[Arquivado] &nbspVirus

learner27 · Outubro 19, 2010

Prezados, boa noite.

Minha máquina começou de dois dias para cá a reiniciar sozinha e o antivírus tem detectado alguns vírus, porem não tem conseguido excluir. A máquina esta super lenta e já não sei mais o que fazer, por isso recorro a ajuda de vcs.

Obrigada.

Segue o log do hijackthis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:07:44, on 18/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\CrossLoop\CrossLoopService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\borland\interbase\bin\ibguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Softwin\BitDefender10\bdmcon.exe

C:\Arquivos de programas\Softwin\BitDefender10\bdagent.exe

C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Scan Server\bdss.exe

C:\windows\system32\wuaucldt.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Update Service\livesrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\garihewil.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe

C:\Arquivos de programas\Google\Chrome\Application\chrome.exe

C:\Arquivos de programas\Softwin\BitDefender10\vsserv.exe

C:\Arquivos de programas\borland\interbase\bin\ibserver.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\User\Desktop\HiJackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://search.condui...&ctid=CT2269050

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: (no name) - {edbca961-4bf8-4cbe-8c63-a11dff9ed2d9} - (no file)

R3 - URLSearchHook: (no name) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de

programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer -

{3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de

aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de

programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de

programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de

programas\GbPlugin\gbiehCef.dll

O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} -

C:\ARQUIV~1\GbPlugin\gbiehAbn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} -

C:\ARQUIV~1\GbPlugin\gbiehUni.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de

programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: (no name) - {edbca961-4bf8-4cbe-8c63-a11dff9ed2d9} - (no file)

O3 - Toolbar: (no name) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - (no file)

O4 - HKLM\..\Run: [bDMCon] "C:\Arquivos de programas\Softwin\BitDefender10\bdmcon.exe" /reg

O4 - HKLM\..\Run: [bDAgent] "C:\Arquivos de programas\Softwin\BitDefender10\bdagent.exe"

O4 - HKLM\..\Run: [Network] rundll32.exe shell32.dll,Control_RunDLL network.cpl

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader

8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKLM\..\Run: [wuaucldt] c:\windows\system32\wuaucldt.exe

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - HKLM\..\Run: [fouwopa] C:\WINDOWS\system32\garihewil.exe

O4 - HKLM\..\RunServices: [fouwopa] C:\WINDOWS\system32\garihewil.exe

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ccleaner] "C:\Arquivos de programas\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [wuaucldt] c:\documents and settings\user\wuaucldt.exe

O4 - HKCU\..\Run: [MSConfig] C:\Documents and Settings\User\ocpy.exe \u

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [Magnify] Magnify.exe (User 'Default user')

O4 - Startup: 0jo3k5q.exe

O4 - Startup: 71lvrmn.exe

O4 - Startup: 970qqwb.exe

O4 - Startup: kql081sd.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de

programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de

programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de

programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer -

{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows

Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de

programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de

programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://www.bancoreal.com.br

O15 - Trusted Zone: http://www.santander.com.br

O17 - HKLM\System\CCS\Services\Tcpip\..\{A63F7ADB-89D7-472E-9494-8E0D1E26F4F0}: NameServer =

208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll

O20 - Winlogon Notify: GbPluginUni - C:\ARQUIV~1\GbPlugin\gbiehUni.dll

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos

comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Backbone Service (ay6e1yzauiojyo) - Unknown owner - C:\WINDOWS\system32\ludutidoow.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Arquivos de programas\Arquivos

comuns\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Serviço do Bonjour (Bonjour Service) - Apple Inc. - C:\Arquivos de

programas\Bonjour\mDNSResponder.exe

O23 - Service: CrossLoop Service (CrossLoopService) - CrossLoop Inc - C:\Documents and

Settings\User\Configurações locais\Dados de aplicativos\CrossLoop\CrossLoopService.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de

programas\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de

programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Arquivos de

programas\borland\interbase\bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Arquivos de

programas\borland\interbase\bin\ibserver.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: KMDP - Unknown owner - C:\DOCUME~1\User\CONFIG~1\Temp\KMDP.exe (file missing)

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Arquivos de

programas\Arquivos comuns\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Arquivos de

programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de

programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Arquivos de programas\Arquivos

comuns\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: uvnc_service - UltraVNC - C:\Documents and Settings\User\Configurações locais\Dados de

aplicativos\CrossLoop\winvnc.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Arquivos de

programas\Softwin\BitDefender10\vsserv.exe

O23 - Service: Atualizações Automáticas (wuauserv) - Unknown owner - C:\WINDOWS\

O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Arquivos de programas\Arquivos

comuns\Softwin\BitDefender Communicator\xcommsvr.exe

--

End of file - 12602 bytes

Power Max · Outubro 19, 2010

:) Olá learner27!

:seta: Sugiro que você salve ou imprima essas instruções abaixo, pois em alguns momentos você poderá precisar usar o computador sem o acesso à internet:

Faça o download do ComboFix

Salve-o no Desktop (área de trabalho).

