[Arquivado] &nbspAnalise de Log

[iSombra 0]

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

 

Versão da Base de Dados: 6253

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

3/4/2011 02:38:39

mbam-log-2011-04-03 (02-38-39).txt

 

Tipo de Verificação: Verificação Completa (C:\|)

Objetos escaneados: 218891

Tempo decorrido: 44 minuto(s), 39 segundo(s)

 

Processos de Memória Infectados: 0

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 0

Valores de Registro Infectados: 1

Itens de Dados no Registro Infectados: 0

Pastas Infectadas: 1

Arquivos Infectados: 22

 

Processos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Infectadas:

(Não foram detectados ítens maliciosos)

 

Valores de Registro Infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdVantage (Adware.Vomba) -> Value: AdVantage -> Quarantined and deleted successfully.

 

Itens de Dados no Registro Infectados:

(Não foram detectados ítens maliciosos)

 

Pastas Infectadas:

c:\documents and settings\all users\menu iniciar\programas\ardamax keylogger (PUP.ArdamaxKeyLogger) -> Not selected for removal.

 

Arquivos Infectados:

c:\documents and settings\all users\documentos\afqjop.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\usuario\dados de aplicativos\wplugin.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\documents and settings\Usuario\Desktop\# Igor\RAGNAROK\cópia de ragnarok online\GF.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Usuario\Desktop\# Igor\Igor\downloads e instaladores\warcraft iii\xpam.exe (Trojan.MultiDropper) -> Quarantined and deleted successfully.

c:\documents and settings\Usuario\Desktop\my shared folder\penis drive\sony vegas pro 10\sony vegas 10 32-bit\Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\arquivos de programas\htv\htv.003 (PUP.ArdamaxKeyLogger) -> Not selected for removal.

c:\arquivos de programas\htv\htv.004 (PUP.ArdamaxKeyLogger) -> Not selected for removal.

c:\arquivos de programas\htv\htv.007 (PUP.ArdamaxKeyLogger) -> Not selected for removal.

c:\arquivos de programas\htv\jeremias cabra homem.exe (Spyware.Ardamax) -> Quarantined and deleted successfully.

c:\windows\wplugin.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\windows\system32\dp1.fne (Worm.Autorun) -> Quarantined and deleted successfully.

c:\windows\system32\internet.fne (HackTool.Patcher) -> Quarantined and deleted successfully.

c:\windows\system32\pv40f20.exe (Trojan.FlyStudi.Gen) -> Quarantined and deleted successfully.

c:\windows\system32\zh262.exe (Trojan.FlyStudi.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\og.dll (Worm.AutoRun) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\og.EDT (Worm.AutoRun) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\ul.dll (Worm.AutoRun) -> Quarantined and deleted successfully.

c:\documents and settings\Usuario\dados de aplicativos\advantage\advantage.exe (Adware.Vomba) -> Quarantined and deleted successfully.

c:\documents and settings\all users\menu iniciar\programas\ardamax keylogger\ardamax keylogger.lnk (PUP.ArdamaxKeyLogger) -> Not selected for removal.

c:\documents and settings\all users\menu iniciar\programas\ardamax keylogger\Help.lnk (PUP.ArdamaxKeyLogger) -> Not selected for removal.

c:\documents and settings\all users\menu iniciar\programas\ardamax keylogger\log viewer.lnk (PUP.ArdamaxKeyLogger) -> Not selected for removal.

 

Observações:

Eu não deletei a pasta porque logo após verificar o Malwarebytes' Anti-Malware, não mexi em mais nada além de remover os selecionados e, como pode ser visto no log, tudo sobre o Ardamax não estava selecionado e por precaução, também não selecionei. Qualquer dúvida sobre o uso do mesmo, posso responder também, rs.

 

Agradeço desde já.

Abraços, iSombra.

[Felipe_88 0]

Olá, iSombra! Seja Bem Vindo ao iMasters Fóruns!

 

Equívoco não! Pode ter certeza.. e foi instalado manualmente pelo jeito...

 

Deseja verificar se o Ardamax ainda está ativo e prosseguir com análise/remoção dos vírus?

