[Resolvido] &nbspAnálise HijackThis

[Crepo Nalin 0]

Eu baixei um programa de um site que eu achava não ser muito confiável e na hora de instalar eu vacilei e nem reparei no tamanho do arquivo, mas era um arquivo pequeno demais para ser o arquivo original, e quando cliquei pra instalar abriu o programa direto, pulando a instalação e baixou as atualizações do programa e o programa não funcionou.Já escaniei com anti-virus e anti-spywares, mas axo que ainda tenha algum problema no pc, suspeito que seja um keylogger.

 

Não notei queda de rendimento no pc por enquanto e as vezes acontece alguns erros aqui :/ mas eles ja aconteciam antes do ocorrido acima, então são problemas a parte.Eu também não entendo muito do hijack mas pela minha análise genérica eu sei que tem um negócio ai no meio é que é algo ruim, só não achei a descrição do que é

 

Alguma sugestão para saber se estou com um kl ou não, também seria muito bem vinda

 

tá ai o log

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 18:35:02, on 10/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Arquivos de programas\Webroot\WebrootSecurity\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\DAEMON Tools Lite\DTLite.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Documents and Settings\cliente\Menu Iniciar\Programas\Inicializar\windate.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeper.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\mom.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Nova pasta\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.localstrike.com.ar/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.localstrike.com.ar/

R3 - URLSearchHook: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sXe Injected] C:\Arquivos de programas\sXe Injected\sXe Injected.exe

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray

O4 - HKLM\..\Run: [iObit Security 360] "C:\Arquivos de programas\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [swg] "C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: windate.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Programador (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IS360service - IObit - C:\Arquivos de programas\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\WebrootSecurity\WRConsumerService.exe

 

--

End of file - 9311 bytes

 

 

Obrigado :)

[wings 22]

Olá Crepo Nalin

 

*Desative temporariamente seu antivírus

 

Clique com o botão direito do mouse no ícone do Avira ao lado do relógio

Clique na opção "Antivir Guard enable".

*Baixe o ComboFix e salve-o no desktop

 

*Execute o Combofix e aceite o contrato

 

*Se o console de recuperação do Windows já estiver instalado, o ComboFix continuará o processo automaticamente. Caso contrário, clique [sIM] para instalar e depois [sIM] para continuar.

 

 

 

*Aguarde a conclusão de todas as etapas

 

 

*Evite usar o mouse e o teclado durante a execução do Combofix!!..... Para interromper o procedimento tecle [N] ou [2] e depois [ENTER]

 

*Cole o relatório C:\combofix.txt

 

*Se for reiniciar o PC haverá uma opção, na inicialização, chamada Console de Recuperação. Não entre no Windows através do mesmo desde que devidamente orientado(a)!

[Crepo Nalin 0]

Olá, obrigado pela atenção

 

Mas acho que fiz uma cagada aqui:

A primeira vez que fui rodar o combo fix o programa deu um erro e reiniciou o pc, ai logo antes de inicializar por completo o combo fix rodou normalmente e gerou o log

Porém, apenas para ter certeza de que estava tudo certo salvei o log anterior e fui repetir o processo, porem o combofix acusou do antivírus de estar ativo mesmo não estando e disse que poderia gerar problemas e era por conta em risco, então reiniciei o pc antes do processo começar.

Gerei então o 2º log normalmente e sem erros, com o antivirus e o spysweeper desativados, mas ai os logs ficaram um pouco diferentes, ai não sei qual eu posto mas na dúvida está ai os dois:

 

 

ComboFix 10-10-11.01 - cliente 11/10/2010 16:00:17.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2047.1591 [GMT -3:00]

Executando de: c:\documents and settings\cliente\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\Ic.Inf

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-09-11 to 2010-10-11 ))))))))))))))))))))))))))))

.