* Desabilite as proteções residente de: antivírus, antispywares e firewall ( menos o do Windows! )

* Feche todas as janelas e execute a ferramenta.

* Ps: A execução, por comando, também é possível:

* Vá em Iniciar --> Executar --> Digite ou cole:

"%userprofile%\desktop\Combofix.exe" /killall

* Clique em Ok.

* Na solicitação: "Negação de garantia de software" --> Clique em Sim.

* Não possuindo o "'>http://support.microsoft.com/kb/307654/pt-br"]Console de Recuperação",aceite optar pela instalação do mesmo.

* Terminando,clique Sim ou Yes. --> Aguarde.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

:!: Caso aconteça a notificação de: Aplicativo Win32 inválido ou alguma mensagem parecida com esta, delete a ferramenta ComboFix.exe e faça, novamente, seu download.

* Salve-a no Desktop,renomeada como: Kombo.exe

* Ps: Nomeie durante o salvamento,e não após salvá-la!

* Ps: Surgindo alguma mensagem de erro, rode o ComboFix.exe em "'>http://dicasetutoriaisparapc.blogspot.com/2009/11/ferramentas-para-reparar-o-modo-seguro.html"]Modo Seguro". <-- Link!

* Ps: Na presença de atividades rootkit,teremos a seguinte janela de notificação:

* Ps: Anote essas detecções, e dê o OK. Neste caso poste estas detecções que você terá anotado em sua próxima resposta juntamente com os logs pedidos.

* Ps: Para completar as remoções, talvez haja necessidade da ferramenta reiniciar o computador. <-- Aguarde!

* Ps: Para evitar problemas, siga todas as recomendações propostas.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

* Abrir-se-á a janela Auto Scan. --> Aguarde!

* Para finalizar remoções, o ComboFix poderá reiniciar o computador.

* Se houver necessidade, digite a opção ( 1 ) --> Aperte Enter! --> Aguarde a conclusão!

* Durante o scan, evite manusear o mouse ou teclado! <-- Importante!

* Caso, por algum motivo de força maior, precise parar ou sair do ComboFix,tecle "N" ou "2" --> Aperte Enter.

<><><><><><><><><><><><>

O log do Combofix estará em C:\ComboFix.txt

__________________________

:seta: Siga também as dicas deste tutorial para fazer uma limpeza de seu PC com o Malwarebytes:

'>http://dicasetutoriaisparapc.blogspot.com/2009/10/tutorial-do-malwarebytes-anti-malware.html"]Tutorial do Malwarebytes Anti-Malware

Na sua próxima resposta poste este log do Malwarebytes juntamente com um novo log do Hijackthis e o log do Combofix que estará em C:\ComboFix.txt e nos diga como está o seu PC após estes procedimentos.

Ficamos no aguardo.

learner27 · Outubro 20, 2010

Boa Noite Antonio,

Obrigada pelas orientações.

O ComboFix detectou rootkit e reiniciou a maquina. Não demonstrou nenhum nome. Ao final informou: C:\windows\system32\driver\ndis.sy.

Seguem os relatórios:

ComboFix:

ComboFix 10-10-18.06 - User 19/10/2010 22:07:23.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.959.396 [GMT -2:00]

Executando de: c:\documents and settings\User\Desktop\ComboFix.exe

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

AV: ESET NOD32 sistema antivírus 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

ADS - drivers: deleted 408 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Execuções precedente -------

.

c:\arquivos de programas\Crack

c:\arquivos de programas\Crack\aw.dat

c:\arquivos de programas\Crack\awcloth.dat

c:\arquivos de programas\Crack\awkeygen.exe

c:\arquivos de programas\Crack\install.txt

c:\documents and settings\All Users\Dados de aplicativos\common.data

c:\documents and settings\All Users\Dados de aplicativos\hpe352.dll

c:\documents and settings\User\Dados de aplicativos\AD ON Multimedia

c:\documents and settings\User\Dados de aplicativos\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe

c:\documents and settings\User\Dados de aplicativos\Desktopicon

c:\documents and settings\User\Dados de aplicativos\Desktopicon\eBayShortcuts.exe

c:\documents and settings\User\Dados de aplicativos\Desktopicon\mc.ico

c:\documents and settings\User\Dados de aplicativos\inst.exe

c:\documents and settings\User\Dados de aplicativos\juzjf.exe

c:\documents and settings\User\Dados de aplicativos\PriceGong

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\1.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\a.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\b.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\c.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\d.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\e.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\f.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\g.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\h.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\i.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\J.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\k.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\l.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\m.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\n.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\o.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\p.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\q.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\r.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\s.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\t.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\u.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\v.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\w.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\x.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\y.xml

c:\documents and settings\User\Dados de aplicativos\PriceGong\Data\z.xml

c:\documents and settings\User\Dados de aplicativos\wiaserva.log

c:\documents and settings\User\vxljahv.exe

c:\documents and settings\User\yjhck.exe

c:\windows\Fonts\I2of5nt.ttf

c:\windows\My.ini

c:\windows\recover.reg

c:\windows\ST6UNST.000

c:\windows\system32\aviso.bak

c:\windows\system32\Cache

c:\windows\system32\Thumbs.db

c:\windows\system32\UpMedia

c:\windows\system32\vbzlib1.dll

c:\windows\system32\winsys.txt

c:\windows\system32\wuaucldt.exe

-- Execuções precedente --

c:\windows\system32\Drivers\zikmbkgj.sys . . . está infectado!! . . . Failed to find a valid replacement.