[iSombra 0]

Olá, obrigado pelas boas-vindas e atenção imediata ao meu problema. Parabéns.

@Topic

 

Bom.. sinceramente ele foi instalado sim manualmente. Gostaria de verificar sim e, se possível saber se eu estou sendo vigiado por ter instalado ele ou se ele está apenas para meu uso e, quais danos estou sendo exposto.

 

Agradeço novamente, boa noite. Obrigado :D

 

@Offtopic

Bom, eu estou com um problema também, e pra ser sincero, acho que é descuido meu visto que não formato minha máquina desde o ano passado, mas qualquer pasta que eu vou abrir, ela abre a pasta "Meus Documentos" antes e, a a pasta "Meus Documentos" está um pouco... diferente. Segue a print da pasta:

 

up?

[Felipe_88 0]

iSombra,

 

Faça conforme a Regra Nº2 - Utilizando o hijackthis

 

Fico no aguardo!

[iSombra 0]

Creio que fiz corretamente né ?

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 15:04:19, on 14/4/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TeamViewer\Version6\TeamViewer_Service.exe

C:\Arquivos de programas\IObit\Game Booster\GameBox.exe

C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Real\RealPlayer\update\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Arquivos de programas\Orbitdownloader\orbitdm.exe

C:\Arquivos de programas\Orbitdownloader\orbitnet.exe

C:\Downloads\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.localstrike.com.ar/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.localstrike.com.ar/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.localstrike.com.ar/

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD9\Language\Language.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] C:\Arquivos de programas\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Real\RealPlayer\update\realsched.exe" -osboot

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ccleaner] "C:\Arquivos de programas\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [badoo Desktop] "C:\Documents and Settings\All Users\Dados de aplicativos\Badoo\Badoo Desktop\1.2.22.828\Badoo.Desktop.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Arquivos de programas\TeamViewer\Version6\TeamViewer_Service.exe

 

--

End of file - 8944 bytes

[Felipe_88 0]

iSombra,

 

1º

Abra novamente o hijackthis clique em » Do a system scam only marque a(s) seguinte(s) linha(s) abaixo, clique em Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.localstrike.com.ar/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.localstrike.com.ar/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.localstrike.com.ar/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.localstrike.com.ar/

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

 

2º

*Baixe o ComboFix e salve-o no desktop

* Desative seu antivírus temporariamente:

Clique com o botão direito do mouse no ícone do Avast ao lado do relógio > Selecione "Pausar a proteção residente" > Confirme.

*Execute o Combofix e aceite o contrato

*Se o console de recuperação do Windows já estiver instalado, o ComboFix continuará o processo automaticamente. Caso contrário, clique em [sIM] para a sua instalação.

*Clique em [sIM] para continuar.

*Aguarde a conclusão de todas as etapas

*Enquanto o ComboFix estiver em execução, evite usar o mouse e o teclado!!..... Para interromper o procedimento tecle N ou 2 e depois ENTER.

*O programa será fechado automaticamente e um relatório (C:\combofix.txt) será apresentado. Cole-o na próxima resposta.

 

No Aguardo.

[iSombra 0]

Felipe_88,

 

Após ter feito o processo indicado nesse tópico pelo HiJackThis, fiz outro análise para ver se fiz tudo corretamente, segue o log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 13:48:22, on 16/4/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\IObit\Game Booster\GameBox.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TeamViewer\Version6\TeamViewer_Service.exe

C:\Arquivos de programas\TeamViewer\Version6\TeamViewer.exe

C:\Arquivos de programas\TeamViewer\Version6\tv_w32.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Real\RealPlayer\update\realsched.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Documents and Settings\All Users\Dados de aplicativos\Badoo\Badoo Desktop\1.2.22.828\Badoo.Desktop.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\downloads\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD9\Language\Language.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] C:\Arquivos de programas\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Real\RealPlayer\update\realsched.exe" -osboot

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ccleaner] "C:\Arquivos de programas\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [badoo Desktop] "C:\Documents and Settings\All Users\Dados de aplicativos\Badoo\Badoo Desktop\1.2.22.828\Badoo.Desktop.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Arquivos de programas\TeamViewer\Version6\TeamViewer_Service.exe

