Archived: this topic has been archived and is closed to new replies.

João Álvaro

[Solved] Log Analysis

The computer has been slow over the last few days; in addition, Avast keeps detecting a virus in RAM and the autorun.inf virus on my USB drive.

Below is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:06:23 PM, on 2/11/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Acer\Empowering Technology\admServ.exe

C:\WINDOWS\system32\csrcs.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Launch Manager\LaunchAp.exe

C:\Program Files\Launch Manager\PowerKey.exe

C:\Program Files\Launch Manager\OSDCtrl.exe

C:\Program Files\Launch Manager\Wbutton.exe

C:\acer\Empowering Technology\ePower\epm-dm.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

C:\Acer\Empowering Technology\admtray.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Real\RealPlayer\update\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HijackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vshare.toolbarhome.com/?hp=df

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 114.127.246.36

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O3 - Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll

O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"

O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"

O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"

O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"

O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe

O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe

O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot

O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iBest.baloon] "C:\Program Files\Yahoo! Acesso Grátis\baloon.exe"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKLM\..\Policies\Explorer\Run: [status] present

O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe

O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Program Files\GbPlugin\GbpSv.exe

 

--

End of file - 8047 bytes

Thanks in advance.
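In this thread the HijackThis log is read by eye. As an added example (not code from the post, from HijackThis or from the helper), the Python script below applies the same reading to a handful of lines copied from that log: it flags the system.ini Shell= line that loads an extra executable, the per-user ProxyServer, autostarts under RunServices and Policies\Explorer\Run, a start page that points away from the Microsoft defaults (the default-host list is an assumption), and names that recur across flagged entries.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vshare.toolbarhome.com/?hp=df
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 114.127.246.36
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumption: the start/search hosts a clean XP install points at. Anything else
# is not proof of infection, but it should be confirmed with the machine's owner.
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.msn.com", "www.microsoft.com"}

# Autostart locations legitimate XP software almost never uses; in this thread
# both held csrcs.exe, which Malwarebytes later removed as Trojan.Agent.
UNUSUAL_O4_LOCATIONS = ("\\RunServices:", "\\Policies\\Explorer\\Run:")

ENTRY_RE = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r"[\w-]+\.exe", re.IGNORECASE)
Finding = namedtuple("Finding", "section reason line")  # tag, why, original line


def parse_entry(line):
    """Split one log line into (section tag, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("tag"), m.group("body")) if m else None


def check_shell(body):
    """F2: system.ini Shell= should be exactly Explorer.exe; extra names run at logon."""
    if "Shell=" not in body:
        return None
    names = body.split("Shell=", 1)[1].split()
    extra = [n for n in names if n.lower() != "explorer.exe"]
    return f"extra shell executable(s) run at logon: {' '.join(extra)}" if extra else None


def check_proxy(body):
    """R1: a per-user ProxyServer silently routes all browsing through that host."""
    if "ProxyServer = " not in body:
        return None
    value = body.split("ProxyServer = ", 1)[1].strip()
    return f"browser traffic proxied through {value}; confirm the user set this"


def check_start_page(body):
    """R0/R1: start or search page pointing away from the Microsoft defaults."""
    if " = http" not in body:
        return None
    host = urlparse(body.split(" = ", 1)[1].strip()).hostname or ""
    return None if host in DEFAULT_IE_HOSTS else f"start/search page points at {host}"


def check_autostart(body):
    """O4: flag entries living in RunServices or Policies\\Explorer\\Run."""
    for loc in UNUSUAL_O4_LOCATIONS:
        if loc in body:
            return f"autostart in rarely used location {loc.rstrip(':')}"
    return None


CHECKS = {"F2": (check_shell,), "R0": (check_start_page,),
          "R1": (check_proxy, check_start_page), "O4": (check_autostart,)}


def triage(log_text):
    """Run the section-specific checks over every entry and collect findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        tag, body = entry
        for check in CHECKS.get(tag, ()):
            reason = check(body)
            if reason:
                findings.append(Finding(tag, reason, line.strip()))
    return findings


def repeated_executables(findings):
    """Executable names that recur across flagged entries (csrcs.exe in this log)."""
    counts = {}
    for f in findings:
        for name in set(n.lower() for n in EXE_RE.findall(f.line)):
            counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}
```

Running `triage(SAMPLE_LOG)` yields six findings, and `repeated_executables` shows csrcs.exe referenced by three of them, which is the same conclusion the helper reached before sending the poster to Malwarebytes.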

Hello João Álvaro

*Download MalwareBytes Anti-malware and save it to the desktop

*Install the program and accept the update

*The program will open automatically

*Select [Full scan] and click [Scan] > [Scan]

*When the scan finishes, click [Yes] > [OK] > [Show Results] > [Remove Selected]

*Paste the report shown


During the scan Avast detected several viruses.

Here is the Malwarebytes report:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

 

Versão da Base de Dados: 5748

 

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

 

2/12/2011 2:48:22 PM

mbam-log-2011-02-12 (14-48-22).txt

 

Tipo de Verificação: Verificação Completa (C:\|D:\|)

Objetos escaneados: 192881

Tempo decorrido: 1 hora(s), 19 minuto(s), 25 segundo(s)

 

Processos de Memória Infectados: 1

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 1

Valores de Registro Infectados: 4

Itens de Dados no Registro Infectados: 3

Pastas Infectadas: 2

Arquivos Infectados: 10

 

Processos de Memória Infectados:

c:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> 1424 -> Unloaded process successfully.

 

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Infectadas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty (Worm.Autorun) -> Quarantined and deleted successfully.

 

Valores de Registro Infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\csrcs (Trojan.Agent) -> Value: csrcs -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> Value: csrcs -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.Palevo) -> Value: Shell -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\status (Trojan.Agent) -> Value: status -> Quarantined and deleted successfully.

 

Itens de Dados no Registro Infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Bad: (csrcs.exe) Good: () -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-1866652667-4418901761-901729011-5658\nvapbar.exe,C:\Documents and Settings\teste\Application Data\cfnlg.exe,explorer.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

 

Pastas Infectadas:

c:\heap41a (Trojan.Agent) -> Quarantined and deleted successfully.

c:\heap41a\offspring (Trojan.Agent) -> Quarantined and deleted successfully.

 

Arquivos Infectados:

c:\documents and settings\teste\local settings\temp\ljvf.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\documents and settings\teste\application data\cfnlg.exe (Heuristics.Shuriken) -> Delete on reboot.

c:\system volume information\_restore{64c55bae-0167-4e29-a424-980e0bca06f2}\rp101\a0022197.exe (Worm.Autorun) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\heap41a\drivelist.txt (Trojan.Agent) -> Quarantined and deleted successfully.

c:\heap41a\2.mp3 (Trojan.Agent) -> Quarantined and deleted successfully.

c:\heap41a\Icon.ico (Trojan.Agent) -> Quarantined and deleted successfully.

c:\heap41a\reproduce.txt (Trojan.Agent) -> Quarantined and deleted successfully.

c:\heap41a\std.txt (Trojan.Agent) -> Quarantined and deleted successfully.

c:\heap41a\script1.txt (Trojan.Agent) -> Quarantined and deleted successfully.


*Temporarily disable your antivirus

Right-click the Avast icon next to the clock > select "Pause resident protection" > confirm.

*Download ComboFix and save it to the desktop

*Run it and accept the license agreement

*If the Windows Recovery Console is not installed, click [Yes] > [Yes]

*Wait for all stages to complete

[image: etapas.jpg]

*Do not use the mouse or keyboard during the procedure!!

*Paste the report C:\combofix.txt


Here is the ComboFix report:

ComboFix 11-02-13.04 - teste 07/03/2004 0:20.1.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.606 [GMT -3:00]

Running from: c:\documents and settings\teste\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1296 [VPS 110211-0] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system\WINSPOOL.DRV

c:\windows\system32\autorun.i

c:\windows\system32\autorun.in

c:\windows\system32\midas.dll

c:\windows\system32\Videod4a19626Drivers.dll

c:\windows\system32\zip32.dll

c:\windows\Temp\log.txt

D:\AUTORUN.INF

 

c:\windows\system32\msgsvc.dll . . . is infected!!

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_GBPSV

-------\Service_GbpSv

-------\Service_usnjsvc

 

 

((((((((((((((((((((((((( Files Created from 2004-06-03 to 2004-07-03 )))))))))))))))))))))))))))))))

.

 

2011-02-13 01:38 . 2011-02-13 01:38 -------- d-----w- C:\FOUND.001

2011-02-12 01:57 . 2011-02-12 01:57 -------- d-----w- C:\HijackThis

2009-03-21 17:40 . 2009-03-21 17:40 -------- d-----w- C:\Desk

2006-09-01 00:34 . 2006-09-01 00:34 -------- d-----w- C:\AVG

2006-09-01 00:23 . 2006-09-01 00:23 -------- d-----w- C:\Globalink

2006-08-31 23:43 . 2006-08-31 23:43 -------- d-----w- C:\Lattes

2006-08-17 05:39 . 2006-08-17 05:39 -------- d-----w- C:\Acer

2006-08-17 05:33 . 2006-08-17 05:33 -------- d-----w- C:\FOUND.000

2005-06-20 04:39 . 2005-06-20 04:39 -------- d-----w- C:\Sysinfo

2005-06-20 04:38 . 2005-06-20 04:38 -------- d-----w- C:\BOOK

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-14 14:30 . 2004-08-04 08:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe

2009-11-21 16:36 . 2004-08-04 08:00 470528 ----a-w- c:\windows\apppatch\AcLayers.dll

2005-10-05 18:57 . 2004-03-17 14:04 12544 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys

2005-10-05 18:56 . 2004-03-17 14:00 86016 ----a-w- c:\windows\system32\mdmxsdk.dll

2004-08-04 08:00 . 2004-08-04 08:00 99840 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe

2004-08-04 08:00 . 2004-08-04 08:00 768512 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpCtr.exe

2004-08-04 08:00 . 2004-08-04 08:00 725566 ----a-w- c:\windows\srchasst\srchui.dll

2004-08-04 08:00 . 2004-08-04 08:00 6656 ----a-w- c:\windows\pchealth\helpctr\binaries\HCAppRes.dll

2004-08-04 08:00 . 2004-08-04 08:00 58434 ----a-w- c:\windows\srchasst\srchctls.dll

2004-08-04 08:00 . 2004-08-04 08:00 38912 ----a-w- c:\windows\pchealth\helpctr\binaries\pchsvc.dll

2004-08-04 08:00 . 2004-08-04 08:00 376320 ----a-w- c:\windows\pchealth\helpctr\binaries\msinfo.dll

2004-08-04 08:00 . 2004-08-04 08:00 35328 ----a-w- c:\windows\pchealth\helpctr\binaries\notiflag.exe

2004-08-04 08:00 . 2004-08-04 08:00 34816 ----a-w- c:\windows\help\sniffpol.dll

2004-08-04 08:00 . 2004-08-04 08:00 3374640 ----a-w- c:\windows\help\Tours\mmTour\tour.exe

2004-08-04 08:00 . 2004-08-04 08:00 33280 ----a-w- c:\windows\help\sstub.dll

2004-08-04 08:00 . 2004-08-04 08:00 3166208 ----a-w- c:\windows\srchasst\msgr3en.dll

2004-08-04 08:00 . 2004-08-04 08:00 279040 ----a-w- c:\windows\help\tshoot.dll

2004-08-04 08:00 . 2004-08-04 08:00 244736 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2004-08-04 08:00 . 2004-08-04 08:00 21504 ----a-w- c:\windows\pchealth\helpctr\binaries\brpinfo.dll

2004-08-04 08:00 . 2004-08-04 08:00 18944 ----a-w- c:\windows\pchealth\helpctr\binaries\HscUpd.exe

2004-08-04 08:00 . 2004-08-04 08:00 1852416 ----a-w- c:\windows\apppatch\AcGenral.dll

2004-08-04 08:00 . 2004-08-04 08:00 158208 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

2004-08-04 08:00 . 2004-08-04 08:00 152576 ----a-w- c:\windows\help\bnts.dll

2004-08-04 08:00 . 2004-08-04 08:00 150528 ----a-w- c:\windows\pchealth\UploadLB\Binaries\UploadM.exe

2004-08-04 08:00 . 2004-08-04 08:00 137728 ----a-w- c:\windows\apppatch\AcLua.dll

2004-08-04 08:00 . 2004-08-04 08:00 116224 ----a-w- c:\windows\apppatch\AcXtrnal.dll

2004-08-04 08:00 . 2004-08-04 08:00 102400 ----a-w- c:\windows\pchealth\helpctr\binaries\pchshell.dll

2004-05-14 16:04 . 2004-05-14 16:04 49152 ----a-w- c:\windows\XMLaunch.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]

"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]

"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-11-08 69632]

"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]

"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]

"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-11-08 81920]

"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 212992]

"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-02 397312]

"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 69632]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2004-11-05 273544]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/21/2009 1:02 PM 111184]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/21/2009 1:02 PM 20560]

R3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [8/17/2006 2:38 AM 2343]

S1 mailKmd;mailKmd; [x]

S2 GbpSv;Gbp Service;c:\program files\GbPlugin\GbpSv.exe [5/5/2007 4:24 PM 39936]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - INT15.SYS

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://vshare.toolbarhome.com/?hp=df

uInternet Settings,ProxyServer = 114.127.246.36

uInternet Settings,ProxyOverride = <local>

IE: &Sample Toolband Serach - c:\windows\system32\ToolBand.dll/MENUSEARCH.HTM

IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\teste\Application Data\Mozilla\Firefox\Profiles\0b5ye9zx.default\

FF - prefs.js: browser.startup.homepage - hxxp://vshare.toolbarhome.com/?hp=df

FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=

FF - prefs.js: network.proxy.ftp - 114.127.246.36

FF - prefs.js: network.proxy.gopher - 114.127.246.36

FF - prefs.js: network.proxy.http - 114.127.246.36

FF - prefs.js: network.proxy.socks - 114.127.246.36

FF - prefs.js: network.proxy.ssl - 114.127.246.36

FF - prefs.js: network.proxy.type - 1

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-iBest.baloon - c:\program files\Yahoo! Acesso Grátis\baloon.exe

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

AddRemove-Curriculo Lattes - c:\lattes\Instalacao\DesinstalaCurriculo.exe

AddRemove-MEING - c:\dicescolar\MEING\desinstala.exe

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2004-07-03 00:32

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|ù•A~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(488)

c:\windows\Downloaded Program Files\gbiehabn.dll

 

- - - - - - - > 'explorer.exe'(2916)

c:\windows\system32\WININET.dll

c:\windows\system32\MSNChatHook.dll

c:\windows\system32\sysenv.dll

c:\windows\system32\MSVCR71.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\acer\Empowering Technology\admServ.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2004-07-03 00:36:13 - machine was rebooted

ComboFix-quarantined-files.txt 2004-07-03 03:36

 

Pre-Run: 1,461,338,112 bytes free

Post-Run: 1,879,998,464 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

 

- - End Of File - - 6BAEA8C756BEAD1BFB3D6B9958B1ED4F


1.

*Click [Start] > [Run] > copy and paste: Combofix /uninstall

[image: 9c7dcf5090.jpg]

*Click [OK] > [Run]

*Wait for the message "ComboFix is uninstalled" and click [OK]

2.

Right-click the Avast icon next to the clock > select "Pause resident protection" > confirm.

3.

*Open Malwarebytes, click [Update] > [Check for Updates] and wait for it to finish

*Click [Scan], select [Full scan]

*Click [Scan] and select the partition where Windows is installed

*When the scan finishes, click [Yes] > [OK] > [Show Results]

*Click [Remove Selected]

*Paste the report shown

4.

*Click [Start] > [Run] > type: sfc /scannow

[image: sfc.jpg]

*Click OK

*You will be asked for the Windows CD

*Insert it in the CD-ROM drive and wait for it to finish

*Remove the CD and restart the PC

5.

*Keep the antivirus disabled

*Download ComboFix again and run it

*Paste the report shown


Can procedure number 4 be done without the Windows CD?

If not, can it be any CD, even one that was not used on my PC?

Thanks


If you don't have the CD, skip procedures 4 and 5.

*Download SystemLook and save it to the desktop

*Run it and paste the following into the blank box:

:file

c:\windows\system32\msgsvc.dll

:filefind

*msgsvc*

*Click [Look]

*Paste the report shown


PROBLEM SOLVED

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