A cópia de c:\windows\system32\drivers\cdrom.sys foi encontrada e desinfectada

Cópia restaurada de - c:\windows\ServicePackFiles\i386\cdrom.sys

--------

A cópia de c:\windows\system32\drivers\ndis.sys foi encontrada e desinfectada

Cópia restaurada de - c:\windows\ServicePackFiles\i386\ndis.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_zikmbkgj

-------\Service_zikmbkgj

(((((((((((((((( Arquivos/Ficheiros criados de 2010-09-20 to 2010-10-20 ))))))))))))))))))))))))))))

.

2010-10-20 00:17 . 2010-10-20 00:17 -------- d-----w- c:\windows\LastGood

2010-10-19 01:34 . 2009-06-30 12:37 28552 -c--a-w- c:\windows\system32\drivers\pavboot.sys

2010-10-19 01:33 . 2010-10-19 01:33 -------- d-----w- c:\arquivos de programas\Panda Security

2010-10-18 17:26 . 2010-10-18 17:55 -------- dc----w- C:\LG3G

2010-10-13 14:59 . 2010-10-13 14:59 30720 ----a-w- c:\windows\system32\wkrnovva.exe

2010-10-03 23:31 . 2010-10-03 23:31 -------- d-----w- c:\arquivos de programas\Justiça Eleitoral

2010-09-30 00:15 . 2010-09-30 00:15 -------- d-----w- c:\documents and settings\User\Dados de aplicativos\Octoshape

2010-09-23 17:42 . 2010-09-23 17:42 95672 ----a-w- c:\arquivos de programas\Mozilla Firefox\plugins\nppdf32.dll

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2009-12-12 40960]

"ccleaner"="c:\arquivos de programas\CCleaner\CCleaner.exe" [2009-12-21 1803064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Network"="shell32.dll" [2008-06-17 8491008]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\arquivos de programas\iTunes\iTunesHelper.exe" [2010-07-16 141608]

"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Magnify"="Magnify.exe" [2008-04-14 72192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\arquivos de programas\GbPlugin\gbiehcef.dll" [2010-06-09 329768]

"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\arquiv~1\GbPlugin\gbiehUni.dll" [2010-06-08 337384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]

2010-08-12 12:28 331304 ----a-w- c:\arquiv~1\GbPlugin\gbiehAbn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]

2010-06-09 15:03 329768 ----a-w- c:\arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni]

2010-06-08 22:53 337384 ----a-w- c:\arquiv~1\GbPlugin\gbiehUni.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^0jo3k5q.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\0jo3k5q.exe

backup=c:\windows\pss\0jo3k5q.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^1i3upv2.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\1i3upv2.exe

backup=c:\windows\pss\1i3upv2.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^1ijo870.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\1ijo870.exe

backup=c:\windows\pss\1ijo870.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^6c81zuv.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\6c81zuv.exe

backup=c:\windows\pss\6c81zuv.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^703e1ab.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\703e1ab.exe

backup=c:\windows\pss\703e1ab.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^71lvrmn.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\71lvrmn.exe

backup=c:\windows\pss\71lvrmn.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^970qqwb.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\970qqwb.exe

backup=c:\windows\pss\970qqwb.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^dtuplw1m.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\dtuplw1m.exe

backup=c:\windows\pss\dtuplw1m.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^fl66c3y0.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\fl66c3y0.exe

backup=c:\windows\pss\fl66c3y0.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^hm86y8fkvl.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\hm86y8fkvl.exe

backup=c:\windows\pss\hm86y8fkvl.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^kql081sd.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\kql081sd.exe

backup=c:\windows\pss\kql081sd.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^setup_9.0.0.722_06.05.2010_03-24.lnk]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\setup_9.0.0.722_06.05.2010_03-24.lnk

backup=c:\windows\pss\setup_9.0.0.722_06.05.2010_03-24.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Iniciar^Programas^Inicializar^wrx66o3k1g.exe]

path=c:\documents and settings\User\Menu Iniciar\Programas\Inicializar\wrx66o3k1g.exe

backup=c:\windows\pss\wrx66o3k1g.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]

2007-03-26 17:49 69632 ----a-w- c:\arquivos de programas\Softwin\BitDefender10\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]

2007-04-02 18:48 290816 ----a-w- c:\arquivos de programas\Softwin\BitDefender10\bdmcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 02:20 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-16 10:41 141608 ----a-w- c:\arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2006-12-06 01:55 54832 -c----w- c:\arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]

2009-11-29 15:49 557056 -c--a-w- c:\arquivos de programas\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-19 01:16 421888 ----a-w- c:\arquivos de programas\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2006-11-23 18:10 56928 -c----w- c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVTray]