 

--

End of file - 7884 bytes

 

 

 

 

 

 

 

 

 

 

Agora o processo feito pelo ComboFix, segue o log:

 

ComboFix 11-04-15.06 - Usuario 16/04/2011 13:23:08.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1533.976 [GMT -3:00]

Executando de: c:\downloads\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\arquivos de programas\HTV

c:\arquivos de programas\HTV\akv.cfg

c:\arquivos de programas\HTV\HTV.001

c:\arquivos de programas\HTV\HTV.002

c:\arquivos de programas\HTV\HTV.009

c:\arquivos de programas\HTV\HTV.chm

c:\arquivos de programas\HTV\menu.gif

c:\arquivos de programas\HTV\qs.html

c:\arquivos de programas\HTV\tray.gif

c:\arquivos de programas\HTV\Uninstall.exe

c:\documents and settings\All Users\Dados de aplicativos\Adobe Systems

c:\documents and settings\All Users\Dados de aplicativos\Adobe Systems\Product licenses\B2B86000.dat

c:\documents and settings\All Users\Menu Iniciar\Programas\Ardamax Keylogger

c:\documents and settings\All Users\Menu Iniciar\Programas\Ardamax Keylogger\Ardamax Keylogger.lnk

c:\documents and settings\All Users\Menu Iniciar\Programas\Ardamax Keylogger\Help.lnk

c:\documents and settings\All Users\Menu Iniciar\Programas\Ardamax Keylogger\Log Viewer.lnk

c:\documents and settings\Usuario\Dados de aplicativos\AdVantage

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\1.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\a.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\b.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\c.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\d.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\e.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\f.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\g.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\h.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\i.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\J.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\k.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\l.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\m.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\mru.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\n.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\o.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\p.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\q.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\r.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\s.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\t.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\u.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\v.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\w.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\x.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\y.xml

c:\documents and settings\Usuario\Dados de aplicativos\PriceGong\Data\z.xml

c:\documents and settings\Usuario\Desktop\# Igor\Igor\downloads e instaladores\Cópia de Ragnarok Online\skin\default\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\Igor\downloads e instaladores\Cópia de Ragnarok Online\skin\default\basic_interface\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\Igor\downloads e instaladores\Cópia de Ragnarok Online\skin\Scribbling Kid\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\Igor\downloads e instaladores\Cópia de Ragnarok Online\skin\Scribbling Kid\basic_interface\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\Igor\downloads e instaladores\Ragnarok Online\skin\default\basic_interface\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\Igor\downloads e instaladores\Ragnarok Online\skin\Scribbling Kid\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\Igor\downloads e instaladores\Ragnarok Online\skin\Scribbling Kid\basic_interface\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\RAGNAROK\Cópia de Ragnarok Online\skin\default\basic_interface\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\RAGNAROK\Cópia de Ragnarok Online\skin\Scribbling Kid\_desktop.ini

c:\documents and settings\Usuario\Desktop\# Igor\RAGNAROK\Cópia de Ragnarok Online\skin\Scribbling Kid\basic_interface\_desktop.ini

c:\documents and settings\Usuario\WINDOWS

c:\windows\explorer.exe.local

c:\windows\system32\AutoRun.inf

.

c:\windows\system32\userinit.exe . . . está infectado!!

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_UacFlt

-------\Service_UacFlt

.

.

(((((((((((((((( Arquivos/Ficheiros criados de 2011-03-16 to 2011-04-16 ))))))))))))))))))))))))))))

.

.