 

2010-10-11 01:40 . 2010-10-11 01:40 -------- d-----w- c:\arquivos de programas\MSXML 4.0

2010-10-10 21:34 . 2010-10-10 21:35 -------- d-----w- C:\Nova pasta

2010-10-10 21:06 . 2010-10-10 21:30 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2010-10-10 21:06 . 2010-10-10 21:08 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy

2010-10-10 16:55 . 2010-10-10 16:55 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\IObit

2010-10-10 16:55 . 2010-10-10 16:55 -------- d-----w- c:\arquivos de programas\IObit

2010-10-10 16:29 . 2009-06-30 13:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-10-10 16:29 . 2010-10-10 16:29 -------- d-----w- c:\arquivos de programas\Panda Security

2010-10-09 17:03 . 2010-10-09 17:03 -------- d-----w- c:\arquivos de programas\MSSOAP

2010-10-09 17:03 . 2010-10-09 17:09 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Webroot

2010-10-09 17:03 . 2010-10-09 17:03 -------- d-----w- c:\documents and settings\cliente\Dados de aplicativos\Webroot

2010-10-09 17:03 . 2010-10-09 17:03 -------- d-----w- c:\arquivos de programas\Webroot

2010-10-09 17:03 . 2009-11-06 18:19 1563008 ----a-w- c:\windows\WRSetup.dll

2010-09-29 21:58 . 2010-10-10 23:03 -------- d-----w- c:\arquivos de programas\Tibia8.6

2010-09-28 21:47 . 2010-10-01 01:37 -------- d-----w- c:\documents and settings\cliente\Dados de aplicativos\Tibia

2010-09-28 21:43 . 2010-09-28 21:43 -------- d-----w- c:\arquivos de programas\Asprate

2010-09-28 21:39 . 2010-09-28 21:39 45056 ----a-w- c:\windows\Ip Changer Updater.exe

2010-09-28 21:39 . 2010-09-28 21:39 323584 ----a-w- c:\windows\Tibia MULTI-ip changer.exe

2010-09-28 21:38 . 2010-09-28 21:38 -------- d-----w- c:\windows\Language

2010-09-28 21:38 . 2010-09-23 04:49 489223 ----a-w- c:\windows\windate.exe

2010-09-28 21:38 . 2010-08-24 19:18 105760 ----a-w- c:\windows\os4.exe

2010-09-28 21:38 . 2009-11-26 00:47 315392 ----a-w- c:\windows\ipchanger.exe

2010-09-28 21:38 . 2009-02-26 15:46 176128 ----a-w- c:\windows\libcurl.dll

2010-09-28 21:38 . 2009-02-26 15:45 59904 ----a-w- c:\windows\zlib1.dll

2010-09-28 21:38 . 2004-03-10 09:45 152848 ----a-w- c:\windows\comdlg32.ocx

2010-09-28 21:38 . 2010-09-28 21:38 -------- d-----w- c:\arquivos de programas\Tibia8.54

2010-09-27 04:29 . 2010-09-27 04:29 -------- d-----w- c:\arquivos de programas\MSECache

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

 

------- Sigcheck -------

 

[7] 2008-04-14 12:00 . 60103CA5992F18B1EEF8D4511318C4B3 . 52736 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll

[-] 2006-10-19 00:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[-] 2006-10-19 00:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{9b339f6e-ddcd-401b-8764-230adbd01761}"= "c:\arquivos de programas\Messenger_Plus_Live\tbMes0.dll" [2010-10-04 2735200]

 

[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b339f6e-ddcd-401b-8764-230adbd01761}]

2010-10-04 17:38 2735200 ----a-w- c:\arquivos de programas\Messenger_Plus_Live\tbMes0.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{9b339f6e-ddcd-401b-8764-230adbd01761}"= "c:\arquivos de programas\Messenger_Plus_Live\tbMes0.dll" [2010-10-04 2735200]

 

[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{9B339F6E-DDCD-401B-8764-230ADBD01761}"= "c:\arquivos de programas\Messenger_Plus_Live\tbMes0.dll" [2010-10-04 2735200]

 

[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]

"DAEMON Tools Lite"="c:\arquivos de programas\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-31 39408]

"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"sXe Injected"="c:\arquivos de programas\sXe Injected\sXe Injected.exe" [2010-10-03 1867776]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SpySweeper"="c:\arquivos de programas\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\

windate.exe [2010-9-28 489223]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

2009-03-02 16:08 209153 ----a-w- c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2007-01-15 19:14 147456 ----a-w- c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-04-02 00:53 136176 ----atw- c:\documents and settings\cliente\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2008-09-16 06:01 178712 ----a-r- c:\windows\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2008-09-16 06:02 150040 ----a-r- c:\windows\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 19:44 3883840 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 18:40 155648 ----a-w- c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2008-09-16 06:02 150040 ----a-r- c:\windows\system32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-10-28 09:18 17331200 ----a-w- c:\windows\RTHDCPL.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2009-11-25 00:24 98304 ----a-w- c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 14:43 248040 ----a-w- c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2010-03-31 22:22 39408 ----a-w- c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"c:\\Arquivos de programas\\Valve\\hl.exe"=