2007-04-24 16:27 749568 -c--a-w- c:\arquiv~1\ENCORE\TVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WaitableTimer.exe]

2005-04-21 16:10 20480 -c--a-w- c:\arquivos de programas\ENCORE\WaitableTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Arquivos comuns\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Java\\jre1.6.0_07\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\eMule\\emule.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Arquivos de programas\\WinRAR\\WinRAR.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

"c:\\Arquivos de programas\\UltraVNC\\winvnc.exe"=

"c:\\Arquivos de programas\\UltraVNC\\vncviewer.exe"=

"c:\\Documents and Settings\\User\\Configurações locais\\Dados de aplicativos\\CrossLoop\\vncviewer.exe"=

"c:\\Documents and Settings\\User\\Configurações locais\\Dados de aplicativos\\CrossLoop\\CrossLoopConnect.exe"=

"c:\\Arquivos de programas\\Real\\RealPlayer\\realplay.exe"=

"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"c:\\Arquivos de programas\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Arquivos de programas\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\TeamViewer\\Version5\\TeamViewer.exe"=

"c:\\Arquivos de programas\\TeamViewer\\Version5\\TeamViewer_Service.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"86:TCP"= 86:TCP:BroadCam Web Server

"5900:TCP"= 5900:TCP:vnc5900

"5800:TCP"= 5800:TCP:vnc5800

"5910:TCP"= 5910:TCP:vnc5910

"1037:TCP"= 1037:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 34776722;34776722 Boot Guard Driver;c:\windows\system32\drivers\34776722.sys [5/5/2010 22:00 37392]

R0 53195562;53195562 Boot Guard Driver;c:\windows\system32\drivers\53195562.sys [7/5/2010 21:49 37392]

R0 72655212;72655212 Boot Guard Driver;c:\windows\system32\drivers\72655212.sys [6/5/2010 21:38 37392]

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [26/3/2009 23:16 45800]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [18/10/2010 23:34 28552]

R1 34776721;34776721;c:\windows\system32\drivers\34776721.sys [5/5/2010 22:00 128016]

R1 53195561;53195561;c:\windows\system32\drivers\53195561.sys [7/5/2010 21:49 128016]

R1 72655211;72655211;c:\windows\system32\drivers\72655211.sys [6/5/2010 21:38 128016]

R1 setup_9.0.0.722_06.05.2010_03-24drv;setup_9.0.0.722_06.05.2010_03-24drv;c:\windows\system32\drivers\5319556.sys [7/5/2010 21:49 315408]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/8/2004 01:45 14336]

R2 CrossLoopService;CrossLoop Service;c:\documents and settings\User\Configurações locais\Dados de aplicativos\CrossLoop\CrossLoopService.exe [1/3/2010 15:57 560792]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [26/3/2009 23:16 55400]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [16/11/2009 14:33 50704]

R2 OMSI download service;Sony Ericsson OMSI download service;c:\arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [9/9/2010 00:00 90112]

R3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [5/12/2007 13:45 554112]

R3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [29/5/2007 13:30 508160]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [9/9/2010 00:03 27632]

S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [8/5/2010 14:01 136176]

S3 DirectNT;DirectNT;\??\c:\documents and settings\User\Desktop\cpu test\DirectNT.sys --> c:\documents and settings\User\Desktop\cpu test\DirectNT.sys [?]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [29/12/2008 09:09 13224]

S3 KMDP;KMDP;c:\docume~1\User\CONFIG~1\Temp\KMDP.exe --> c:\docume~1\User\CONFIG~1\Temp\KMDP.exe [?]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [26/12/2009 22:42 9472]

S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [25/7/2009 14:21 86824]

S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [25/7/2009 14:21 15016]

S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [25/7/2009 14:21 114600]

S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [25/7/2009 14:21 108328]

S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [25/7/2009 14:21 26024]

S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [25/7/2009 14:21 104616]

S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [25/7/2009 14:21 109736]

S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [25/7/2009 14:21 83496]

S3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\drivers\s916mdfl.sys [25/7/2009 14:21 15016]

S3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\drivers\s916mdm.sys [25/7/2009 14:21 109992]

S3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s916mgmt.sys [25/7/2009 14:21 103976]

S3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;c:\windows\system32\drivers\s916obex.sys [25/7/2009 14:21 100008]

S3 utexnjq5;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utexnjq5.sys --> c:\windows\system32\Drivers\utexnjq5.sys [?]

S3 uvnc_service;uvnc_service;c:\documents and settings\User\Configurações locais\Dados de aplicativos\CrossLoop\winvnc.exe [1/3/2010 15:57 1590216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Conteúdo da pasta 'Tarefas Agendadas'

2010-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2009-10-22 14:50]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-05-08 16:01]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-05-08 16:01]

2010-10-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1085031214-573735546-682003330-1003.job

- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1085031214-573735546-682003330-1003.job

- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

2010-10-20 c:\windows\Tasks\User_Feed_Synchronization-{4542F54C-4300-45CD-B031-6CC7A523169D}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 13:58]

2010-10-20 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-19 01:18]

.

