Archived: this topic has been archived and is closed to new replies.

re_goulart

[Resolved] Problem with services.exe

Good evening,

I'm having problems with services.exe:

"services.exe has encountered a problem and needs to close."

and right after that this appears:

System Shutdown

The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM

Time before shutdown: 00:00:XX

Message

The system process "C:\WINDOWS\system32\services.exe" terminated unexpectedly with status code -1073741819. The system will now shut down and restart.

 

Logfile of HijackThis v1.99.1

Scan saved at 5:55:30 PM, on 9/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

D:\Downloads\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [ljmiedyn] C:\WINDOWS\System32\ljmiedyn.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ljmiedyn] C:\Documents and Settings\Renato Goulart\ljmiedyn.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: 1uqqlcc.exe

O4 - Startup: 3iiduup.exe

O4 - Startup: 3ssneez.exe

O4 - Startup: 5o1efk8.exe

O4 - Startup: 66o86a8.exe

O4 - Startup: 6ee6qq6.exe

O4 - Startup: 70zvqq6.exe

O4 - Startup: 86k81wh.exe

O4 - Startup: 9o1kggb.exe

O4 - Startup: bssneezq.exe

O4 - Startup: ccsi1z70.exe

O4 - Startup: cxnojzavwr.exe

O4 - Startup: dzz2q5lhcdi.exe

O4 - Startup: e3ggbssneez.exe

O4 - Startup: i3upv60x91.exe

O4 - Startup: k1gccxoo.exe

O4 - Startup: kfwwriiduu.exe

O4 - Startup: kkfwwriidu.exe

O4 - Startup: lhcc6oo6.exe

O4 - Startup: ll66c86o81a.exe

O4 - Startup: mm6yy6kfb.exe

O4 - Startup: ndo1efk86w8.exe

O4 - Startup: o3qqlccxooj.exe

O4 - Startup: o70plgg6s.exe

O4 - Startup: pklq81cnoj.exe

O4 - Startup: qrw86i81uf.exe

O4 - Startup: s1okkfww.exe

O4 - Startup: t2zav5g0.exe

O4 - Startup: tpkk6ww6.exe

O4 - Startup: vvrhhdttppf.exe

O4 - Startup: xoojaavm.exe

O4 - Startup: xxtjjfvvrhh.exe

O4 - Startup: y81kvwrhi.exe

O4 - Startup: ze81qbcxno.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{417E9080-F22B-4D59-8BA1-E530FF645FD2}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{417E9080-F22B-4D59-8BA1-E530FF645FD2}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{417E9080-F22B-4D59-8BA1-E530FF645FD2}: NameServer = 192.168.1.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: cbssreg - C:\Documents and Settings\All Users\Documents\Settings\cbss.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: RUMBA AS/400 Shared Folders (kc3aeleqeiooyiy) - Unknown owner - C:\WINDOWS\system32\vydahoog.exe (file missing)

 

 

I can't do anything that takes more than 2 minutes on the PC. Hoping for help. I'm even sending this message from Safe Mode.

Thanks
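The helper reads a HijackThis log like the one above by eye. As an added example (not part of this thread, not HijackThis code and not the helper's own tooling), the Python below writes those checks down as explicit rules and runs them over lines copied from the log: Run entries with machine-generated names or launched from a user profile, executables placed in the Startup folder, a Winlogon Notify DLL outside system32 (Notify DLLs are loaded into winlogon.exe at logon), an O23 service whose binary is missing or has no known owner, and a NameServer that is not a local address. It also decodes the status code from the shutdown message: -1073741819 is the signed decimal form of NTSTATUS 0xC0000005, STATUS_ACCESS_VIOLATION, i.e. services.exe died on a memory fault; the log alone does not show which component caused it. The randomness heuristic, its thresholds and the system32 path are assumptions chosen for the example.

```python
"""Rule-based triage of HijackThis (v1.99) log lines.

Added example for this thread; it is not HijackThis code and not the forum
helper's tooling.  It writes down, as explicit checks, what a helper looks for
by eye in the log above.  The randomness heuristic and thresholds are
assumptions chosen for this example, not a published rule set.
"""
import ipaddress
import re

# Constructed sample: a subset of the lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ljmiedyn] C:\WINDOWS\System32\ljmiedyn.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ljmiedyn] C:\Documents and Settings\Renato Goulart\ljmiedyn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 1uqqlcc.exe
O4 - Startup: bssneezq.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{417E9080-F22B-4D59-8BA1-E530FF645FD2}: NameServer = 192.168.1.1
O20 - Winlogon Notify: cbssreg - C:\Documents and Settings\All Users\Documents\Settings\cbss.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: RUMBA AS/400 Shared Folders (kc3aeleqeiooyiy) - Unknown owner - C:\WINDOWS\system32\vydahoog.exe (file missing)
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<file>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
SYSTEM32 = "c:\\windows\\system32\\"   # assumption: default XP install path

def looks_random(name: str) -> bool:
    """Heuristic for generated names such as '1uqqlcc' or 'ljmiedyn' (assumption, tuned by hand)."""
    stem = name.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 3:
        return False
    digit_mix = any(c.isdigit() for c in stem)
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    consonant_run = re.search(r"[b-df-hj-np-tv-z]{5,}", stem) is not None
    return digit_mix or (len(stem) >= 7 and vowel_ratio < 0.3) or consonant_run

def exe_path(cmd: str) -> str:
    """Strip quotes and arguments from a Run value, leaving the executable path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def triage(log_text: str) -> list:
    """Return (severity, reason, line) for every entry worth a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := RUN_RE.match(line):
            path = exe_path(m["cmd"])
            if "\\documents and settings\\" in path.lower():
                findings.append(("high", "Run entry launches from a user profile", line))
            elif looks_random(path.rsplit("\\", 1)[-1]):
                findings.append(("high", "Run entry has a machine-generated name", line))
        elif m := STARTUP_RE.match(line):
            sev = "high" if looks_random(m["file"]) else "review"
            findings.append((sev, "executable placed in the Startup folder", line))
        elif m := DNS_RE.match(line):
            for srv in re.split(r"[,\s]+", m["servers"].strip()):
                try:
                    if srv and not ipaddress.ip_address(srv).is_private:
                        findings.append(("review", f"NameServer {srv} is not a local address", line))
                except ValueError:
                    findings.append(("review", f"NameServer {srv!r} is not an IP address", line))
        elif m := NOTIFY_RE.match(line):
            # Notify DLLs are loaded into winlogon.exe; legitimate ones live in system32.
            if not m["path"].lower().startswith(SYSTEM32):
                findings.append(("high", "Winlogon Notify DLL outside system32", line))
        elif m := SERVICE_RE.match(line):
            if "(file missing)" in m["path"] or m["owner"] == "Unknown owner":
                findings.append(("high", "service binary missing or of unknown owner", line))
    return findings

NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

def decode_ntstatus(signed_code: int) -> tuple:
    """Map the signed decimal status Windows prints (-1073741819) to its NTSTATUS hex form."""
    code = signed_code & 0xFFFFFFFF
    return f"0x{code:08X}", NTSTATUS_NAMES.get(code, "unknown")

if __name__ == "__main__":
    print("services.exe exit status:", decode_ntstatus(-1073741819))
    for sev, why, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {why}: {line}")
```

Run against the sample, the Avira and ctfmon entries pass and the two ljmiedyn entries, both Startup executables, cbss.dll and the missing vydahoog.exe service are flagged, which is exactly the set the later scanner logs in this thread confirm as malicious. The name heuristic is deliberately loose: a Startup-folder executable is worth a look even when its name looks ordinary, so it is reported either way at a lower severity.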


*Run an online scan with NOD32 (http://eset.com/onlinescan)

*When it finishes, paste the report created in C:\Arquivos de programas\EsetOnlineScanner\log

OK, I did everything as you said... Here is the log after the run... Awaiting your reply... Thanks...

 

 

 

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=83e5ac7f164588449bbf5d2097078aca

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-09-07 10:50:58

# local_time=2010-09-07 07:50:58 (-0300, E. South America Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=768 16777215 100 0 708397 708397 0 0

# compatibility_mode=1797 16774122 100 94 0 55615870 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=27838

# found=41

# cleaned=41

# scan_time=2505

C:\Documents and Settings\LocalService\Application Data\Microsoft\quoji.exe a variant of Win32/Kryptik.GHU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\LocalService\Application Data\Microsoft\soowourapu.exe a variant of Win32/Kryptik.GHU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\ljmiedyn.exe a variant of Win32/Kryptik.GPK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\msgvn.exe a variant of Win32/Injector.CTM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Application Data\ozzfhv.exe Win32/Bflient.K worm (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\238.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\25728.exe Win32/Peerfrag.FL worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\3701.exe a variant of Win32/Injector.CRC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\497.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\610.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\701.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\750.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\755.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\temp\80601.exe a variant of Win32/Injector.CRC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\Temporary Internet Files\Content.IE5\DOJWJL0W\icq600[1].exe Win32/Peerfrag.FL worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\Temporary Internet Files\Content.IE5\JM4773KK\prepacked[1].exe a variant of Win32/Kryptik.GPK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\Temporary Internet Files\Content.IE5\KTZ69EBZ\fewmij[1].exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\Temporary Internet Files\Content.IE5\KTZ69EBZ\vfgweregw[1].exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Local Settings\Temporary Internet Files\Content.IE5\R1K3DNOG\mir600[1].exe a variant of Win32/Injector.CRC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\66o86a8.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\70zvqq6.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\ccsi1z70.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\cxnojzavwr.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\dzz2q5lhcdi.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\k1gccxoo.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\kfwwriiduu.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\pklq81cnoj.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\t2zav5g0.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\tpkk6ww6.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\xoojaavm.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\y81kvwrhi.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\ze81qbcxno.exe a variant of Win32/Injector.CTK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\unlock\programs.rar Win32/Adware.ErrorRepairPro application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\DiskTrix\DefragExpress\DefragExpress.exe a variant of Win32/Kryptik.AQF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\RECYCLER\S-1-5-21-2250668070-8504493393-669983024-3536\yv8g67.exe a variant of Win32/Injector.CRC trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\ljmiedyn.exe a variant of Win32/Kryptik.GPK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\quoji.exe a variant of Win32/Kryptik.GHU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\soowourapu.exe a variant of Win32/Kryptik.GHU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\bdr56d7.sys Win32/Otlard.I trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\cese693.sys Win32/Otlard.I trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Downloads\DefragExpress.rar a variant of Win32/Kryptik.AQF trojan (deleted - quarantined) 00000000000000000000000000000000 C

1.

*Run the file c:\arquivos de programas\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe

2.

*Download MalwareBytes Anti-malware (http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html) and save it to the desktop

*Install the program and wait for the update

*The program will open automatically

*On the [Scan] tab, select [Full scan]

*Click [Scan] and select the partitions to be examined (usually C:\ and D:\)

*When the scan finishes, click [Yes] > [OK] > [Show Results]

*Click [Remove Selected]

*Paste the report that is shown

OK, all done. But during the removal it asked me the following: Some malicious items could not be removed. Your computer needs to be restarted to complete the removal process. Restart now??

Should I restart now? If so, do I stay in Safe Mode, otherwise it will freeze, right??

Below is the log with the report shown after the scan.

 

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

 

Database version: 4566

 

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 6.0.2900.5512

 

9/7/2010 11:12:59 PM

mbam-log-2010-09-07 (23-12-59).txt

 

Scan type: Full scan (C:\|D:\|)

Objects scanned: 161717

Time elapsed: 15 minute(s), 55 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 74

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

C:\Documents and Settings\All Users\Documents\Settings\cbss.dll (Trojan.Agent) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbssreg (Trojan.Agent) -> Delete on reboot.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.AutoRun) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Documents and Settings\Renato Goulart\Application Data\ozzfhv.exe,explorer.exe,C:\RECYCLER\S-1-5-21-2250668070-8504493393-669983024-3536\yv8g67.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Documents and Settings\Renato Goulart\Application Data\ozzfhv.exe (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Renato Goulart\Local Settings\temp\1976218.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\6ee6qq6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\mm6yy6kfb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\o70plgg6s.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Renato Goulart\Start Menu\Programs\Startup\xxtjjfvvrhh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2250668070-8504493393-669983024-3536\yv8g67.exe (Trojan.Spy) -> Delete on reboot.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP75\A0007839.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP78\A0009990.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP79\A0010024.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP79\A0010145.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP79\A0010802.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP79\A0011802.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP79\A0011803.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP80\A0011938.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP83\A0012040.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP83\A0012041.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP83\A0012042.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP84\A0012060.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP84\A0012067.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP85\A0012082.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP85\A0012119.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019153.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019154.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019155.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019156.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019158.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019159.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019161.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019162.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019163.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019164.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019165.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019167.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019168.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019170.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019172.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019173.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019174.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019175.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019176.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019177.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019178.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019179.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019180.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019181.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019182.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019183.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019184.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019185.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019186.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019187.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019188.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0019189.exe (Trojan.Ddox) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0020205.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0021205.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0021210.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0024215.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0027218.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0030223.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0032231.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0032250.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0032260.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0035662.exe (Trojan.Spy) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0037755.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0037756.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0037757.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0037770.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0037771.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0037772.sys (BackDoor.Gootkit) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP86\A0037773.sys (BackDoor.Gootkit) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\xxtjjfvvrhh.exeStartup (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Renato Goulart\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Documents\Settings\cbss.dll (Trojan.Agent) -> Delete on
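The Hijack.Shell line in the Malwarebytes log above is the interesting one: Winlogon treats the Shell value as a comma-separated list and starts every entry, so the infection kept explorer.exe in the list and added ozzfhv.exe and yv8g67.exe on either side of it, while the Notify\cbssreg subkey made winlogon.exe load cbss.dll. As an added example (not part of this thread and not Malwarebytes' own detection logic), the Python below checks both persistence points. The audit functions take the values as strings so they run anywhere; read_live() pulls the real values through winreg on Windows and returns nothing elsewhere. The sample Shell value is the "Bad:" string from the log; the two path-less Notify entries and the system root are assumptions standing in for what an XP install carries.

```python
"""Check the Winlogon persistence points reported in the Malwarebytes log above.

Added example for this thread, not Malwarebytes' own detection logic.  Winlogon
reads the 'Shell' value as a comma-separated list and starts every entry, so
malware can keep explorer.exe in place and still run alongside it; the 'Notify'
subkeys name DLLs that winlogon.exe loads at logon.  The default system root
is an assumption.
"""
import sys

SYSTEM_ROOT = r"C:\WINDOWS"   # assumption: default XP install path

# Constructed sample: the "Bad:" value from the MBAM log above, and a Notify map
# mixing the malicious cbssreg entry with two path-less names of the kind XP
# ships (path-less DllName values resolve from system32 and are expected).
SAMPLE_SHELL = (r"C:\Documents and Settings\Renato Goulart\Application Data\ozzfhv.exe,"
                r"explorer.exe,"
                r"C:\RECYCLER\S-1-5-21-2250668070-8504493393-669983024-3536\yv8g67.exe")
SAMPLE_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "ScCertProp": "wlnotify.dll",
    "cbssreg": r"C:\Documents and Settings\All Users\Documents\Settings\cbss.dll",
}

def shell_intruders(shell_value: str, system_root: str = SYSTEM_ROOT) -> list:
    """Every program in a Winlogon Shell value other than explorer.exe itself."""
    expected = {"explorer.exe", (system_root + r"\explorer.exe").lower()}
    entries = [e.strip().strip('"') for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in expected]

def notify_intruders(notify: dict, system_root: str = SYSTEM_ROOT) -> list:
    """Notify subkeys whose DllName is an explicit path outside system32."""
    sys32 = (system_root + "\\system32\\").lower()
    return [(name, dll) for name, dll in notify.items()
            if "\\" in dll and not dll.lower().startswith(sys32)]

def read_live() -> dict:
    """On Windows, fetch HKLM/HKCU Shell values and the HKLM Notify map; elsewhere, {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    base = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    out = {"shell": {}, "notify": {}}
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, base) as key:
                out["shell"][label] = winreg.QueryValueEx(key, "Shell")[0]
        except OSError:
            pass   # HKCU\...\Shell is absent on a clean install; its presence alone is a lead
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Notify") as nkey:
            for i in range(winreg.QueryInfoKey(nkey)[0]):
                sub = winreg.EnumKey(nkey, i)
                with winreg.OpenKey(nkey, sub) as skey:
                    out["notify"][sub] = winreg.QueryValueEx(skey, "DllName")[0]
    except OSError:
        pass
    return out

if __name__ == "__main__":
    live = read_live()
    shells = live.get("shell") or {"sample": SAMPLE_SHELL}
    notify = live.get("notify") or SAMPLE_NOTIFY
    for hive, value in shells.items():
        print(f"{hive} Shell intruders:", shell_intruders(value))
    print("Notify intruders:", notify_intruders(notify))
```

Note that the log shows the hijacked Shell value under HKEY_CURRENT_USER, a key that does not exist on a default install; when reading live values, an HKCU Shell that merely exists deserves the same attention as one with extra entries.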

1.

*Restart the PC

2.

*Temporarily disable your antivirus

Right-click the Avira icon next to the clock

Click the "Antivir Guard enable" option.

*Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to the desktop

*Run ComboFix and accept the agreement

*If the Windows Recovery Console is already installed, ComboFix will continue automatically. Otherwise, click [Yes] to install it and then [Yes] to continue.

*Wait for all stages to complete

*Avoid using the mouse and keyboard while ComboFix is running!..... To abort the procedure press [N] or [2] and then [ENTER]

*When it finishes, the report C:\combofix.txt will be shown.

*Paste it in your next reply.

*If you restart the PC there will be an option at boot called Recovery Console. Do not enter Windows through it unless properly instructed to!

OK!! Everything done as described above, and as planned... Thank you very much for the help so far!

Below is the ComboFix log... Awaiting the next step...

 

ComboFix 10-09-07.01 - Renato Goulart 09/08/2010 0:02.3.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1033.18.1022.837 [GMT -3:00]

Running from: c:\documents and settings\Renato Goulart\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users.\documents\settings

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\1uqqlcc.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\3iiduup.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\3ssneez.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\5o1efk8.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\86k81wh.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\9o1kggb.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\bssneezq.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\e3ggbssneez.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\i3upv60x91.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\kkfwwriidu.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\lhcc6oo6.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\ll66c86o81a.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\ndo1efk86w8.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\o3qqlccxooj.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\qrw86i81uf.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\s1okkfww.exe

c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\vvrhhdttppf.exe

c:\documents and settings\unlock\wrar380.exe

c:\windows\system32\ReadMe.txt

 

c:\windows\system32\grpconv.exe was missing

Restored copy from - c:\system volume information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP82\A0012027.exe

 

The copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Restored copy from - c:\system volume information\_restore{ABA237B3-4913-4DFE-9AD1-CA1DDF3B4A90}\RP74\A0007684.sys

.

(((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 ))))))))))))))))))))))))))))

.

 

2010-09-08 03:06 . 2008-04-14 12:00 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-09-08 01:53 . 2010-09-08 01:53 -------- d-----w- c:\documents and settings\Renato Goulart\Application Data\Malwarebytes

2010-09-08 01:53 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-08 01:53 . 2010-09-08 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-08 01:53 . 2010-09-08 01:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-08 01:53 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-07 21:01 . 2010-09-07 21:01 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-07 20:06 . 2010-09-07 20:06 53248 ----a-w- c:\windows\PSEXESVC.EXE

2010-09-07 20:05 . 2010-09-07 20:05 389120 ----a-w- c:\windows\system32\CF11471.exe

2010-09-02 17:40 . 2009-11-25 14:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-09-01 03:38 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-08-23 04:20 . 2010-08-23 04:20 -------- d-----w- c:\program files\eMule

2010-08-20 02:22 . 2010-08-20 02:22 -------- d-----w- c:\program files\Alwil Software

2010-08-20 02:22 . 2010-08-20 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-08-19 04:34 . 2006-06-29 16:07 14048 ------w- c:\windows\system32\spmsg2.dll

2010-08-19 04:34 . 2010-08-19 04:34 -------- d-----w- c:\windows\system32\pt-BR

2010-08-19 04:33 . 2010-08-19 04:33 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-08-19 04:32 . 2010-08-19 04:34 -------- d-----w- c:\windows\system32\XPSViewer

2010-08-19 04:32 . 2010-08-19 04:32 -------- d-----w- c:\program files\Reference Assemblies

2010-08-19 04:32 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-08-19 04:32 . 2007-11-30 11:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe

2010-08-19 04:31 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-08-19 04:31 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-08-19 04:31 . 2010-08-19 04:32 -------- d-----w- C:\1ec54ec83daf27049c16acf13232fb

2010-08-19 04:31 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-08-19 04:31 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-08-19 04:31 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-08-19 04:31 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-08-19 04:31 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-08-19 04:31 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-08-19 03:53 . 2010-08-19 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive

2010-08-19 03:53 . 2010-08-19 03:56 -------- d-----w- c:\documents and settings\Renato Goulart\Application Data\Sports Interactive

2010-08-19 03:42 . 2010-08-19 04:19 -------- d--h--w- c:\windows\msdownld.tmp

2010-08-19 03:42 . 2010-08-19 03:42 -------- d-----w- c:\windows\Logs

2010-08-19 03:07 . 2010-08-19 03:07 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-08-19 03:06 . 2010-08-19 03:26 -------- d-----w- c:\documents and settings\Renato Goulart\Application Data\DAEMON Tools Lite

2010-08-19 03:06 . 2010-08-19 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2010-08-16 20:27 . 2010-08-16 20:27 -------- d-----w- c:\documents and settings\Renato Goulart\Local Settings\Application Data\NitroPC

2010-08-16 20:27 . 2010-08-16 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-31 15:48 . 2010-06-13 22:39 65752 ----a-w- c:\documents and settings\Renato Goulart\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-27 10:37 . 2008-04-14 12:00 1033728 ----a-w- c:\windows\explorer.exe

2010-08-25 03:20 . 2010-07-04 23:33 -------- d-----w- c:\program files\Warcraft III

2010-08-19 04:32 . 2010-06-13 22:44 -------- d-----w- c:\program files\MSBuild

2010-08-07 07:16 . 2010-06-13 17:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-19 22:23 . 2010-07-19 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-19 16:05 . 2010-07-19 16:04 2605008 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-06-30 00:32 . 2010-06-12 22:03 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-06-13 23:48 . 2010-06-13 23:48 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-06-13 23:48 . 2010-06-13 23:48 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-06-13 23:48 . 2010-06-13 23:48 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-06-13 23:48 . 2010-06-13 23:48 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-06-13 23:48 . 2010-06-13 23:48 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-06-13 23:48 . 2010-06-13 23:48 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-06-13 23:48 . 2010-06-13 23:48 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-06-13 23:48 . 2010-06-13 23:48 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-06-13 23:48 . 2010-06-13 23:48 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-06-13 23:47 . 2010-06-13 23:47 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-06-13 23:47 . 2010-06-13 23:47 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-06-13 22:36 . 2010-06-13 22:36 0 ----a-w- c:\windows\nsreg.dat

2010-06-12 22:01 . 2010-06-12 22:01 21640 ----a-w- c:\windows\system32\emptyregdb.dat

.

 

------- Sigcheck -------

 

[-] 2009-09-20 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

 

[-] 2009-09-20 . AB9E8F44D2F80A8060BEFB29192F4249 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries and legit default entries are not shown.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:8ce1d9a2c88

 

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^3iiduup.exe]

path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\3iiduup.exe

backup=c:\windows\pss\3iiduup.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^bssneezq.exe]

path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\bssneezq.exe

backup=c:\windows\pss\bssneezq.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^e3ggbssneez.exe]

path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\e3ggbssneez.exe

backup=c:\windows\pss\e3ggbssneez.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^ll66c86o81a.exe]

path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\ll66c86o81a.exe

backup=c:\windows\pss\ll66c86o81a.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^o3qqlccxooj.exe]

path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\o3qqlccxooj.exe

backup=c:\windows\pss\o3qqlccxooj.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^qrw86i81uf.exe]

path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\qrw86i81uf.exe

backup=c:\windows\pss\qrw86i81uf.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^s1okkfww.exe]

path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\s1okkfww.exe

backup=c:\windows\pss\s1okkfww.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^xxtjjfvvrhh.exe]

path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\xxtjjfvvrhh.exe

backup=c:\windows\pss\xxtjjfvvrhh.exeStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8169Diag]

2008-05-12 15:30 139264 ----a-w- c:\program files\Realtek\Diagnostics Utility\8169Diag.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2006-10-27 03:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2010-03-17 19:52 19520544 ----a-w- c:\windows\RTHDCPL.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-06-13 23:47 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

 

S1 cese693;cese693;c:\windows\system32\drivers\cese693.sys --> c:\windows\system32\drivers\cese693.sys [?]

S2 kc3aeleqeiooyiy;RUMBA AS/400 Shared Folders;c:\windows\system32\vydahoog.exe --> c:\windows\system32\vydahoog.exe [?]

S2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [13/6/2010 18:02 8960]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [13/6/2010 20:53 1691480]

S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [13/6/2010 18:02 11264]

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\RENATO~1\LOCALS~1\Temp\CRT36.tmp --> c:\docume~1\RENATO~1\LOCALS~1\Temp\CRT36.tmp [?]

S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [13/6/2010 18:02 16640]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/8/2010 00:07 691696]

.

Contents of the 'Scheduled Tasks' folder

 

2010-09-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1801674531-1606980848-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

 

2010-09-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1801674531-1606980848-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.uol.com.br/

IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {417E9080-F22B-4D59-8BA1-E530FF645FD2} = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Renato Goulart\Application Data\Mozilla\Firefox\Profiles\q5xge7t0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.uol.com.br/

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe

MSConfigStartUp-ctfmon - \\WINDOWS\\system32\\ctfmon.exe

MSConfigStartUp-kuquy - c:\windows\system32\soowourapu.exe

MSConfigStartUp-ljmiedyns - c:\documents and settings\Renato Goulart\ljmiedyns.exe

MSConfigStartUp-Local Security Authentication Server - c:\documents and settings\Renato Goulart\Application Data\lsass.exe

MSConfigStartUp-NitroPC - c:\program files\NitroPC\NitroPC.exe

MSConfigStartUp-userini - c:\windows\system32\userini.exe

AddRemove-HijackThis - c:\documents and settings\Renato Goulart\Desktop\HijackThis.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-08 00:07

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]

"ImagePath"="\??\c:\docume~1\RENATO~1\LOCALS~1\Temp\CRT36.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(628)

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(1196)

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

Completion time: 2010-09-08 00:09:23 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-08 03:09

 

Pre-Run: 31,147,638,784 bytes free

Post-Run: 7 folder(s) 31,115,018,240 bytes free

 

- - End Of File - - 0EAB9E5C96A0700C29717B94C43E476B


*Open Notepad and paste the code below into it:

KILLALL::
File::
c:\windows\system32\drivers\cese693.sys
c:\windows\system32\vydahoog.exe
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^3iiduup.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^bssneezq.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^e3ggbssneez.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^ll66c86o81a.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^o3qqlccxooj.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^qrw86i81uf.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^s1okkfww.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^xxtjjfvvrhh.exe]
Driver::
cese693
kc3aeleqeiooyiy

*Save the file to the desktop as CFScript.txt

*Drag the file onto ComboFix as shown in the illustration below:

CFScript.gif

*Important: while ComboFix is running, avoid using the mouse and keyboard!!..to stop the process press N or 2.

*Paste the C:\combofix.txt report

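The ComboFix log posted above and the CFScript the helper wrote from it are one workflow done by hand: read the service list, the msconfig-disabled Startup-folder entries and the orphans, decide what is suspicious, then lay the answers out as File::, Registry:: and Driver:: sections. The Python below is an added example (not ComboFix's own code and not the helper's script) that automates that first pass over lines excerpted from the log above. The heuristics it applies (a bare .exe in the Startup folder where only .lnk shortcuts belong, a service whose binary ComboFix could not read, a service image under Temp, a service name matching neither its display name nor its binary, a system-binary name such as lsass.exe outside \windows) and the high/review split are this example's own assumptions, and every line of the draft still needs a human review before it goes anywhere near ComboFix.

```python
# Added example: triage a ComboFix log and draft a CFScript from what it flags.
# Not ComboFix's code and not the helper's script; heuristics are assumptions.
import re

# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^3iiduup.exe]
path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\3iiduup.exe
backup=c:\windows\pss\3iiduup.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^bssneezq.exe]
path=c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\bssneezq.exe
backup=c:\windows\pss\bssneezq.exeStartup

S1 cese693;cese693;c:\windows\system32\drivers\cese693.sys --> c:\windows\system32\drivers\cese693.sys [?]
S2 kc3aeleqeiooyiy;RUMBA AS/400 Shared Folders;c:\windows\system32\vydahoog.exe --> c:\windows\system32\vydahoog.exe [?]
S2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [13/6/2010 18:02 8960]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\RENATO~1\LOCALS~1\Temp\CRT36.tmp --> c:\docume~1\RENATO~1\LOCALS~1\Temp\CRT36.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/8/2010 00:07 691696]

MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
MSConfigStartUp-Local Security Authentication Server - c:\documents and settings\Renato Goulart\Application Data\lsass.exe
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
STARTUP_KEY_RE = re.compile(r"^\[HKLM\\~\\startupfolder\\(.+)\]$")
MSCONFIG_RE = re.compile(r"^MSConfigStartUp-(.+?) - (.+)$")

# Names that belong under \windows; the same name elsewhere is a masquerade
# (compare the orphan "lsass.exe" under Application Data in the log above).
SYSTEM_NAMES = {"lsass.exe", "services.exe", "svchost.exe", "csrss.exe",
                "winlogon.exe", "smss.exe", "userinit.exe", "explorer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Scan the log once; return findings as dicts with kind, name, paths,
    reasons and severity ('high' goes into the script, 'review' does not)."""
    findings = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if STARTUP_KEY_RE.match(line):
            # msconfig-disabled Startup item: following lines carry path= and backup=
            entry, j = {}, i + 1
            while j < len(lines) and lines[j].strip().startswith(("path=", "backup=")):
                k, v = lines[j].strip().split("=", 1)
                entry[k] = v
                j += 1
            # Legitimate Startup-folder items are .lnk shortcuts; a bare .exe
            # planted there is how the dropper in this thread persisted.
            if basename(entry.get("path", "")).endswith(".exe"):
                findings.append({"kind": "startupfolder", "name": basename(entry["path"]),
                                 "key": line[1:-1],
                                 "paths": [entry["path"], entry.get("backup", "")],
                                 "reasons": ["executable instead of a shortcut in the Startup folder"],
                                 "severity": "high"})
            i = j
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            _start, name, display, image, status = svc.groups()
            image = image.split(" --> ")[-1]       # keep the resolved path
            missing = status.strip() == "?"        # ComboFix could not read the binary
            in_temp = "\\temp\\" in image.lower()
            reasons = []
            if missing:
                reasons.append("service binary missing or unreadable ([?])")
            if in_temp:
                reasons.append("service image lives under a Temp directory")
            if name.lower() not in basename(image) and name.lower() not in display.lower():
                reasons.append("service name matches neither its display name nor its binary")
            if reasons:
                # Temp-resident services include legitimate game anti-cheat
                # drivers, so those stay at 'review' instead of being scripted away.
                severity = "high" if missing and not in_temp else "review"
                findings.append({"kind": "service", "name": name, "paths": [image],
                                 "reasons": reasons, "severity": severity})
        orphan = MSCONFIG_RE.match(line)
        if orphan:
            name, path = orphan.groups()
            if basename(path) in SYSTEM_NAMES and "\\windows\\" not in path.lower():
                findings.append({"kind": "masquerade", "name": name, "paths": [path],
                                 "reasons": ["system binary name running from outside \\windows"],
                                 "severity": "high"})
        i += 1
    return findings


def draft_cfscript(findings):
    """Lay the high-severity findings out in the File::/Registry::/Driver::
    sections used in the helper's script above. Review every line by hand."""
    files, keys, drivers = [], [], []
    for f in findings:
        if f["severity"] != "high":
            continue
        files.extend(p for p in f["paths"] if p)
        if f["kind"] == "startupfolder":
            keys.append("[-" + f["key"] + "]")
        elif f["kind"] == "service":
            drivers.append(f["name"])
    parts = ["KILLALL::", "", "File::", *files, "", "Registry::", *keys, "", "Driver::", *drivers]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['kind']} {f['name']}: {'; '.join(f['reasons'])}")
    print()
    print(draft_cfscript(found))
```

Run against the excerpt, the script lists cese693 and kc3aeleqeiooyiy under Driver:: and the two planted Startup-folder executables (with their pss backups, spelled exactly as the log lists them) under File::, while GarenaPEngine, whose binary is also missing but sits under Temp, is only reported for review; LANPkt and sptd produce no finding at all.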

*Open Notepad and paste the code below into it:

KILLALL::
File::
c:\windows\system32\drivers\cese693.sys
c:\windows\system32\vydahoog.exe
c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\3iiduup.exe
c:\windows\pss\3iiduup.exe
c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\bssneezq.exe
c:\windows\pss\bssneezq.exe
c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\e3ggbssneez.exe
c:\windows\pss\e3ggbssneez.exe
c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\ll66c86o81a.exe
c:\windows\pss\ll66c86o81a.exe
c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\o3qqlccxooj.exe
c:\windows\pss\o3qqlccxooj.exe
c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\qrw86i81uf.exe
c:\windows\pss\qrw86i81uf.exe
c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\s1okkfww.exe
c:\windows\pss\s1okkfww.exe
c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\xxtjjfvvrhh.exe
c:\windows\pss\xxtjjfvvrhh.exe
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^3iiduup.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^bssneezq.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^e3ggbssneez.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^ll66c86o81a.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^o3qqlccxooj.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^qrw86i81uf.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^s1okkfww.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Renato Goulart^Start Menu^Programs^Startup^xxtjjfvvrhh.exe]
Driver::
cese693
kc3aeleqeiooyiy

*Save the file to the desktop as CFScript.txt

*Drag the file onto ComboFix as shown in the illustration below:

CFScript.gif

*Important: while ComboFix is running, avoid using the mouse and keyboard!!..to stop the process press N or 2.

*Paste the C:\combofix.txt report

 

 

OK, done successfully. Just for the record, all the steps are being carried out in Safe Mode, even when asked to restart the computer...

Below is the ComboFix log after the last step...

 

ComboFix 10-09-07.01 - Renato Goulart 09/08/2010 0:41.4.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1033.18.1022.700 [GMT -3:00]

Running from: c:\documents and settings\Renato Goulart\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Renato Goulart\Desktop\CFScript.txt.txt

 

FILE ::

"c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\3iiduup.exe"

"c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\bssneezq.exe"

"c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\e3ggbssneez.exe"

"c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\ll66c86o81a.exe"

"c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\o3qqlccxooj.exe"

"c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\qrw86i81uf.exe"

"c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\s1okkfww.exe"

"c:\documents and settings\Renato Goulart\Start Menu\Programs\Startup\xxtjjfvvrhh.exe"

"c:\windows\pss\3iiduup.exe"

"c:\windows\pss\bssneezq.exe"

"c:\windows\pss\e3ggbssneez.exe"

"c:\windows\pss\ll66c86o81a.exe"

"c:\windows\pss\o3qqlccxooj.exe"

"c:\windows\pss\qrw86i81uf.exe"

"c:\windows\pss\s1okkfww.exe"

"c:\windows\pss\xxtjjfvvrhh.exe"

"c:\windows\system32\drivers\cese693.sys"

"c:\windows\system32\vydahoog.exe"

.

 

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_CESE693

-------\Legacy_KC3AELEQEIOOYIY

-------\Service_cese693

-------\Service_kc3aeleqeiooyiy

 

 

(((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 ))))))))))))))))))))))))))))

.

 

2010-09-08 03:06 . 2008-04-14 12:00 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-09-08 01:53 . 2010-09-08 01:53 -------- d-----w- c:\documents and settings\Renato Goulart\Application Data\Malwarebytes

2010-09-08 01:53 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-08 01:53 . 2010-09-08 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-08 01:53 . 2010-09-08 01:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-08 01:53 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-07 21:01 . 2010-09-07 21:01 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-07 20:06 . 2010-09-07 20:06 53248 ----a-w- c:\windows\PSEXESVC.EXE

2010-09-07 20:05 . 2010-09-07 20:05 389120 ----a-w- c:\windows\system32\CF11471.exe

2010-09-02 17:40 . 2009-11-25 14:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-09-01 03:38 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-08-23 04:20 . 2010-08-23 04:20 -------- d-----w- c:\program files\eMule

2010-08-20 02:22 . 2010-08-20 02:22 -------- d-----w- c:\program files\Alwil Software

2010-08-20 02:22 . 2010-08-20 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-08-19 04:34 . 2006-06-29 16:07 14048 ------w- c:\windows\system32\spmsg2.dll

2010-08-19 04:34 . 2010-08-19 04:34 -------- d-----w- c:\windows\system32\pt-BR

2010-08-19 04:33 . 2010-08-19 04:33 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-08-19 04:32 . 2010-08-19 04:34 -------- d-----w- c:\windows\system32\XPSViewer

2010-08-19 04:32 . 2010-08-19 04:32 -------- d-----w- c:\program files\Reference Assemblies

2010-08-19 04:32 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-08-19 04:32 . 2007-11-30 11:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe

2010-08-19 04:31 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-08-19 04:31 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-08-19 04:31 . 2010-08-19 04:32 -------- d-----w- C:\1ec54ec83daf27049c16acf13232fb

2010-08-19 04:31 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-08-19 04:31 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-08-19 04:31 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-08-19 04:31 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-08-19 04:31 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-08-19 04:31 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-08-19 03:53 . 2010-08-19 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive

2010-08-19 03:53 . 2010-08-19 03:56 -------- d-----w- c:\documents and settings\Renato Goulart\Application Data\Sports Interactive

2010-08-19 03:42 . 2010-08-19 04:19 -------- d--h--w- c:\windows\msdownld.tmp

2010-08-19 03:42 . 2010-08-19 03:42 -------- d-----w- c:\windows\Logs

2010-08-19 03:07 . 2010-08-19 03:07 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-08-19 03:06 . 2010-08-19 03:26 -------- d-----w- c:\documents and settings\Renato Goulart\Application Data\DAEMON Tools Lite

2010-08-19 03:06 . 2010-08-19 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2010-08-16 20:27 . 2010-08-16 20:27 -------- d-----w- c:\documents and settings\Renato Goulart\Local Settings\Application Data\NitroPC

2010-08-16 20:27 . 2010-08-16 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-31 15:48 . 2010-06-13 22:39 65752 ----a-w- c:\documents and settings\Renato Goulart\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-27 10:37 . 2008-04-14 12:00 1033728 ----a-w- c:\windows\explorer.exe

2010-08-25 03:20 . 2010-07-04 23:33 -------- d-----w- c:\program files\Warcraft III

2010-08-19 04:32 . 2010-06-13 22:44 -------- d-----w- c:\program files\MSBuild

2010-08-07 07:16 . 2010-06-13 17:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-19 22:23 . 2010-07-19 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-19 16:05 . 2010-07-19 16:04 2605008 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-06-30 00:32 . 2010-06-12 22:03 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-06-13 23:48 . 2010-06-13 23:48 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-06-13 23:48 . 2010-06-13 23:48 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-06-13 23:48 . 2010-06-13 23:48 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-06-13 23:48 . 2010-06-13 23:48 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-06-13 23:48 . 2010-06-13 23:48 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-06-13 23:48 . 2010-06-13 23:48 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-06-13 23:48 . 2010-06-13 23:48 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-06-13 23:48 . 2010-06-13 23:48 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-06-13 23:48 . 2010-06-13 23:48 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-06-13 23:47 . 2010-06-13 23:47 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-06-13 23:47 . 2010-06-13 23:47 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-06-13 22:36 . 2010-06-13 22:36 0 ----a-w- c:\windows\nsreg.dat

2010-06-12 22:01 . 2010-06-12 22:01 21640 ----a-w- c:\windows\system32\emptyregdb.dat

.

 

------- Sigcheck -------

 

[-] 2009-09-20 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

 

[-] 2009-09-20 . AB9E8F44D2F80A8060BEFB29192F4249 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:8ce1d9a2c88

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8169Diag]

2008-05-12 15:30 139264 ----a-w- c:\program files\Realtek\Diagnostics Utility\8169Diag.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2006-10-27 03:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2010-03-17 19:52 19520544 ----a-w- c:\windows\RTHDCPL.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-06-13 23:47 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

 

S2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [13/6/2010 18:02 8960]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [13/6/2010 20:53 1691480]

S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [13/6/2010 18:02 11264]

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\RENATO~1\LOCALS~1\Temp\CRT36.tmp --> c:\docume~1\RENATO~1\LOCALS~1\Temp\CRT36.tmp [?]

S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [13/6/2010 18:02 16640]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/8/2010 00:07 691696]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-09-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1801674531-1606980848-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

 

2010-09-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1801674531-1606980848-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.uol.com.br/

IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {417E9080-F22B-4D59-8BA1-E530FF645FD2} = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Renato Goulart\Application Data\Mozilla\Firefox\Profiles\q5xge7t0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.uol.com.br/

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-08 00:45

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]

"ImagePath"="\??\c:\docume~1\RENATO~1\LOCALS~1\Temp\CRT36.tmp"

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(628)

c:\windows\system32\Ati2evxx.dll

.

Tempo para conclusão: 2010-09-08 00:47:25 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-09-08 03:47

ComboFix2.txt 2010-09-08 03:09

 

Pré-execução: 31,104,290,816 bytes free

Pós execução: 31,031,947,264 bytes free

 

- - End Of File - - D7D26A36A030E5D9A6761AF24A9F1CE9


1.

*Click [Start] > [Run] > copy and paste: Combofix /uninstall

*Click [OK] > [Run]

*Wait for the message: "ComboFix is uninstalled"

*Click [OK]

2.

*Run Malwarebytes, click the [Quarantine] tab, select all results and click [Delete All]

*Click the [Logs] tab, select the report and click [Delete]

3.

*Download the Kaspersky Virus Removal Tool (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) and save it to the desktop

*Install the program

*Select the option:

[X] My Computer

*Click [start scan]....wait. It may take a while, be patient!

*If it finds anything, click [skip]

*When it finishes, click [Report]

*A window called "Detailed report" will open

*Click the [+] sign next to Autoscan to expand the events found

*Right-click Autoscan and select "Select all"

*Right-click again and select "Copy"

*Open Notepad, paste (Ctrl+V) and save the file to the desktop as log.txt

*Close the Kaspersky "Detailed report" window

*On the Kaspersky main screen click [Exit] > [No]

*Paste the log.txt report saved on the desktop



 

 

OK, after an hour of scanning, the results are attached below:

 

Autoscan: completed 1 minute ago (events: 18, objects: 236227, time: 01:05:08)

9/8/2010 1:25:45 AM Task started

9/8/2010 2:05:09 AM Detected: Trojan.Win32.Ddox.rk C:\WINDOWS\pss\bssneezq.exeStartup

9/8/2010 2:05:09 AM Detected: Trojan.Win32.Ddox.rl C:\WINDOWS\pss\e3ggbssneez.exeStartup

9/8/2010 2:05:09 AM Detected: Trojan.Win32.Ddox.ro C:\WINDOWS\pss\3iiduup.exeStartup

9/8/2010 2:11:20 AM Untreated: Trojan.Win32.Ddox.rk C:\WINDOWS\pss\bssneezq.exeStartup Skipped by user

9/8/2010 2:11:20 AM Detected: Trojan.Win32.Ddox.rm C:\WINDOWS\pss\ll66c86o81a.exeStartup

9/8/2010 2:11:21 AM Untreated: Trojan.Win32.Ddox.rl C:\WINDOWS\pss\e3ggbssneez.exeStartup Skipped by user

9/8/2010 2:11:22 AM Detected: Trojan.Win32.Ddox.ro C:\WINDOWS\pss\o3qqlccxooj.exeStartup

9/8/2010 2:11:22 AM Untreated: Trojan.Win32.Ddox.ro C:\WINDOWS\pss\3iiduup.exeStartup Skipped by user

9/8/2010 2:11:23 AM Detected: Trojan.Win32.Ddox.rk C:\WINDOWS\pss\qrw86i81uf.exeStartup

9/8/2010 2:11:23 AM Untreated: Trojan.Win32.Ddox.rm C:\WINDOWS\pss\ll66c86o81a.exeStartup Skipped by user

9/8/2010 2:11:24 AM Detected: Trojan.Win32.Ddox.rn C:\WINDOWS\pss\s1okkfww.exeStartup

9/8/2010 2:11:25 AM Untreated: Trojan.Win32.Ddox.ro C:\WINDOWS\pss\o3qqlccxooj.exeStartup Skipped by user

9/8/2010 2:11:26 AM Untreated: Trojan.Win32.Ddox.rn C:\WINDOWS\pss\s1okkfww.exeStartup Skipped by user

9/8/2010 2:11:28 AM Untreated: Trojan.Win32.Ddox.rk C:\WINDOWS\pss\qrw86i81uf.exeStartup Skipped by user

9/8/2010 2:12:46 AM Detected: Virus.Win32.Protector.f C:\WINDOWS\system32\dllcache\ndis.sys

9/8/2010 2:12:50 AM Untreated: Virus.Win32.Protector.f C:\WINDOWS\system32\dllcache\ndis.sys Skipped by user

9/8/2010 2:30:53 AM Task completed

 

Awaiting your reply.. Thanks..


*Open the Virus Removal Tool folder on the desktop and run the Start shortcut

*Select the option:

[X] My Computer

*Click [start scan]....wait. It may take a while, be patient!

*If it finds anything, click [Disinfect]; if that is not possible, click [Delete]

*When it finishes, click [Report]

*In the [important events] box select "All events"

*Click the [+] sign next to Autoscan to expand the events found

*Right-click Autoscan and select "Select all"

*Right-click again and select "Copy"

*Open Notepad, paste (Ctrl+V) and save the file to the desktop as log2.txt

*Close the Kaspersky "Detailed report" window

*On the Kaspersky main screen click [Exit] > [No]

*Paste the log2.txt report saved on the desktop



 

 

Partner, I have a problem: since I'm using the computer in Safe Mode, it can't handle very heavy files. The program freezes when I try to copy all the events from the last scan. What should I do? Do I copy and paste here, as I did before, only the important events, or will we do it another way? Awaiting your reply... Thanks

If there is no other way, and you really need the all events option, I'll do it manually, copying and pasting piece by piece; it will take a while, but that's fine. No problem, I just need your confirmation on what to do... Thanks


OK....

*New HijackThis log, and let me know how the PC is doing.

 

 

OK, I'll send two logs... First the one you asked for earlier, but instead of selecting all events I'll set it to important events... And right after that log, I'll post the new HijackThis log, as requested...

 

Autoscan: completed 19 hours ago (events: 18, objects: 236227, time: 01:05:08)

Autoscan: completed 19 hours ago (events: 19, objects: 184951, time: 00:27:45)

9/8/2010 2:43:01 AM Task started

9/8/2010 2:50:05 AM Detected: Trojan.Win32.Ddox.rl C:\WINDOWS\pss\e3ggbssneez.exeStartup

9/8/2010 2:50:05 AM Detected: Trojan.Win32.Ddox.rk C:\WINDOWS\pss\bssneezq.exeStartup

9/8/2010 2:50:05 AM Detected: Trojan.Win32.Ddox.ro C:\WINDOWS\pss\3iiduup.exeStartup

9/8/2010 2:50:23 AM Deleted: Trojan.Win32.Ddox.rl C:\WINDOWS\pss\e3ggbssneez.exeStartup

9/8/2010 2:50:23 AM Detected: Trojan.Win32.Ddox.rm C:\WINDOWS\pss\ll66c86o81a.exeStartup

9/8/2010 2:50:24 AM Deleted: Trojan.Win32.Ddox.ro C:\WINDOWS\pss\3iiduup.exeStartup

9/8/2010 2:50:24 AM Detected: Trojan.Win32.Ddox.ro C:\WINDOWS\pss\o3qqlccxooj.exeStartup

9/8/2010 2:50:24 AM Deleted: Trojan.Win32.Ddox.rk C:\WINDOWS\pss\bssneezq.exeStartup

9/8/2010 2:50:24 AM Detected: Trojan.Win32.Ddox.rk C:\WINDOWS\pss\qrw86i81uf.exeStartup

9/8/2010 2:50:30 AM Deleted: Trojan.Win32.Ddox.rm C:\WINDOWS\pss\ll66c86o81a.exeStartup

9/8/2010 2:50:30 AM Detected: Trojan.Win32.Ddox.rn C:\WINDOWS\pss\s1okkfww.exeStartup

9/8/2010 2:50:30 AM Deleted: Trojan.Win32.Ddox.ro C:\WINDOWS\pss\o3qqlccxooj.exeStartup

9/8/2010 2:50:30 AM Deleted: Trojan.Win32.Ddox.rk C:\WINDOWS\pss\qrw86i81uf.exeStartup

9/8/2010 2:50:33 AM Deleted: Trojan.Win32.Ddox.rn C:\WINDOWS\pss\s1okkfww.exeStartup

9/8/2010 2:51:46 AM Detected: Virus.Win32.Protector.f C:\WINDOWS\system32\dllcache\ndis.sys

9/8/2010 2:51:53 AM Disinfected: Virus.Win32.Protector.f C:\WINDOWS\system32\dllcache\ndis.sys

9/8/2010 2:51:53 AM Disinfected: Virus.Win32.Protector.f C:\WINDOWS\system32\dllcache\ndis.sys

9/8/2010 3:10:46 AM Task completed

 

 

Here is the HijackThis log now

 

Logfile of HijackThis v1.99.1

Scan saved at 9:58:22 PM, on 9/8/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

D:\Downloads\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: setup_9.0.0.722_08.09.2010_04-24.lnk = C:\Documents and Settings\Renato Goulart\Desktop\Virus Removal Tool\setup_9.0.0.722_08.09.2010_04-24\startup.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{417E9080-F22B-4D59-8BA1-E530FF645FD2}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{417E9080-F22B-4D59-8BA1-E530FF645FD2}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{417E9080-F22B-4D59-8BA1-E530FF645FD2}: NameServer = 192.168.1.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


The log is clean....

How is the PC?

 

 

I don't know, I haven't restarted since I started getting your help... I'll restart in Normal Mode, not Safe Mode, to see what happens... Any other recommendation before I restart??

Ah, I found something out: when I boot in Normal Mode with the internet cable disconnected, the auto-shutdown message doesn't appear...

Can I restart in Normal Mode to see what happens, then??



 

 

 

Yesss.. Thank you very much, partner.. Everything worked out here!! The problem is gone!!

Great thread!! Thanks for the help!!


Restart in Normal Mode with the cable connected.

1.

*Open the Virus Removal Tool folder on the desktop and run the Start shortcut

*Click [Exit] > [Yes] > [Yes] > [Yes]

*The PC will be restarted

*Delete the Kaspersky setup files and log.txt saved on the desktop

2.

*Download and install CCleaner (http://www.piriform.com/ccleaner/download/slim/downloadfile)

*Click [Run Cleaner]

*Click [Registry] > [Scan for Issues] > [Fix selected issues] > [Fix All Selected Issues]

3.

*Download MV RegClean (http://www.velasco.com.br/mvregclean59-br.zip) and install it

*Run MV RegClean. A web page will open. Close it.

*Click [Start] and wait

*When it finishes, click [Remove] > [Yes] > [OK]

*Close MV RegClean

4.

*Download ATF-Cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to the desktop

*Run ATF-Cleaner

*Select:

[X] Select All

*Click [Empty Selected]

=>If you use Firefox or Opera:

*Click the "Firefox" or "Opera" tab

*Select:

[X] Select All

*Click [Yes] > [Empty Selected] > [Yes]

Be careful about what you run!!!...good luck.

Regards.



 

 

Taking the opportunity, to avoid creating a new thread: could you tell me which programs you recommend for day-to-day use to keep the PC running well, such as an antivirus you recommend, the CCleaner program, maybe a program for disk defragmentation, that sort of thing...

I'm very grateful for your help; I won't need to format my PC... Big hug!!