"c:\\Arquivos de programas\\ONGAME\\Metin2\\metin2.bin"=

"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

 

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/10/2010 13:29 28552]

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [6/11/2009 12:00 29808]

R2 AntiVirSchedulerService;Avira AntiVir Programador;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [30/8/2010 17:05 108289]

R2 WRConsumerService;Webroot Client Service;c:\arquivos de programas\Webroot\WebrootSecurity\WRConsumerService.exe [9/10/2010 14:04 1201640]

S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [1/4/2010 21:56 135664]

S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]

S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/5/2010 22:50 691696]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-04-02 00:56]

 

2010-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-04-02 00:56]

 

2010-10-11 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 18:07]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://search.localstrike.com.ar/

mStart Page = hxxp://search.localstrike.com.ar/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_USERS\S-1-5-21-725345543-1390067357-1801674531-1003\Software\G*e*n*i*e*"!\FM Genie Scout 10]

"GameDir"="c:\\Documents and Settings\\cliente\\Meus documentos\\Sports Interactive\\Football Manager 2010\\games"

"ShortlistDir"=""

"ScreenshotsDir"="c:\\Documents and Settings\\cliente\\Meus documentos\\Sports Interactive\\Football Manager 2010"

"SaveDir"="c:\\Documents and Settings\\cliente\\Meus documentos\\Sports Interactive\\Football Manager 2010\\"

"HistoryDir"="c:\\Documents and Settings\\cliente\\Meus documentos\\Downloads\\FM Genie Scout 10\\History Points"

"LangDB"="c:\\Documents and Settings\\cliente\\Meus documentos\\Downloads\\Football Manager 2010\\data\\db\\1000\\lang_db.dat"

"LastSaveGame"="c:\\Documents and Settings\\cliente\\Meus documentos\\Sports Interactive\\Football Manager 2010\\games\\Sem Título (v02).fm"

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="Steklo Black"

"LastUpdateCheck"=dword:00000000

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"Version"=dword:0000006e

"UniqueID"="E4-8B00-E4DF"

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(756)

c:\windows\system32\Ati2evxx.dll

.

Tempo para conclusão: 2010-10-11 16:03:21

ComboFix-quarantined-files.txt 2010-10-11 19:03

 

Pré-execução: 9 pasta(s) 231.730.651.136 bytes disponíveis

Pós execução: 12 pasta(s) 231.789.395.968 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

- - End Of File - - 7BFD4DD9AB797BBB5989248E256E55A1

 

 

 

 

 

eis o 1º e este o 2º \/ :

 

 

 

 

 

ComboFix 10-10-11.01 - cliente 11/10/2010 16:14:09.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2047.1529 [GMT -3:00]

Executando de: c:\documents and settings\cliente\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

.

 

(((((((((((((((( Arquivos/Ficheiros criados de 2010-09-11 to 2010-10-11 ))))))))))))))))))))))))))))

.

 

2010-10-11 01:40 . 2010-10-11 01:40 -------- d-----w- c:\arquivos de programas\MSXML 4.0

2010-10-10 21:34 . 2010-10-10 21:35 -------- d-----w- C:\Nova pasta

2010-10-10 21:06 . 2010-10-10 21:30 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2010-10-10 21:06 . 2010-10-10 21:08 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy

2010-10-10 16:55 . 2010-10-10 16:55 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\IObit

2010-10-10 16:55 . 2010-10-10 16:55 -------- d-----w- c:\arquivos de programas\IObit

2010-10-10 16:29 . 2009-06-30 13:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-10-10 16:29 . 2010-10-10 16:29 -------- d-----w- c:\arquivos de programas\Panda Security

2010-10-09 17:03 . 2010-10-09 17:03 -------- d-----w- c:\arquivos de programas\MSSOAP

2010-10-09 17:03 . 2010-10-09 17:09 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Webroot

2010-10-09 17:03 . 2010-10-09 17:03 -------- d-----w- c:\documents and settings\cliente\Dados de aplicativos\Webroot

2010-10-09 17:03 . 2010-10-09 17:03 -------- d-----w- c:\arquivos de programas\Webroot

2010-10-09 17:03 . 2009-11-06 18:19 1563008 ----a-w- c:\windows\WRSetup.dll

2010-09-29 21:58 . 2010-10-10 23:03 -------- d-----w- c:\arquivos de programas\Tibia8.6