------- Scan Suplementar -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050

mStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

Trusted Zone: avon.com.br\www

Trusted Zone: bancoreal.com.br\www

Trusted Zone: blogger.com\www

Trusted Zone: blogspot.com\nilldomingos

Trusted Zone: google.com.br\www

Trusted Zone: ig.com.br\www

Trusted Zone: natura.net\www

Trusted Zone: realsecureweb.com.br\www

Trusted Zone: realsecureweb.com.br\www2

Trusted Zone: realsecureweb.com.br\wwws

Trusted Zone: santander.com.br\www

Trusted Zone: santandernet.com.br\www

Trusted Zone: secureweb.com.br\www

Trusted Zone: uol.com.br\www

TCP: {A63F7ADB-89D7-472E-9494-8E0D1E26F4F0} = 208.67.220.220,208.67.222.222

FF - ProfilePath - c:\documents and settings\User\Dados de aplicativos\Mozilla\Firefox\Profiles\d60paaau.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\User\Dados de aplicativos\Mozilla\Firefox\Profiles\d60paaau.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\arquivos de programas\Arquivos comuns\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\arquivos de programas\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\documents and settings\User\Dados de aplicativos\Mozilla\Firefox\Profiles\d60paaau.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.blink_allowed - true

FF - user.js: browser.xul.error_pages.enabled - false

FF - user.js: browser.urlbar.autoFill - true

FF - user.js: browser.urlbar.hideGoButton - false

FF - user.js: browser.cache.disk_cache_ssl - false

FF - user.js: config.trim_on_minimize - false

FF - user.js: ui.submenuDelay - 65000

FF - user.js: firefox.booster.misctweak - 1:0:1:0:0:0:65000

FF - user.js: firefox.booster.speedmode - 0c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORFÃOS REMOVIDOS - - - -

URLSearchHooks-{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9} - (no file)

URLSearchHooks-{872b5b88-9db5-4310-bdd0-ac189557e5f5} - (no file)

Toolbar-{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9} - (no file)

Toolbar-{872b5b88-9db5-4310-bdd0-ac189557e5f5} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{EDBCA961-4BF8-4CBE-8C63-A11DFF9ED2D9} - (no file)

WebBrowser-{872B5B88-9DB5-4310-BDD0-AC189557E5F5} - (no file)

HKCU-Run-wuaucldt - c:\documents and settings\user\wuaucldt.exe

SafeBoot-zikmbkgj.sys

MSConfigStartUp-AppleSyncNotifier - c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

MSConfigStartUp-BlackBerryAutoUpdate - c:\arquivos de programas\Arquivos comuns\Research In Motion\Auto Update\RIMAutoUpdate.exe

MSConfigStartUp-fouwopa - c:\windows\system32\garihewil.exe

MSConfigStartUp-wuaucldt - c:\documents and settings\user\wuaucldt.exe

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-573735546-682003330-1003\Software\10Moons\þV * *Gr * *Om * *È‰ * *hV *\Bars\Settings-Bar0]

"BarID"=dword:0000e81b

"Bars"=dword:00000003

"Bar#0"=dword:00000000

"Bar#1"=dword:0000e800

"Bar#2"=dword:00000000

[HKEY_USERS\S-1-5-21-1085031214-573735546-682003330-1003\Software\10Moons\þV * *Gr * *Om * *È‰ * *hV *\Bars\Settings-Bar1]

"BarID"=dword:0000e81c

"Bars"=dword:00000004

"Bar#0"=dword:00000000

"Bar#1"=dword:0000e807

"Bar#2"=dword:0000e806

"Bar#3"=dword:00000000

[HKEY_USERS\S-1-5-21-1085031214-573735546-682003330-1003\Software\10Moons\þV * *Gr * *Om * *È‰ * *hV *\Bars\Settings-Bar2]

"BarID"=dword:0000e800

"XPos"=dword:fffffffe

"YPos"=dword:fffffffe

"Docking"=dword:00000001

"MRUDockID"=dword:00000000

"MRUDockLeftPos"=dword:fffffffe

"MRUDockTopPos"=dword:fffffffe

"MRUDockRightPos"=dword:000001f5

"MRUDockBottomPos"=dword:00000036

"MRUFloatStyle"=dword:00002000

"MRUFloatXPos"=dword:80000000

"MRUFloatYPos"=dword:cdcdcdcd

[HKEY_USERS\S-1-5-21-1085031214-573735546-682003330-1003\Software\10Moons\þV * *Gr * *Om * *È‰ * *hV *\Bars\Settings-Bar3]

"BarID"=dword:0000e806

"XPos"=dword:fffffffe

"YPos"=dword:00000141

"Docking"=dword:00000001

"MRUDockID"=dword:0000e81c

"MRUDockLeftPos"=dword:fffffffe

"MRUDockTopPos"=dword:00000141

"MRUDockRightPos"=dword:000000c6

"MRUDockBottomPos"=dword:00000287

"MRUFloatStyle"=dword:00002004

"MRUFloatXPos"=dword:80000000

"MRUFloatYPos"=dword:cdcdcdcd

[HKEY_USERS\S-1-5-21-1085031214-573735546-682003330-1003\Software\10Moons\þV * *Gr * *Om * *È‰ * *hV *\Bars\Settings-Bar4]

