerService;Avira AntiVir Programador;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [9/3/2010 16:42 108289]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/1/2008 07:06 21632]

S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [7/2/2010 17:43 135664]

S2 YUpdater;Yahoo Auto Updater;c:\arquivos de programas\Yahoo!\Messenger\YUpdater.exe --> c:\arquivos de programas\Yahoo!\Messenger\YUpdater.exe [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\arquivos de programas\McAfee Security Scan\2.0.181\McCHSvc.exe [15/1/2010 09:49 227232]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-02-07 20:43]

 

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-02-07 20:43]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.orkut.com/

IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m7ytflmm.default\

FF - prefs.js: browser.startup.homepage - www.4shared.com

FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\Java\jre6\bin\new_plugin\npdeployJava1.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKCU-Run-Microsoft Text Input Processor - c:\arquivos de programas\Common Files\System\TableTextService.exe

HKCU-Run-Google Update - c:\documents and settings\Usuário\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

HKCU-Run-Adobe Update Manager - c:\arquivos de programas\Adobe\Reader 9.0\Reader\AdobeUpdater.exe

HKCU-Run-RegistryBooster - c:\arquivos de programas\Uniblue\RegistryBooster\launcher.exe

HKLM-Run-Cmaudio - cmicnfg.cpl

HKLM-Run-Microsoft Text Input Processor - c:\arquivos de programas\Common Files\System\TableTextService.exe

HKLM-Run-Microsoft Office quick launch - c:\arquivos de programas\Microsoft Office\Office11\OSA.exe

HKU-Default-Run-Microsoft Text Input Processor - c:\arquivos de programas\Windows NT\TableTextService\TableTextService.exe

HKU-Default-Run-Windows Update Automatic Updates - c:\arquivos de programas\WindowsUpdate\wuauserv.exe

HKU-Default-Run-Adobe Update Manager - c:\arquivos de programas\Common Files\Adobe\Updater6\AdobeUpdater.exe

ActiveSetup-{F1A77149-A742-9103-8BCC-88A1CBA8EABE} - c:\windows\system32\windows7\drive.exe

AddRemove-Google Chrome - c:\documents and settings\Usuário\Configurações locais\Dados de aplicativos\Google\Chrome\Application\5.0.375.127\Installer\setup.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-27 00:21

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'lsass.exe'(584)

c:\windows\system32\mswsock.dll

 

- - - - - - - > 'explorer.exe'(1128)

c:\windows\system32\ieframe.dll

c:\arquivos de programas\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe

c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-08-27 00:26:10 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-08-27 03:26

 

Pré-execução: 6 pasta(s) 26.319.605.760 bytes disponíveis

Pós execução: 7 pasta(s) 30.305.529.856 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

- - End Of File - - EBD82654F7C539B125F4A1224CB00BAD

[wings 22]

*Envie o arquivo abaixo para análise em http://www.virustotal.com.br

 

c:\windows\system32\Setup\zf32.dll

*Cole o link contendo o resultado.

[ekobol 0]

link do resultado:

 

http://www.virustotal.com/file-scan/compact.html?id=1ccc522b30441d2f3eb08530ee0370431b45d8a5e90c16c745e71df1238d8113-1280954699

[wings 22]

*Abra o bloco de notas e cole nele o código abaixo:

 

File::

c:\windows\Pplugin9.dat

c:\windows\Pplugin4.dat

Dirlook::

c:\windows\system32\windows7

*Salve o arquivo no desktop como CFScript.txt

*Arraste o arquivo para o Combofix conforme ilustração abaixo:

 

 

*Importante: enquanto o combofix estiver em execução, evite usar o mouse e o teclado!!..para interromper o processo tecle N ou 2.

*Cole o relatório criado em C:\combofix.txt

[ekobol 0]

*Cole o relatório criado em C:\combofix.txt

 

 

 

ComboFix 10-08-26.02 - Usuário 27/08/2010 1:51.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.735.269 [GMT -3:00]

Executando de: c:\documents and settings\Usuário\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Usuário\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

FILE ::

"c:\windows\Pplugin4.dat"

"c:\windows\Pplugin9.dat"

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\Pplugin4.dat

c:\windows\Pplugin9.dat

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-07-27 to 2010-08-27 ))))))))))))))))))))))))))))

.