2010-09-28 21:47 . 2010-10-01 01:37 -------- d-----w- c:\documents and settings\cliente\Dados de aplicativos\Tibia

2010-09-28 21:43 . 2010-09-28 21:43 -------- d-----w- c:\arquivos de programas\Asprate

2010-09-28 21:39 . 2010-09-28 21:39 45056 ----a-w- c:\windows\Ip Changer Updater.exe

2010-09-28 21:39 . 2010-09-28 21:39 323584 ----a-w- c:\windows\Tibia MULTI-ip changer.exe

2010-09-28 21:38 . 2010-09-28 21:38 -------- d-----w- c:\windows\Language

2010-09-28 21:38 . 2010-09-23 04:49 489223 ----a-w- c:\windows\windate.exe

2010-09-28 21:38 . 2010-08-24 19:18 105760 ----a-w- c:\windows\os4.exe

2010-09-28 21:38 . 2009-11-26 00:47 315392 ----a-w- c:\windows\ipchanger.exe

2010-09-28 21:38 . 2009-02-26 15:46 176128 ----a-w- c:\windows\libcurl.dll

2010-09-28 21:38 . 2009-02-26 15:45 59904 ----a-w- c:\windows\zlib1.dll

2010-09-28 21:38 . 2004-03-10 09:45 152848 ----a-w- c:\windows\comdlg32.ocx

2010-09-28 21:38 . 2010-09-28 21:38 -------- d-----w- c:\arquivos de programas\Tibia8.54

2010-09-27 04:29 . 2010-09-27 04:29 -------- d-----w- c:\arquivos de programas\MSECache

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

 

------- Sigcheck -------

 

[7] 2008-04-14 12:00 . 60103CA5992F18B1EEF8D4511318C4B3 . 52736 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll

[-] 2006-10-19 00:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[-] 2006-10-19 00:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-10-11_19.02.15 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-10-11 19:12 . 2010-10-11 19:12 16384 c:\windows\Temp\Perflib_Perfdata_8bc.dat

+ 2010-10-11 19:12 . 2010-10-11 19:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2010-03-31 21:59 . 2010-10-11 16:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-03-31 21:59 . 2010-10-11 19:12 32768 c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

- 2010-03-31 21:59 . 2010-10-11 16:34 32768 c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

+ 2010-03-31 21:59 . 2010-10-11 19:12 32768 c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

- 2010-03-31 21:59 . 2010-10-11 16:34 32768 c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{9b339f6e-ddcd-401b-8764-230adbd01761}"= "c:\arquivos de programas\Messenger_Plus_Live\tbMes0.dll" [2010-10-04 2735200]

 

[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b339f6e-ddcd-401b-8764-230adbd01761}]

2010-10-04 17:38 2735200 ----a-w- c:\arquivos de programas\Messenger_Plus_Live\tbMes0.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{9b339f6e-ddcd-401b-8764-230adbd01761}"= "c:\arquivos de programas\Messenger_Plus_Live\tbMes0.dll" [2010-10-04 2735200]

 

[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{9B339F6E-DDCD-401B-8764-230ADBD01761}"= "c:\arquivos de programas\Messenger_Plus_Live\tbMes0.dll" [2010-10-04 2735200]

 

[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]

"DAEMON Tools Lite"="c:\arquivos de programas\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-31 39408]

"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"sXe Injected"="c:\arquivos de programas\sXe Injected\sXe Injected.exe" [2010-10-03 1867776]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SpySweeper"="c:\arquivos de programas\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\

windate.exe [2010-9-28 489223]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

2009-03-02 16:08 209153 ----a-w- c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2007-01-15 19:14 147456 ----a-w- c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-04-02 00:53 136176 ----atw- c:\documents and settings\cliente\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2008-09-16 06:01 178712 ----a-r- c:\windows\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2008-09-16 06:02 150040 ----a-r- c:\windows\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 19:44 3883840 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 18:40 155648 ----a-w- c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2008-09-16 06:02 150040 ----a-r- c:\windows\system32\igfxpers.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-10-28 09:18 17331200 ----a-w- c:\windows\RTHDCPL.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2009-11-25 00:24 98304 ----a-w- c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 14:43 248040 ----a-w- c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2010-03-31 22:22 39408 ----a-w- c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"c:\\Arquivos de programas\\Valve\\hl.exe"=

"c:\\Arquivos de programas\\ONGAME\\Metin2\\metin2.bin"=

"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

 

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/10/2010 13:29 28552]