"BarID"=dword:0000e807

"XPos"=dword:fffffffe

"YPos"=dword:fffffffe

"Docking"=dword:00000001

"MRUDockID"=dword:00000000

"MRUDockLeftPos"=dword:fffffffe

"MRUDockTopPos"=dword:fffffffe

"MRUDockRightPos"=dword:000000c6

"MRUDockBottomPos"=dword:00000143

"MRUFloatStyle"=dword:00002004

"MRUFloatXPos"=dword:80000000

"MRUFloatYPos"=dword:cdcdcdcd

[HKEY_USERS\S-1-5-21-1085031214-573735546-682003330-1003\Software\10Moons\þV * *Gr * *Om * *È‰ * *hV *\Bars\Settings-Summary]

"Bars"=dword:00000005

"ScreenCX"=dword:00000400

"ScreenCY"=dword:00000300

[HKEY_USERS\S-1-5-21-1085031214-573735546-682003330-1003\Software\10Moons\þV * *Gr * *Om * *È‰ * *hV *\Settings]

"FirstRun"=dword:00000000

"xScreen"=dword:00000400

"yScreen"=dword:000002c4

"lastDir"="c:\\WINNT\\"

"floats"="1.000000 0.500000 0.500000 120 120"

"skin"="ISR_10Moons.dll"

[HKEY_USERS\S-1-5-21-1085031214-573735546-682003330-1003\Software\10Moons\þV * *Gr * *Om * *È‰ * *hV *\WNDSTATUS]

"FLAG"=dword:00000000

"SHOWCMD"=dword:00000001

"LEFT"=dword:fffffffc

"TOP"=dword:fffffffc

"RIGHT"=dword:00000404

"BOTTOM"=dword:000002e2

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(716)

c:\arquiv~1\GbPlugin\gbiehAbn.dll

c:\arquivos de programas\GbPlugin\gbiehCef.dll

c:\arquiv~1\GbPlugin\gbiehUni.dll

- - - - - - - > 'explorer.exe'(1080)

c:\windows\system32\msi.dll

c:\arquiv~1\GbPlugin\gbiehUni.dll

c:\arquiv~1\GbPlugin\gbiehAbn.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\arquivos de programas\GbPlugin\gbiehCef.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\arquivos de programas\Bonjour\mDNSResponder.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\arquivos de programas\borland\interbase\bin\ibguard.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\HPZipm12.exe

c:\arquivos de programas\CyberLink\Shared Files\RichVideo.exe

c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\arquivos de programas\Arquivos comuns\Softwin\BitDefender Communicator\xcommsvr.exe

c:\arquivos de programas\Arquivos comuns\Softwin\BitDefender Update Service\livesrv.exe

c:\arquivos de programas\Windows Media Player\WMPNetwk.exe

c:\arquivos de programas\borland\interbase\bin\ibserver.exe

c:\arquivos de programas\Arquivos comuns\Softwin\BitDefender Scan Server\bdss.exe

c:\arquivos de programas\Softwin\BitDefender10\vsserv.exe

c:\arquivos de programas\iPod\bin\iPodService.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-10-19 22:53:14 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-10-20 00:53

Pré-execução: 11 pasta(s) 24.089.665.536 bytes disponíveis

Pós execução: 15 pasta(s) 23.926.165.504 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 2A3864D190FD63627463F8802C7F4682

Malwarebytes:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Versão da Base de Dados: 4887

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

19/10/2010 23:41:37

mbam-log-2010-10-19 (23-41-37).txt

Tipo de Verificação: Verificação Completa (C:\|)

Objetos escaneados: 248517

Tempo decorrido: 37 minuto(s), 22 segundo(s)

Processos de Memória Infectados: 0

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 14

Valores de Registro Infectados: 0

Itens de Dados no Registro Infectados: 0

Pastas Infectadas: 3

Arquivos Infectados: 29

Processos de Memória Infectados:

(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:

HKEY_CLASSES_ROOT\Interface\{2b8437ad-4e51-4dba-bd02-b80b4c048c83} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{7ab85ec7-22e7-4b5d-89da-a9ebd1af3520} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{fb35da3f-3ebd-4f8a-8b5f-521aba109398} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{86a44ef9-78fc-4e18-a564-b18f806f7f56} (Trojan.MultiDefender) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\findbasic (Adware.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{dabf362d-d442-4402-9208-ca9ed70dd01e} (Adware.Advantage) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{5ac3a9ef-c0f8-41d4-b4e2-b7cebb794151} (Adware.Advantage) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{862def42-89aa-49fa-ae1f-8a84b1b08a17} (Adware.Advantage) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f6e4845d-1d13-4bc0-942d-b9191524cc48} (Adware.Advantage) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{602d9049-b4ac-4a25-bf75-a9b54d747cba} (Adware.Advantage) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\advantage (Adware.Vomba) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Findbasic (Adware.FindBasic) -> Quarantined and deleted successfully.