2011-04-15 16:37 . 2011-04-15 16:37 -------- d-----w- C:\ijji

2011-04-14 11:52 . 2011-04-14 11:52 -------- d-----w- c:\documents and settings\Usuario\Configurações locais\Dados de aplicativos\id Software

2011-04-14 11:48 . 2011-04-14 11:48 139152 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-04-14 11:48 . 2011-04-14 11:48 139152 ----a-w- c:\documents and settings\Usuario\Dados de aplicativos\PnkBstrK.sys

2011-04-14 11:48 . 2011-04-14 11:48 111928 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-04-14 11:48 . 2011-04-14 11:48 794408 ----a-w- c:\windows\system32\pbsvc.exe

2011-04-14 11:48 . 2011-04-14 11:48 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

2011-04-14 11:48 . 2011-04-14 11:48 -------- d-----w- c:\windows\system32\LogFiles

2011-04-14 11:09 . 2011-04-14 11:09 -------- d-----w- c:\arquivos de programas\Activision

2011-04-14 11:08 . 2011-04-14 11:08 -------- d-sh--w- c:\windows\ftpcache

2011-04-12 18:04 . 2011-04-12 18:04 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\ijjigame

2011-04-12 18:01 . 2010-07-27 19:13 27136 ----a-w- c:\arquivos de programas\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll

2011-04-12 18:01 . 2010-03-24 19:57 713312 ----a-w- c:\windows\system32\ijjiSetup.exe

2011-04-12 18:01 . 2010-03-24 19:56 62048 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe

2011-04-12 18:01 . 2011-04-16 05:44 -------- d-----w- c:\arquivos de programas\REACTOR

2011-04-07 11:38 . 2011-04-07 11:38 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\Sony Setup

2011-04-07 11:37 . 2011-04-07 11:37 -------- d-----w- c:\arquivos de programas\Sony Setup

2011-04-03 04:32 . 2011-04-03 04:32 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\Malwarebytes

2011-04-03 04:32 . 2011-04-03 04:32 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2011-04-03 04:32 . 2010-12-20 21:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-03 04:32 . 2011-04-03 04:32 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2011-04-03 04:32 . 2010-12-20 21:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-31 08:18 . 2011-03-31 08:18 -------- d-----w- c:\arquivos de programas\FreeTime

2011-03-31 08:14 . 2011-03-31 08:14 -------- d--h--w- c:\documents and settings\Usuario\Configurações locais\Dados de aplicativos\AlterGeo

2011-03-31 08:14 . 2011-03-31 08:14 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Badoo

2011-03-26 06:38 . 2011-03-26 06:38 11776 ----a-w- c:\arquivos de programas\Mozilla Firefox\plugins\nprjplug.dll

2011-03-26 06:37 . 2011-03-26 06:37 -------- d-----w- c:\arquivos de programas\Arquivos comuns\xing shared

2011-03-26 06:37 . 2011-03-26 06:37 150712 ----a-w- c:\arquivos de programas\Mozilla Firefox\plugins\nppl3260.dll

2011-03-26 06:37 . 2011-03-26 06:37 100864 ----a-w- c:\arquivos de programas\Mozilla Firefox\plugins\nprpjplug.dll

2011-03-24 18:28 . 2011-03-24 18:58 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\SpieleEntwicklungsKombinat

2011-03-24 18:28 . 2011-03-24 18:28 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\SpieleEntwicklungsKombinat

2011-03-22 02:31 . 2011-03-22 02:31 -------- d-----w- C:\Ntreev USA

.

.

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-26 06:37 . 2010-09-30 01:41 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-03-26 06:37 . 2010-09-30 01:41 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-03-13 12:26 . 2011-03-13 12:26 2560 ----a-w- c:\windows\_MSRSTRT.EXE

2011-03-01 15:49 . 2011-03-10 07:31 4063560 ----a-w- c:\windows\system32\GameMon.des

2011-02-28 08:00 . 2011-03-17 04:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll

.

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

"ccleaner"="c:\arquivos de programas\CCleaner\CCleaner.exe" [2011-01-24 2200376]

"Badoo Desktop"="c:\documents and settings\All Users\Dados de aplicativos\Badoo\Badoo Desktop\1.2.22.828\Badoo.Desktop.exe" [2010-10-29 983552]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast5"="c:\arquiv~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"PDVD9LanguageShortcut"="c:\arquivos de programas\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-05-14 248552]

"HP Software Update"="c:\arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]

"nwiz"="c:\arquivos de programas\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]