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [6/11/2009 12:00 29808]

R2 AntiVirSchedulerService;Avira AntiVir Programador;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [30/8/2010 17:05 108289]

R2 WRConsumerService;Webroot Client Service;c:\arquivos de programas\Webroot\WebrootSecurity\WRConsumerService.exe [9/10/2010 14:04 1201640]

S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [1/4/2010 21:56 135664]

S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]

S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/5/2010 22:50 691696]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-04-02 00:56]

 

2010-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-04-02 00:56]

 

2010-10-11 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 18:07]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://search.localstrike.com.ar/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://search.localstrike.com.ar/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_USERS\S-1-5-21-725345543-1390067357-1801674531-1003\Software\G*e*n*i*e*"!\FM Genie Scout 10]

"GameDir"="c:\\Documents and Settings\\cliente\\Meus documentos\\Sports Interactive\\Football Manager 2010\\games"

"ShortlistDir"=""

"ScreenshotsDir"="c:\\Documents and Settings\\cliente\\Meus documentos\\Sports Interactive\\Football Manager 2010"

"SaveDir"="c:\\Documents and Settings\\cliente\\Meus documentos\\Sports Interactive\\Football Manager 2010\\"

"HistoryDir"="c:\\Documents and Settings\\cliente\\Meus documentos\\Downloads\\FM Genie Scout 10\\History Points"

"LangDB"="c:\\Documents and Settings\\cliente\\Meus documentos\\Downloads\\Football Manager 2010\\data\\db\\1000\\lang_db.dat"

"LastSaveGame"="c:\\Documents and Settings\\cliente\\Meus documentos\\Sports Interactive\\Football Manager 2010\\games\\Sem Título (v02).fm"

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="Steklo Black"

"LastUpdateCheck"=dword:00000000

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"Version"=dword:0000006e

"UniqueID"="E4-8B00-E4DF"

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(756)

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(2512)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Tempo para conclusão: 2010-10-11 16:18:12

ComboFix-quarantined-files.txt 2010-10-11 19:18

ComboFix2.txt 2010-10-11 19:03

 

Pré-execução: 11 pasta(s) 231.745.581.056 bytes disponíveis

Pós execução: 12 pasta(s) 231.729.889.280 bytes disponíveis

 

- - End Of File - - 46104E1DC52B08F846417422C30D177D

 

 

 

Obrigado

[wings 22]

*Abra o bloco de notas e cole nele o código abaixo:

 

File::

c:\windows\windate.exe

c:\windows\os4.exe

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\

windate.exe

*Salve o arquivo no desktop como CFScript.txt

*Arraste o arquivo para o Combofix conforme ilustração abaixo:

 

 

*Importante: enquanto o combofix estiver em execução, evite usar o mouse e o teclado!!..para interromper o processo tecle N ou 2.

 

*Cole o relatório C:\combofix.txt

[Crepo Nalin 0]

O pc simplesmente reinicia ao final do processo do combofix e não gera nenhum log, e o arquivo CFScript.txt some da área de trabalho quando o pc carrega de novo.

[wings 22]

Olá Crepo Nalin

 

1.

*Clique em [iniciar] > [Executar] > copie e cole: Combofix /uninstall

 

 

*Clique [OK] > [Executar]

*Aguarde surgir a mensagem: "ComboFix está desinstalado"

*Clique [OK]

 

2.

*Baixe o SystemLook e salve-o no desktop

*Execute o SystemLook

*Cole o código no espaço em branco:

:file

c:\windows\windate.exe

c:\windows\os4.exe

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\

windate.exe

*Clique [Look]

*Cole o relatório SystemLook.txt localizado no desktop

[Crepo Nalin 0]

Olá wings

 

Eis o relatório:

 

 

SystemLook 04.09.10 by jpshortstuff

Log created at 18:17 on 18/10/2010 by cliente

Administrator - Elevation successful

 

========== file ==========

 

c:\windows\windate.exe - File found and opened.

MD5: 995E1309451791609A5AE85A11FFB793

Created at 21:38 on 28/09/2010

Modified at 04:49 on 23/09/2010

Size: 489223 bytes

Attributes: --a----

No version information available.

 

c:\windows\os4.exe - File found and opened.

MD5: F0991F13828CABEA35F9D08AA2BA105C

Created at 21:38 on 28/09/2010

Modified at 19:18 on 24/08/2010

Size: 105760 bytes

Attributes: --a----

No version information available.

 

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\ - Unable to find/read file.