Valores de Registro Infectados:

(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Infectados:

(Não foram detectados ítens maliciosos)

Pastas Infectadas:

C:\Documents and Settings\All Users\Dados de aplicativos\Findbasic (Adware.FindBasic) -> Quarantined and deleted successfully.

C:\Arquivos de programas\Advantage (Adware.Advantage) -> Quarantined and deleted successfully.

C:\Arquivos de programas\findbasic (Adware.FindBasic) -> Quarantined and deleted successfully.

Arquivos Infectados:

C:\WINDOWS\system32\drivers\34776722.sys (Rootkit.Agent.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\72655211.sys (Rootkit.Agent.H) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\User\vxljahv.exe.vir (Backdoor.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\User\yjhck.exe.vir (Backdoor.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\User\Dados de aplicativos\juzjf.exe.vir (Worm.Palevo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\User\Dados de aplicativos\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe.vir (Adware.ADON) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\User\Dados de aplicativos\Desktopicon\eBayShortcuts.exe.vir (Adware.ADON) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wuaucldt.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Arquivos de programas\sXe Injected\sXeInjected_5.7.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Arquivos de programas\Findbasic\uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Dados de aplicativos\BitDefender\Desktop\Quarantine\ Me Apaixonei Pela Pessoa Errada - Exaltasamba sucesso. +_+__+2010.mp3.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Dados de aplicativos\BitDefender\Desktop\Quarantine\Turma do Pagode = Um amor de novela [NOVO CD PROMOCIONAL JUNIOR CD E DVDs DO MEIO DO ANO 2010].mp3.mp4.mp5.mp6.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{FCF1CA08-5577-4423-9EE0-AC76FE17FBCD}\RP1144\A0362020.exe (Backdoor.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wkrnovva.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\0jo3k5q.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\1i3upv2.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\1ijo870.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\6c81zuv.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\703e1ab.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\71lvrmn.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\970qqwb.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\dtuplw1m.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\fl66c3y0.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\hm86y8fkvl.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\kql081sd.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\pss\wrx66o3k1g.exeStartup (Trojan.Refroso.Gen) -> Quarantined and deleted successfully.

C:\Arquivos de programas\Advantage\AdVantage.htm (Adware.Advantage) -> Quarantined and deleted successfully.

C:\Arquivos de programas\Advantage\ffext.mod (Adware.Advantage) -> Quarantined and deleted successfully.

C:\Arquivos de programas\Advantage\TR.dll (Adware.Advantage) -> Quarantined and deleted successfully.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:45:52, on 19/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\CrossLoop\CrossLoopService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\borland\interbase\bin\ibguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Scan Server\bdss.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Update Service\livesrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Arquivos de programas\Softwin\BitDefender10\vsserv.exe

C:\Arquivos de programas\borland\interbase\bin\ibserver.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\User\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehCef.dll

O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\ARQUIV~1\GbPlugin\gbiehUni.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [Network] rundll32.exe shell32.dll,Control_RunDLL network.cpl

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ccleaner] "C:\Arquivos de programas\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [Magnify] Magnify.exe (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://www.bancoreal.com.br

O15 - Trusted Zone: http://www.santander.com.br

O17 - HKLM\System\CCS\Services\Tcpip\..\{A63F7ADB-89D7-472E-9494-8E0D1E26F4F0}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll

O20 - Winlogon Notify: GbPluginUni - C:\ARQUIV~1\GbPlugin\gbiehUni.dll

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: Serviço do Bonjour (Bonjour Service) - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: CrossLoop Service (CrossLoopService) - CrossLoop Inc - C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\CrossLoop\CrossLoopService.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Arquivos de programas\borland\interbase\bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Arquivos de programas\borland\interbase\bin\ibserver.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: KMDP - Unknown owner - C:\DOCUME~1\User\CONFIG~1\Temp\KMDP.exe (file missing)

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: uvnc_service - UltraVNC - C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\CrossLoop\winvnc.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Arquivos de programas\Softwin\BitDefender10\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Communicator\xcommsvr.exe

--

End of file - 10663 bytes

Power Max · Outubro 20, 2010

:) Vários problemas foram removidos.

___________________________

:seta: Siga, por gentileza, as dicas destes tutoriais:

Tutorial do Norman Malware Cleaner

Tutorial do antivirus Nod32 Online

__________________________

:seta: Na sua próxima resposta poste o log do Nod32 Online que estará em C:\Arquivos de programas\Eset\Eset Online Scanner\log.txt juntamente com um novo log do Hijackthis e o log do Norman Malware Cleaner e nos diga, por gentileza, como está o seu PC após seguir estes procedimentos. Ficamos no aguardo de sua resposta.

learner27 · Outubro 21, 2010

Bom dia,

Seguem os relatórios.