"TkBellExe"="c:\arquivos de programas\Real\RealPlayer\update\realsched.exe" [2011-03-26 273544]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Usuario^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]

path=c:\documents and settings\Usuario\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]

2009-02-28 22:40 75048 ----a-w- c:\arquivos de programas\CyberLink\Shared Files\brs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-13 18:20 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2010-04-01 09:16 357696 ----a-w- c:\arquivos de programas\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

2009-03-28 21:11 3325952 ----a-w- c:\arquivos de programas\Electronic Arts\EADM\Core.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-10-15 19:09 136176 ----atw- c:\documents and settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 01:21 1695232 ------w- c:\arquivos de programas\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2010-10-16 14:04 13851752 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2010-10-16 14:04 110696 ----a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]

2009-02-16 12:55 87336 ------w- c:\arquivos de programas\CyberLink\PowerDVD9\PDVD9Serv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2010-09-07 22:20 19573352 ----a-w- c:\windows\RTHDCPL.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-05-13 19:12 26192168 ----a-r- c:\arquivos de programas\Skype\Phone\Skype.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Documents and Settings\\Usuario\\Configurações locais\\Dados de aplicativos\\Kamuse\\KCSTrayDownloader\\KCSTrayDownloaderEngine.exe"=

"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\RkSoft\\Xadrez\\xadrez.exe"=

"c:\\Arquivos de programas\\Steam\\Steam.exe"=

"c:\\Arquivos de programas\\TeamViewer\\Version6\\TeamViewer.exe"=

"c:\\Arquivos de programas\\TeamViewer\\Version6\\TeamViewer_Service.exe"=

"c:\\Arquivos de programas\\Orbitdownloader\\orbitdm.exe"=

"c:\\Arquivos de programas\\Orbitdownloader\\orbitnet.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Garena\\Garena.exe"=

"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"c:\\Arquivos de programas\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\Usuario\\Desktop\\# Igor\\Igor\\downloads e instaladores\\Combat Arms\\NMService.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Arquivos de programas\\Activision\\Wolfenstein\\MP\\Wolf2MP.exe"=

"c:\\Arquivos de programas\\Activision\\Wolfenstein\\MP\\Wolf2MPLite.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58204:TCP"= 58204:TCP:Pando Media Booster

"58204:UDP"= 58204:UDP:Pando Media Booster

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/10/2010 17:58 691696]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [29/9/2010 21:30 165584]

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/09/29 22:42];c:\arquivos de programas\CyberLink\PowerDVD9\000.fcl [28/2/2009 19:40 87536]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [29/9/2010 21:30 17744]

R2 TeamViewer6;TeamViewer 6;c:\arquivos de programas\TeamViewer\Version6\TeamViewer_Service.exe [16/12/2010 06:58 2228008]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [30/9/2010 00:25 100712]

R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [23/1/2004 15:33 13952]

R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [23/1/2004 15:32 28800]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [29/9/2010 21:14 1691480]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/12/2010 14:24 16512]

S3 cpuz134;cpuz134;\??\c:\docume~1\Usuario\CONFIG~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Usuario\CONFIG~1\Temp\cpuz134\cpuz134_x32.sys [?]

S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]

S3 GGSAFERDriver;GGSAFER Driver;\??\c:\arquivos de programas\Garena\safedrv.sys --> c:\arquivos de programas\Garena\safedrv.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [1/7/2010 13:21 34896]

S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]

S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]

S3 XDva374;XDva374;\??\c:\windows\system32\XDva374.sys --> c:\windows\system32\XDva374.sys [?]

S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Conteúdo da pasta 'Tarefas Agendadas'

.

2011-04-16 c:\windows\Tasks\Game_Booster_Startup.job

- c:\arquivos de programas\IObit\Game Booster\GameBox.exe [2010-11-17 12:55]

.

2011-04-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-1637723038-1801674531-1003.job

- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2011-01-24 17:25]

.

2011-04-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-1637723038-1801674531-1003.job

- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2011-01-24 17:25]

.

.

------- Scan Suplementar -------

.