 

2010-08-27 02:59 . 2010-08-27 03:01 -------- d-----w- C:\ERUNT

2010-08-27 01:47 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-27 01:47 . 2010-08-27 01:47 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-08-27 01:47 . 2010-08-27 01:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-08-27 01:47 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-01 02:16 . 2010-08-19 17:53 -------- d--h--w- c:\windows\system32\windows7

2010-07-29 21:21 . 2010-07-29 21:21 -------- d-----w- c:\arquivos de programas\Senna Spy Tools

2010-07-29 17:52 . 2010-07-29 17:52 -------- d-----w- c:\arquivos de programas\No-IP

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-27 02:46 . 2001-10-28 12:07 86054 ----a-w- c:\windows\system32\perfc016.dat

2010-08-27 02:46 . 2001-10-28 12:07 506118 ----a-w- c:\windows\system32\perfh016.dat

2010-08-27 01:24 . 2009-12-30 02:32 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2010-08-27 00:29 . 2009-10-18 00:29 -------- d-----w- c:\arquivos de programas\Windows Live

2010-08-03 05:10 . 2009-11-12 20:25 -------- d-----w- c:\arquivos de programas\Corel

2010-08-03 05:09 . 2009-12-22 23:15 -------- d-----w- c:\arquivos de programas\Valve

2010-08-03 04:26 . 2009-10-19 04:39 -------- d-----w- c:\arquivos de programas\OpenOffice.org 3

2010-08-03 04:25 . 2010-03-28 16:52 -------- d-----w- c:\arquivos de programas\Panda Security

2010-07-18 01:24 . 2009-11-12 20:26 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-07-18 01:24 . 2009-11-12 20:26 88 --sh--r- c:\windows\system32\E314E0C661.sys

2010-07-16 00:35 . 2010-07-16 00:35 -------- d-----w- c:\arquivos de programas\SuperCanais MiniPopup

2004-08-04 03:45 . 2010-01-25 03:57 28672 --sh--r- c:\windows\system32\Setup\zf32.dll

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\windows\system32\windows7 ----

 

2010-08-01 02:16 . 2010-08-19 20:27 922749 ---ha-w- c:\windows\system32\windows7\klog.dat

 

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-29 39408]

"ManyCam"="c:\arquivos de programas\ManyCam 2.4\ManyCam.exe" [2009-12-19 1824040]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2005-08-25 49152]

"snpstd"="c:\windows\vsnpstd.exe" [2004-06-11 286720]

"SiSRaid"="c:\arquivos de programas\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-05-19 905216]

"Google Quick Search Box"="c:\arquivos de programas\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-02-07 126976]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"googletalk"="c:\arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-01 3735552]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

McAfee Security Scan Plus.lnk - c:\arquivos de programas\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-10-17 262144]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\YUpdater]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Documents and Settings\\Usuário\\Configurações locais\\Dados de aplicativos\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R2 AntiVirSchedulerService;Avira AntiVir Programador;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [9/3/2010 16:42 108289]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/1/2008 07:06 21632]

S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [7/2/2010 17:43 135664]

S2 YUpdater;Yahoo Auto Updater;c:\arquivos de programas\Yahoo!\Messenger\YUpdater.exe --> c:\arquivos de programas\Yahoo!\Messenger\YUpdater.exe [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\arquivos de programas\McAfee Security Scan\2.0.181\McCHSvc.exe [15/1/2010 09:49 227232]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-02-07 20:43]

 

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-02-07 20:43]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.orkut.com/

IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

TCP: {DBFC9B47-4B37-4F76-A577-83CA8621F23F} = 200.204.0.10 200.204.0.138

FF - ProfilePath - c:\documents and settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m7ytflmm.default\

FF - prefs.js: browser.startup.homepage - www.4shared.com

FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npdeployJava1.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-27 01:54

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'lsass.exe'(584)

c:\windows\system32\mswsock.dll

.

Tempo para conclusão: 2010-08-27 01:56:40

ComboFix-quarantined-files.txt 2010-08-27 04:56

ComboFix2.txt 2010-08-27 03:26

 

Pré-execução: 6 pasta(s) 30.338.170.880 bytes disponíveis

Pós execução: 7 pasta(s) 30.330.355.712 bytes disponíveis

 

- - End Of File - - F2B0B94E0CB098AFA37F25B99284CF14

[wings 22]

1.

*Clique em [iniciar] > [Executar] > copie e cole: Combofix /uninstall

*Clique [OK]

 

 

*Clique em [Executar]

*Aguarde surgir a mensagem: "ComboFix está desinstalado"

*Clique [OK]

 

2.

*Clique em [iniciar] > [Executar] > digite: msconfig

*Clique OK

*Clique na aba "BOOT.INI"

*Selecione a linha C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

 

*Clique em [Verificar caminhos de inicialização]

*Clique em [sIM] > [OK]

 

 

*Reinicie o PC

*Ao iniciar o Windows, o utilitário de configuração informará que foi alterado.

*Clique em "Não mostrar esta mensagem ou iniciar o utilitário de configuração do sistema ao iniciar o Windows"

 

3.

*Baixe o Kaspersky Virus Removal Tool e salve-o no desktop

*Instale o programa

*A tela principal do programa será aberta automaticamente

*Selecione a opção:

 

[] Meu Computador

*Clique em [start scan]....aguarde. Pode demorar, seja paciente!