Nod32:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=0d3c8b53a1a83c4ab3d0ffcb5f1caecf

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-10-21 04:19:17

# local_time=2010-10-21 02:19:17 (-0300, Horário brasileiro de verão)

# country="Brazil"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 13383948 13383948 0 0

# compatibility_mode=768 16777215 100 0 88426091 88426091 0 0

# compatibility_mode=1024 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108823 100 0 0 0 0 0

# scanned=99322

# found=1

# cleaned=1

# scan_time=5407

C:\Arquivos de programas\mahjong_setup.exe Win32/Adware.WhenU.SaveNow application (deleted - quarantined) 00000000000000000000000000000000 C

Norman:

Norman Malware Cleaner

Version 1.8.2

Norman Scanner Engine Version: 6.06.07

Nvcbin.def Version: 6.06.00, Date: 2010/10/19 23:36:56, Variants: 7835834

Scan started: 2010/10/20 22:02:59

Running pre-scan cleanup routine:

Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3

Logged on user: TESTE\User

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""

Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000

Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000

Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000

Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoResolveSearch = 0x00000001

Scanning kernel...

Kernel scan complete

Scanning bootsectors...

Number of sectors found: 1

Number of sectors scanned: 1

Number of sectors not scanned: 0

Number of infections found: 0

Number of infections removed: 0

Total scanning time: 1s 109ms

Scanning running processes and process memory...

Number of processes/threads found: 4925

Number of processes/threads scanned: 4925

Number of processes/threads not scanned: 0

Number of infected processes/threads terminated: 0

Total scanning time: 4m 11s

Scanning file system...

Scanning: prescan

Scanning: C:\*.*

C:\Documents and Settings\All Users\Dados de aplicativos\BitDefender\Desktop\Profiles\Logs\deep_scan\1287448626.loginf (Infected with TXT/WhenU.E)

Deleted file

C:\Documents and Settings\User\Favoritos\Diversão\Top do Mês ˜ Charges.com.br.url (Error opening file: Not found)

C:\Qoobox\Quarantine\C\Documents and Settings\User\secupdat.dat.vir (Infected with Spam/Mailbot.A)

Deleted file

C:\Qoobox\Quarantine\C\Documents and Settings\User\_secupdat_.dat.zip/secupdat.dat (Infected with Spam/Mailbot.A)

Deleted file

C:\Qoobox\Quarantine\C\Documents and Settings\User\_secupdat_.dat.zip (Empty archive after cleaning)

Deleted file

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir (Infected with W32/Protector.D)

Deleted file

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ndis.sys.vir (Infected with W32/Protector.B)

Repaired file

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_zikmbkgj_.sys.zip/zikmbkgj.sys (Infected with W32/Smalldrp.AXIR)

Deleted file

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_zikmbkgj_.sys.zip (Empty archive after cleaning)

Deleted file

C:\Qoobox\Quarantine\C\WINDOWS\system32\secupdat.dat.vir (Infected with Spam/Mailbot.A)

Deleted file

C:\Qoobox\Quarantine\C\WINDOWS\system32\_secupdat_.dat.zip/secupdat.dat (Infected with Spam/Mailbot.A)

Deleted file

C:\Qoobox\Quarantine\C\WINDOWS\system32\_secupdat_.dat.zip (Empty archive after cleaning)

Deleted file

C:\System Volume Information\_restore{FCF1CA08-5577-4423-9EE0-AC76FE17FBCD}\RP1144\A0362024.sys (Infected with W32/Protector.D)

Deleted file

C:\System Volume Information\_restore{FCF1CA08-5577-4423-9EE0-AC76FE17FBCD}\RP1144\A0362025.sys (Infected with W32/Protector.D)

Deleted file

C:\System Volume Information\_restore{FCF1CA08-5577-4423-9EE0-AC76FE17FBCD}\RP1145\A0363016.sys (Infected with W32/Protector.D)

Deleted file

C:\System Volume Information\_restore{FCF1CA08-5577-4423-9EE0-AC76FE17FBCD}\RP1145\A0363017.sys (Infected with W32/Protector.D)

Deleted file

C:\System Volume Information\_restore{FCF1CA08-5577-4423-9EE0-AC76FE17FBCD}\RP1146\A0364017.sys (Infected with W32/Protector.D)

Deleted file

C:\System Volume Information\_restore{FCF1CA08-5577-4423-9EE0-AC76FE17FBCD}\RP1146\A0364018.sys (Infected with W32/Protector.D)

Deleted file

C:\WINDOWS\uninstall Night_Fl.exe (Infected with W32/Suspicious_Gen2.QKII)

Deleted file

Scanning: D:\*.*

Scanning: E:\*.*

Scanning: C:\System Volume Information\*.*

Scanning: postscan

Running post-scan cleanup routine:

Number of files found: 376800

Number of archives unpacked: 3382

Number of files scanned: 376796

Number of files not scanned: 4

Number of files skipped due to exclude list: 0

Number of infected files found: 18

Number of infected files repaired/deleted: 18

Number of infections removed: 18

Total scanning time: 2h 18m 49s

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:33:31, on 21/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17091)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\CrossLoop\CrossLoopService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\borland\interbase\bin\ibguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Update Service\livesrv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Arquivos de programas\Softwin\BitDefender10\bdagent.exe

C:\Arquivos de programas\Softwin\BitDefender10\bdmcon.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\borland\interbase\bin\ibserver.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Update Service\upgrepl.exe