IE: &Download by Orbit - c:\arquivos de programas\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\arquivos de programas\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\arquivos de programas\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\arquivos de programas\Orbitdownloader\orbitmxt.dll/202

FF - ProfilePath - c:\documents and settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\v40zmihh.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.localstrike.com.ar/?q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/

FF - prefs.js: keyword.URL - hxxp://search.localstrike.com.ar/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\arquivos de programas\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}

FF - Ext: Orkut Manager: om.brunolm@gmail.com - %profile%\extensions\om.brunolm@gmail.com

FF - Ext: Java Quick Starter: jqs@sun.com - c:\arquivos de programas\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

.

- - - - ORFÃOS REMOVIDOS - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

MSConfigStartUp-WinampAgent - c:\arquivos de programas\Winamp\winampa.exe

AddRemove-Combat Arms - c:\level up! games\Combat Arms\NGM.exe

AddRemove-FansRO 6.0a_is1 - c:\documents and settings\Usuario\Desktop\# Igor\RAGNAROK\Fansro\fansro\unins000.exe

AddRemove-{87BD1A8C-9174-43A5-8C73-56327148F7BC}_is1 - c:\documents and settings\Usuario\Desktop\# Igor\RAGNAROK\Cópia de Ragnarok Online\RagnaFan - Aurora\unins000.exe

AddRemove-{9171DE58-8BA2-4850-B23B-A8A7498A7303}_is1 - c:\documents and settings\Usuario\Desktop\# Igor\RAGNAROK\RagnaFan - Promised\unins000.exe

AddRemove-{DDE3BD76-C160-4AA3-8DA7-6542CC2AC65B}_is1 - c:\documents and settings\Usuario\Desktop\# Igor\RAGNAROK\Cópia (2) de Ragnarok Online\RagnaFan - Aurora\unins000.exe

AddRemove-PointBlank - c:\ongame\Pointblank\PBUnInst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-16 13:36

Windows 5.1.2600 Service Pack 3 NTFS

.

Procurando processos ocultos ...

.

Procurando entradas auto inicializáveis ocultas ...

.

Procurando ficheiros/arquivos ocultos ...

.

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]

"ImagePath"="\??\c:\arquivos de programas\CyberLink\PowerDVD9\000.fcl"

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

.

[HKEY_USERS\S-1-5-21-117609710-1637723038-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

.

- - - - - - - > 'explorer.exe'(3160)

c:\arquiv~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\arquivos de programas\TeamViewer\Version6\TeamViewer.exe

c:\arquivos de programas\TeamViewer\Version6\tv_w32.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Tempo para conclusão: 2011-04-16 13:41:07 - Máquina reiniciou

ComboFix-quarantined-files.txt 2011-04-16 16:41

.

Pré-execução: 15 pasta(s) 20.755.750.912 bytes disponíveis

Pós execução: 16 pasta(s) 20.766.785.536 bytes disponíveis

.

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot Loader]

timeout=2

Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[Operating Systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="USB Repair NOT to Start Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 38448C0FE4C3EB331E834B1DA40569ED

 

Aguardo contato, abraços.

[Felipe_88 0]

iSombra,

 

Sabe a procedêcia dessa pasta?

C:\ijji

[iSombra 0]

Felipe_88,

 

Sim, é a pasta do fornecedor do jogo A.V.A (Alliance of Valiant Arms)

[Felipe_88 0]

iSombra,

 

Dando continuidade...

 

*Abra o bloco de notas, selecione, copie e cole nele todo o conteúdo do código abaixo:

Killall::

File::

c:\windows\vtany.sys

c:\windows\system32\XDva370.sys

c:\windows\system32\XDva374.sys

c:\windows\xhunter1.sys

Drivers::

vtany

XDva370

XDva374

*Salve o arquivo no desktop como CFScript.txt

*Arraste o arquivo para o Combofix conforme ilustração abaixo:

*Importante: enquanto o combofix estiver em execução, não use o mouse nem o teclado!!

*Ao final do procedimento, o programa será fechado automaticamente e será mostrado o relatório

*Cole o relatório criado em C:\combofix.txt

[wings 22]

Tópico Arquivado

 

Como o autor não respondeu por mais de 30 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.