*Caso encontre algo, clique em [skip]

*Ao término do scan, clique em [Report]

*Uma janela chamada "Detailed report" será aberta

*Clique no sinal [+] ao lado de Autoscan para expandir os eventos encontrados

*Clique com o botão direito do mouse e selecione "Select all"

*Clique novamente com o botão direito do mouse e selecione "Copy"

*Abra o bloco de notas, cole (Ctrl+v) e salve o arquivo no desktop como log.txt

*Feche a janela "Detailed report" do Kasperky

*Na tela principal do Kaspersky clique em [Exit] > [No]

*Cole o relatório salvo no desktop na sua próxima resposta

 

 

Até mais tarde...

[ekobol 0]

Autoscan: completed 7 minutes ago (events: 18, objects: 83456, time: 00:20:34)

27/8/2010 02:40:29 Task started

27/8/2010 02:55:28 Detected: Trojan.Win32.Patched.dj C:\Documents and Settings\Usuário\Meus documentos\spy net\Spy-net Arquivos de funcionamento dos programas\Cliente\xupx.exe

27/8/2010 02:55:55 Detected: Trojan.Win32.Patched.dj C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\Adrenaline Binder.exe

27/8/2010 02:55:55 Detected: Trojan.Win32.Patched.dj C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\Bat_To_Exe_Converter.exe

27/8/2010 02:56:10 Untreated: Trojan.Win32.Patched.dj C:\Documents and Settings\Usuário\Meus documentos\spy net\Spy-net Arquivos de funcionamento dos programas\Cliente\xupx.exe Skipped by user

27/8/2010 02:56:12 Detected: Backdoor.Win32.SdBot.owu C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\metaMorph2.exe

27/8/2010 02:56:13 Untreated: Trojan.Win32.Patched.dj C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\Bat_To_Exe_Converter.exe Skipped by user

27/8/2010 02:56:14 Detected: Trojan-Dropper.Win32.Binder.ag C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\nova canção de ninar versao Caio kkk.scr

27/8/2010 02:56:15 Untreated: Trojan.Win32.Patched.dj C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\Adrenaline Binder.exe Skipped by user

27/8/2010 02:56:17 Untreated: Trojan-Dropper.Win32.Binder.ag C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\nova canção de ninar versao Caio kkk.scr Skipped by user

27/8/2010 02:56:17 Detected: Trojan.Win32.Llac.bdm C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\server.exe/UPX

27/8/2010 02:56:18 Untreated: Backdoor.Win32.SdBot.owu C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\metaMorph2.exe Skipped by user

27/8/2010 02:56:19 Detected: Trojan-Dropper.Win32.Decay.bys C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\SpyNet.exe

27/8/2010 02:56:20 Untreated: Trojan.Win32.Llac.bdm C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\server.exe/UPX Skipped by user

27/8/2010 02:56:21 Untreated: Trojan-Dropper.Win32.Decay.bys C:\Documents and Settings\Usuário\Meus documentos\spy net\SpyNet [programas]\SpyNet.exe Skipped by user

27/8/2010 02:56:33 Detected: Trojan.Win32.Patched.dj C:\Progra~1\SiSLan\uninst.exe

27/8/2010 02:57:03 Untreated: Trojan.Win32.Patched.dj C:\Progra~1\SiSLan\uninst.exe Skipped by user

27/8/2010 03:01:04 Task completed

[wings 22]

1.

Delete a pasta:

 

C:\Documents and Settings\Usuário\Meus documentos\spy net

 

2.

*Abra a pasta Virus Removal Tool, localizada no desktop, duplo clique no atalho Start

*A tela principal do Kaspersky será aberta novamente

*Clique em [Exit] > [Yes] > [sim] > [sim]

*O PC será reiniciado

*Delete o arquivo setup do Kaspersky e o relatório salvo no desktop

 

3.

*Baixe novamente o SystemLook e salve-o no desktop

*Execute o SystemLook

*Cole o código abaixo no espaço em branco:

 

:dir

c:\arquivos de programas\Senna Spy Tools

c:\windows\system32\Setup

:file

c:\windows\system32\Setup\zf32.dll

c:\windows\system32\windows7\klog.dat

*Clique em [Look]

*Cole o relatório SystemLook.txt localizado no desktop

[ekobol 0]

 

*Cole o relatório SystemLook.txt localizado no desktop

 

 

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 12:21 on 27/08/2010 by Usuário (Administrator - Elevation successful)

 

========== dir ==========

 

c:\arquivos de programas\Senna Spy Tools - Parameters: "(none)"

 

---Files---

None found.