 

windate.exe - Unable to find/read file.

 

-= EOF =-

[wings 22]

*Baixe o Avenger e salve-o no desktop

*Extraia para o desktop

*Selecione e copie (Ctrl+c) o código:

Files to delete:

c:\windows\windate.exe

c:\windows\os4.exe

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\

windate.exe

*Execute o Avenger

*Clique [Load Script] > [Paste from Clipboard]

*Clique [Execute] > [OK]

*O PC será reiniciado

*Cole o relatório C:\avenger.txt

[Crepo Nalin 0]

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

File "c:\windows\windate.exe" deleted successfully.

File "c:\windows\os4.exe" deleted successfully.

 

Error: "c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\" is a folder, not a file!

Deletion of file "c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\" failed!

Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)

--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

 

 

Error: file "windate.exe" not found!

Deletion of file "windate.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

[wings 22]

Olá Crepo Nalin

 

Observe que quando eu peço para selecionar algo, é para clicar com o botão esquerdo do mouse e arrastar. O que aconteceu é que você escreveu dois distintos. Uma pasta e um arquivo.

 

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\

e

windate.exe

 

O que está abaixo é um único caminho:

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\

windate.exe

 

Por favor...novo log do hijack

[Crepo Nalin 0]

Ah sim, desculpe-me pelo erro, nem percebi na hora, apenas copiei e colei

 

Aqui está o log novo:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 22:43:26, on 20/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Arquivos de programas\Webroot\WebrootSecurity\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeperUI.exe

C:\Arquivos de programas\DAEMON Tools Lite\DTLite.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Samsung\Samsung New PC Studio\NPSAgent.exe

C:\Documents and Settings\cliente\Menu Iniciar\Programas\Inicializar\windate.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeper.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Nova pasta\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.minilua.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.localstrike.com.ar/

R3 - URLSearchHook: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sXe Injected] C:\Arquivos de programas\sXe Injected\sXe Injected.exe

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [swg] "C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [AutoStartNPSAgent] "C:\Arquivos de programas\Samsung\Samsung New PC Studio\NPSAgent.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: windate.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Programador (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\WebrootSecurity\WRConsumerService.exe

 

--

End of file - 8983 bytes

[wings 22]

Olá Crepo Nalin

 

1.

*Execute o hijack, clique em [Do a system scan only], selecione a entrada abaixo e clique em [Fix checked]

 

O4 - Startup: windate.exe

*Feche o hijack

 

2.

*Selecione e copie o código:

 

Files to delete:

c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\windate.exe

*Execute o Avenger

*Clique [Load Script] > [Paste from Clipboard]

*Clique [Execute] > [OK]

*O PC será reiniciado

*Cole o relatório C:\avenger.txt e novo log do hijack

[Crepo Nalin 0]

Aqui está o log do Avenger:

 

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

 

Error: file "c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\windate.exe" not found!

Deletion of file "c:\documents and settings\cliente\Menu Iniciar\Programas\Inicializar\windate.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

 

E aqui o log do hijackthis:

 

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 19:01:46, on 21/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Arquivos de programas\Webroot\WebrootSecurity\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeperUI.exe

C:\Arquivos de programas\DAEMON Tools Lite\DTLite.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Samsung\Samsung New PC Studio\NPSAgent.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Nova pasta\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.minilua.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.localstrike.com.ar/

R3 - URLSearchHook: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Arquivos de programas\Messenger_Plus_Live\tbMes0.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sXe Injected] C:\Arquivos de programas\sXe Injected\sXe Injected.exe

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [swg] "C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [AutoStartNPSAgent] "C:\Arquivos de programas\Samsung\Samsung New PC Studio\NPSAgent.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Programador (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Arquivos de programas\Webroot\WebrootSecurity\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\WebrootSecurity\WRConsumerService.exe

 

--

End of file - 8817 bytes

 

 

Obrigado :)

[wings 22]

Olá Crepo Nalin

 

O PC está limpo....:)

 

1.

*Delete o Avenger, a pasta C:\avenger e o arquivo C:\avenger.txt

 

2.

*Baixe e instale o CCleaner

*Clique [Executar Limpeza]

*Clique [Registro] > [Procurar erros] > [Corrigir Erros Selecionados] > [Corrigir Todos os Erros Selecionados]

 

Um abraço.

[Crepo Nalin 0]

Feito!

 

Obrigado :)

 

Um abraço

[wings 22]

PROBLEMA RESOLVIDO

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.