 

---Folders---

One EXE Maker 2001b d----- [21:21 29/07/2010]

 

c:\windows\system32\Setup - Parameters: "(none)"

 

---Files---

comsetup.dll --a--- 259584 bytes [12:06 28/10/2001] [12:06 28/10/2001]

fp40ext.dll --a--- 32828 bytes [03:45 04/08/2004] [03:45 04/08/2004]

fsconins.dll --a--- 6144 bytes [12:06 28/10/2001] [12:06 28/10/2001]

fxsocm.dll --a--- 132608 bytes [03:45 04/08/2004] [03:45 04/08/2004]

iis.dll --a--- 507392 bytes [03:45 04/08/2004] [03:45 04/08/2004]

imsinsnt.dll --a--- 117760 bytes [12:06 28/10/2001] [12:06 28/10/2001]

medctroc.dll --a--- 16896 bytes [03:45 04/08/2004] [03:45 04/08/2004]

msdtcstp.dll --a--- 82432 bytes [12:07 28/10/2001] [12:07 28/10/2001]

msgrocm.dll --a--- 15360 bytes [03:45 04/08/2004] [03:45 04/08/2004]

msmqocm.dll --a--- 169984 bytes [03:45 04/08/2004] [03:45 04/08/2004]

netfxocm.dll --a--- 126976 bytes [01:10 04/08/2004] [01:10 04/08/2004]

netoc.dll --a--- 77824 bytes [03:45 04/08/2004] [03:45 04/08/2004]

ntoc.dll --a--- 63488 bytes [03:45 04/08/2004] [03:45 04/08/2004]

ocgen.dll --a--- 15872 bytes [03:45 04/08/2004] [03:45 04/08/2004]

ocmsn.dll --a--- 17408 bytes [03:45 04/08/2004] [03:45 04/08/2004]

setupqry.dll --a--- 101888 bytes [03:45 04/08/2004] [03:45 04/08/2004]

tabletoc.dll --a--- 34304 bytes [03:45 04/08/2004] [03:45 04/08/2004]

tsoc.dll --a--- 123392 bytes [03:45 04/08/2004] [03:45 04/08/2004]

zf32.dll -r-hs- 28672 bytes [03:57 25/01/2010] [03:45 04/08/2004]

zoneoc.dll --a--- 8261 bytes [12:07 28/10/2001] [12:07 28/10/2001]

 

---Folders---

None found.

 

========== file ==========

 

c:\windows\system32\Setup\zf32.dll - File found and opened.

MD5: EB4ECA9943DA94E09D22134EA20DC602

Created at 03:57 on 25/01/2010

Modified at 03:45 on 04/08/2004

Size: 28672 bytes

Attributes: -r-hs-

FileDescription: zlib data compression library

FileVersion: 1.1.4.0

OriginalFilename: zlib.dll

InternalName: zlib

ProductName: ZLib.DLL

LegalCopyright: © 1995-2002 Jean-loup Gailly & Mark Adler

Comments: DLL support by Alessandro Iacopetti & Gilles Vollant

 

c:\windows\system32\windows7\klog.dat - File found and opened.

MD5: 71CC457CF033EF3F5AE25DF68662596C

Created at 02:16 on 01/08/2010

Modified at 20:27 on 19/08/2010

Size: 922749 bytes

Attributes: --ah--

No version information available.

 

-=End Of File=-

[wings 22]

1.

*Delete a pasta c:\arquivos de programas\Senna Spy Tools

 

2.

*Baixe o Avenger e salve-o no desktop

*Extraia o conteúdo para o desktop

*Selecione e copie (Ctrl+C) todo o código abaixo:

 

Folders to delete:

c:\windows\system32\windows7

*Execute o Avenger

*Clique em [Load Script] > [Paste from Clipboard]

*Clique em [Execute] > [OK]

*O PC será reiniciado

*Cole o relatório criado em C:\avenger.txt

[ekobol 0]

 

*Selecione e copie (Ctrl+C) todo o código abaixo:

 

Folders to delete:

c:\windows\system32\windows7

*Execute o Avenger

*Clique em [Load Script] > [Paste from Clipboard]

*Clique em [Execute] > [OK]

*O PC será reiniciado

*Cole o relatório criado em C:\avenger.txt

 

Desculpe amigo mas não entendi esta parte, o que devo fazer com o codigo copiado acima ?

[wings 22]

Basta seguir passo a passo amigo....não há como errar.

 

1) Selecionou e copiou (Ctrl+c) o código

 

2) Execute o Avenger

 

3) Clique em [Load Script] e depois em [Paste from Clipboard]

 

4) Clique em [Execute] e depois em [OK]

 

5) O PC será reiniciado

 

6) Cole o relatório criado em C:\avenger.txt

[ekobol 0]

ok, entendi e aqui esta o log gerado:

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

Folder "c:\windows\system32\windows7" deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

[wings 22]

Informe como está o PC.