Archived

This topic has been archived and is closed to new replies.

rehcarlos

[Solved] Slow PC, no desktop, nothing at all...

Hi everyone, I don't even know how I'm managing to open this topic, because my PC has practically nothing left now: when I click Start -> Programs it shows EMPTY, my desktop has nothing on it; in short, it's a mess.

Here is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 20:31:41, on 23/11/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Arquivos de programas\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Scramby\voicetunerserver.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe

C:\Arquivos de programas\ATnotes\ATnotes.exe

C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\Arquivos de programas\Windows Live\Toolbar\wltuser.exe

C:\WINDOWS\system32\msiexec.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sw.viewsing.com:8083/connect.dat

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Arquivos de programas\Arquivos comuns\InstallShield\Nero\nerocheck.exe

O1 - Hosts: 184.106.78.246 www.hotmail.com

O1 - Hosts: 184.106.78.246 www.spc.com.br

O1 - Hosts: 184.106.78.246 hotmail.com

O1 - Hosts: 184.106.78.246 msn.com

O1 - Hosts: 184.106.78.246 live.com

O1 - Hosts: 184.106.78.246 www4.bradesco.com.br

O1 - Hosts: 184.106.78.246 www.prime.com.br

O1 - Hosts: 184.106.78.246 prime.com.br

O1 - Hosts: 184.106.78.246 bradesconetempresa.com.br

O1 - Hosts: 184.106.78.246 www.bradesconetempresa.com.br

O1 - Hosts: 184.106.78.246 www.bradescopj.com.br

O1 - Hosts: 184.106.78.246 bradescopj.com.br

O1 - Hosts: 184.106.78.246 www.bradescopessoajuridica.com.br

O1 - Hosts: 184.106.78.246 bradescopessoajuridica.com.br

O1 - Hosts: 184.106.78.246 www4.santander.com.br

O1 - Hosts: 184.106.78.246 www.santandernet.com.br

O1 - Hosts: 184.106.78.246 santandernet.com.br

O1 - Hosts: 184.106.78.246 www4.banrisul.com.br

O1 - Hosts: 184.106.78.246 www2.americanexpress.com.br

O1 - Hosts: 184.106.78.246 www.caixaeconomica.com.br

O1 - Hosts: 184.106.78.246 caixaeconomica.com.br

O1 - Hosts: 184.106.78.246 www.caixaeconomica.gov.br

O1 - Hosts: 184.106.78.246 caixaeconomica.gov.br

O1 - Hosts: 184.106.78.246 www.caixaeconomicafederal.com.br

O1 - Hosts: 184.106.78.246 caixaeconomicafederal.com.br

O1 - Hosts: 184.106.78.246 www.caixaeconomicafederal.gov.br

O1 - Hosts: 184.106.78.246 caixaeconomicafederal.gov.br

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Serviço de Compartilhamento de Rede do Windows Media Player - {86D10093-B5BC-4F9F-AC85-0EE1948A1F85} - C:\WINDOWS\system32\wmpnetwkv9r1.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Arquivos de programas\styler\TB\StylerTB.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [Nero Check] C:\Arquivos de programas\arquivos comuns\nero check\nerochek.exe

O4 - HKLM\..\Run: [MSC] "c:\Arquivos de programas\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

O4 - HKLM\..\Run: [nwiz] C:\Arquivos de programas\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [GwDAKVOVed.exe] C:\Documents and Settings\All Users\Dados de aplicativos\GwDAKVOVed.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ATnotes.exe] C:\Arquivos de programas\ATnotes\ATnotes.exe

O4 - HKCU\..\Run: [Pando Media Booster] C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Network] rundll32.exe "C:\Documents and Settings\Administrador\sys32config.dll",network

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [{67DE634D-7AD1-1F39-B59B-25CBD1313CEA}] "C:\Documents and Settings\Administrador\Dados de aplicativos\Rili\olodirv.exe"

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'UpdatusUser')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\RunOnce: [NeroHomeFirstStart] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMFirstStart.exe (User 'UpdatusUser')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?4072c717e10e44b48d03be992d4ab2b5

O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?4072c717e10e44b48d03be992d4ab2b5

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O17 - HKLM\System\CS1\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O17 - HKLM\System\CS2\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe

O23 - Service: Voice Tuner (voicetuner) - RapidSolution - C:\Arquivos de programas\Scramby\voicetunerserver.exe

 

--

End of file - 12482 bytes
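As an added example (not code from the thread, from HijackThis or from Linha Defensiva), here is a small Python triage script for the three patterns in the log above: the hosts-file entries pointing bank and webmail domains at one external IP, the injected AutoConfigURL proxy script, and autorun entries launched from a user profile. The sample lines are copied from the log plus one constructed loopback line; the user-profile path heuristic is an assumption of this example, not a HijackThis rule.

```python
"""Triage a HijackThis log for the three hijack patterns seen in this thread:
hosts-file redirection of bank/webmail domains, an injected IE proxy
auto-config (PAC) URL, and autorun entries launched from user-profile paths.
Added example, not part of the thread or of HijackThis/BankerFix."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: a few lines copied from the thread's first log, plus one
# loopback hosts line (not in the log) to exercise the loopback filter.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sw.viewsing.com:8083/connect.dat
O1 - Hosts: 184.106.78.246 www.hotmail.com
O1 - Hosts: 184.106.78.246 www4.bradesco.com.br
O1 - Hosts: 184.106.78.246 www4.santander.com.br
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GwDAKVOVed.exe] C:\Documents and Settings\All Users\Dados de aplicativos\GwDAKVOVed.exe
O4 - HKCU\..\Run: [Network] rundll32.exe "C:\Documents and Settings\Administrador\sys32config.dll",network
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PAC_RE = re.compile(r"^R1 - .*AutoConfigURL\s*=\s*(\S+)", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (HK\S*?)\\\.\.\\(Run(?:Once)?): \[([^\]]*)\]\s*(.*?)\s*$")

# Heuristic (assumption, not a HijackThis rule): on this XP system everything
# legitimate in the log starts from C:\WINDOWS or C:\Arquivos de programas, so
# an autorun whose command lives under a user profile deserves a second look.
USER_PROFILE_MARKERS = ("\\documents and settings\\",)


def triage(log_text):
    """Return a list of (kind, subject, detail) findings for one log."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                addr = ip_address(ip)
            except ValueError:
                continue  # malformed hosts entry; HijackThis shows it verbatim
            if not addr.is_loopback:
                hosts_by_ip[ip].append(host)
            continue
        m = PAC_RE.match(line)
        if m:
            findings.append(("proxy-autoconfig", m.group(1),
                             "IE proxy auto-config script is set; a PAC lets "
                             "its author route chosen hosts through a proxy"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            if any(mark in cmd.lower() for mark in USER_PROFILE_MARKERS):
                findings.append(("autorun-from-profile",
                                 f"{hive}\\{key} [{name}]", cmd))
    # Many unrelated domains mapped to one non-loopback IP is the hosts-file
    # signature of a banker: logins to those sites never reach the real server.
    for ip, hosts in hosts_by_ip.items():
        findings.append(("hosts-redirect", ip,
                         f"{len(hosts)} host(s) redirected: " + ", ".join(hosts)))
    return findings


def format_report(findings):
    """Render findings as plain text, one finding per line."""
    if not findings:
        return "no hijack indicators found"
    return "\n".join(f"[{kind}] {subject}: {detail}"
                     for kind, subject, detail in findings)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

The same script can be pointed at the later logs in this thread to confirm that the hosts entries and the AutoConfigURL line are gone after the cleanup steps.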


Hello rehcarlos

1.

*Download HostsXpert

*Run it and click [Restore Microsoft's Hosts File]

2.

*Download Bankerfix

*Run it, click [OK] > [YES] (if it asks for an update) > [OK] > [ENTER]

*When it finishes, press [ENTER]

*Paste the report C:\LinhaDefensiva\relatorio.txt

3.

*Install MalwareBytes

*Wait for the update; the program will open automatically

*On the [Scan] tab, select [Full scan]

*Click [Scan] and select the partition where Windows is installed

*When the scan finishes, click [YES] > [OK] > [Show results] > [Remove selected]

*Paste the report that is shown


BankerFix report:

 

BankerFix 3.1 VALKYRIE - Removedor de Bankers

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Data: 2011-11-23 - 21:17

-------------------------------------------------------

Lista de Definição: 2011-08-28-1 | CORE: 2010-12-28-6

=======================================================

 

Arquivo infectado detectado: C:\Install.exe

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\Media\logo.dll

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\Media\mp3configuration.ini

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\Media\NewIcon.ico

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\firefox.exe

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\whv2.exe

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\winbkl_8004.gif

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\wingfr_4411.gif

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\wingfr_580A.gif

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\wingfr_7001.gif

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\winloc_0003.gif

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\winstl_3125.gif

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\wmpnetwkv9r1.dll

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\Documents and Settings\Administrador\c.ini

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\Documents and Settings\Administrador\system.exe

Arquivo infectado removido com sucesso!

 

Proxy/Internet Explorer (HKCU): sw.viewsing.com

 

Proxy/Internet Explorer (HKCU): sw.viewsing.com:8083

 

Proxy/Internet Explorer (HKCU): sw.viewsing.com:8083/connect.dat

 

Proxy/Firefox: sw.viewsing.com

 

 

 

----- Fim -------------------------

 

 

Malwarebytes report:

 

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

 

Versão da Base de Dados: 8227

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

 

24/11/2011 05:52:19

mbam-log-2011-11-24 (05-52-19).txt

 

Tipo de Verificação: Verificação Completa (C:\|)

Objetos escaneados: 341945

Tempo decorrido: 1 hora(s), 8 minuto(s), 50 segundo(s)

 

Processos de Memória Infectados: 2

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 0

Valores de Registro Infectados: 3

Itens de Dados no Registro Infectados: 8

Pastas Infectadas: 0

Arquivos Infectados: 17

 

Processos de Memória Infectados:

c:\documents and settings\all users\dados de aplicativos\gwdakvoved.exe (Rogue.FakeHDD) -> 2296 -> Unloaded process successfully.

c:\documents and settings\all users\dados de aplicativos\vzd90hcstotaqc.exe (Rogue.FakeHDD) -> 3476 -> Unloaded process successfully.

 

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Infectadas:

(Não foram detectados ítens maliciosos)

 

Valores de Registro Infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GwDAKVOVed.exe (Rogue.FakeHDD) -> Value: GwDAKVOVed.exe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network (Trojan.Agent) -> Value: Network -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nero Check (Trojan.Banker) -> Value: Nero Check -> Quarantined and deleted successfully.

 

Itens de Dados no Registro Infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Pastas Infectadas:

(Não foram detectados ítens maliciosos)

 

Arquivos Infectados:

c:\documents and settings\all users\dados de aplicativos\gwdakvoved.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

c:\documents and settings\all users\dados de aplicativos\vzd90hcstotaqc.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

c:\linhadefensiva\QUA\Arquivos\administrador\system.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP472\A0176631.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP472\A0176632.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP472\A0176633.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP472\A0176634.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP472\A0176636.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP472\A0176637.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP472\A0176638.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP472\A0176639.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP480\A0177889.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d23a61e8-ea72-47f4-8db7-770bf6902cda}\RP488\A0190468.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\faun\flvplayersetup.exe (Adware.Agent) -> Quarantined and deleted successfully.

c:\tempi\msnmsgr.exe (Trojan.Banker) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\nero check\logaa.dll (Trojan.Banker) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\nero check\loga.dll (Trojan.Banker) -> Quarantined and deleted successfully.


1.

*Delete Bankerfix and the C:\LinhaDefensiva folder

2.

*Run Malwarebytes, click the [Quarantine] tab, select all the results and click [Delete all]

*Click the [Logs] tab, select the report and click [Delete]

*Close Malwarebytes

3.

*Download ERUNT

*Create a folder in C:\ named ERUNT and extract it there

*Run the file C:\ERUNT\ERUNT.exe

*Click [OK] > [OK] > [Yes] > [OK]

4.

*Temporarily disable your antivirus

*Download ComboFix and save it to the desktop

*Run it and accept the agreement

*If the Microsoft Windows Recovery Console is not installed, accept its installation

*After the Console is installed, click [Yes] and wait for the steps to complete

A few notes:

1) Do not use the mouse or the keyboard during the steps!!

2) To stop the scan, press N

*Paste the report that is shown and a new HijackThis log


Hey wings, how's it going?

I followed the steps, except the one about deleting BankerFix, since I couldn't find it, and I can't run ComboFix: it loads the little progress bar, disappears and that's it, no console comes up. (Note: I've already disabled the antivirus -> Microsoft Security Essentials)

Here is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 13:54:16, on 24/11/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Arquivos de programas\Scramby\voicetunerserver.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe

C:\Arquivos de programas\ATnotes\ATnotes.exe

C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Arquivos de programas\Arquivos comuns\InstallShield\Nero\nerocheck.exe,

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Serviço de Compartilhamento de Rede do Windows Media Player - {86D10093-B5BC-4F9F-AC85-0EE1948A1F85} - C:\WINDOWS\system32\wmpnetwkv9r1.dll (file missing)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Arquivos de programas\styler\TB\StylerTB.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [MSC] "c:\Arquivos de programas\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

O4 - HKLM\..\Run: [nwiz] C:\Arquivos de programas\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ATnotes.exe] C:\Arquivos de programas\ATnotes\ATnotes.exe

O4 - HKCU\..\Run: [Pando Media Booster] C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [{67DE634D-7AD1-1F39-B59B-25CBD1313CEA}] "C:\Documents and Settings\Administrador\Dados de aplicativos\Rili\olodirv.exe"

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'UpdatusUser')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\RunOnce: [NeroHomeFirstStart] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMFirstStart.exe (User 'UpdatusUser')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?4072c717e10e44b48d03be992d4ab2b5

O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?4072c717e10e44b48d03be992d4ab2b5

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O17 - HKLM\System\CS1\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O17 - HKLM\System\CS2\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe

O23 - Service: Voice Tuner (voicetuner) - RapidSolution - C:\Arquivos de programas\Scramby\voicetunerserver.exe

 

--

End of file - 10332 bytes


1.

*Rename ComboFix to Uninstall

*Run it and wait for the message "ComboFix está desinstalado"

 

2.

*Download ComboFix again and save it to the desktop

 

3.

Click [Start] > [Run] > copy and paste:

"%userprofile%\desktop\combofix.exe" /killall

 


 

Click [OK] > [Run]... wait for the program to finish running

 

If it still does not work, uninstall ComboFix as I described in step 1, download it again, rename it to Kombo and run it.


Done, I used ComboFix!

 

Here is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 16:17:22, on 24/11/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Arquivos de programas\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Scramby\voicetunerserver.exe

C:\Arquivos de programas\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe

C:\Arquivos de programas\ATnotes\ATnotes.exe

C:\Arquivos de programas\VisualTaskTips\VisualTaskTips.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Serviço de Compartilhamento de Rede do Windows Media Player - {86D10093-B5BC-4F9F-AC85-0EE1948A1F85} - C:\WINDOWS\system32\wmpnetwkv9r1.dll (file missing)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Arquivos de programas\styler\TB\StylerTB.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MSC] "c:\Arquivos de programas\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

O4 - HKLM\..\Run: [nwiz] C:\Arquivos de programas\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ATnotes.exe] C:\Arquivos de programas\ATnotes\ATnotes.exe

O4 - HKCU\..\Run: [Pando Media Booster] C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe

O4 - HKCU\..\Run: [{67DE634D-7AD1-1F39-B59B-25CBD1313CEA}] "C:\Documents and Settings\Administrador\Dados de aplicativos\Rili\olodirv.exe"

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1004\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'postgres')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1004\..\RunOnce: [NeroHomeFirstStart] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMFirstStart.exe (User 'postgres')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'UpdatusUser')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: VisualTaskTips.lnk = C:\Arquivos de programas\VisualTaskTips\VisualTaskTips.exe

O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?4072c717e10e44b48d03be992d4ab2b5

O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?4072c717e10e44b48d03be992d4ab2b5

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O17 - HKLM\System\CS1\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O17 - HKLM\System\CS2\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe

O23 - Service: Voice Tuner (voicetuner) - RapidSolution - C:\Arquivos de programas\Scramby\voicetunerserver.exe

 

--

End of file - 10207 bytes

 

Thanks a lot for the help, wings!!!


ComboFix 10-06-03.01 - Administrador 04/06/2010 23:43:04.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2047.1571 [GMT -3:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Autorun.inf

C:\Thumbs.db

C:\USER-3820A0E53B.txt

C:\winxsystem.log

 

A cópia de c:\windows\system32\midimap.dll foi encontrada e desinfectada

Cópia restaurada de - c:\windows\VistaMizer\old\midimap.dll

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-05-05 to 2010-06-05 ))))))))))))))))))))))))))))

.

 

2010-06-04 18:03 . 2010-06-04 18:03 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes

2010-06-04 18:03 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-04 18:03 . 2010-06-04 18:03 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-06-04 18:03 . 2010-06-04 18:03 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-06-04 18:03 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-04 15:37 . 2010-06-04 15:37 -------- d-----w- C:\Hijack

2010-06-04 13:47 . 2010-06-04 13:47 503808 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cf425b0-n\msvcp71.dll

2010-06-04 13:47 . 2010-06-04 13:47 499712 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cf425b0-n\jmc.dll

2010-06-04 13:47 . 2010-06-04 13:47 348160 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cf425b0-n\msvcr71.dll

2010-06-04 13:39 . 2010-06-04 13:39 61440 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-15a159bb-n\decora-sse.dll

2010-06-04 13:39 . 2010-06-04 13:39 12800 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-15a159bb-n\decora-d3d.dll

2010-05-10 00:08 . 2005-01-03 15:43 4682 ----a-w- c:\windows\system32\npptNT2.sys

2010-05-09 23:56 . 2010-05-09 23:56 -------- d-----w- c:\arquivos de programas\Gpotato

2010-05-09 23:03 . 2010-05-09 23:53 -------- d-----w- c:\arquivos de programas\FlyFF

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-04 12:02 . 2009-09-09 20:06 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2010-05-15 12:44 . 2009-09-08 22:49 -------- d-----w- c:\arquivos de programas\Google

2010-05-09 23:04 . 2010-01-11 11:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\PMB Files

2010-04-27 18:50 . 2010-04-27 18:50 503808 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651611bf-n\msvcp71.dll

2010-04-27 18:50 . 2010-04-27 18:50 499712 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651611bf-n\jmc.dll

2010-04-27 18:50 . 2010-04-27 18:50 348160 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-651611bf-n\msvcr71.dll

2010-04-27 18:34 . 2010-04-27 18:34 61440 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4bfd33f8-n\decora-sse.dll

2010-04-27 18:34 . 2010-04-27 18:34 12800 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4bfd33f8-n\decora-d3d.dll

2010-04-27 18:33 . 2010-04-27 18:33 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2010-04-27 18:33 . 2009-09-09 09:24 -------- d-----w- c:\arquivos de programas\Java

2010-04-24 12:45 . 2009-09-11 23:19 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\U3

2010-04-12 20:29 . 2010-04-27 18:33 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-03-30 01:40 . 2010-03-30 01:40 665456 ----a-w- C:\incredimail_install.exe

2010-03-28 03:24 . 2010-03-28 03:24 165107 ----a-w- C:\gilsonResolve2960.zip

2010-03-18 23:48 . 2010-03-18 23:48 269629 ----a-w- C:\redes_comunicacao01.zip

2010-03-18 23:47 . 2010-03-18 23:47 263818 ----a-w- C:\projeto_basico_rede_local.zip

2010-03-15 17:19 . 2010-03-15 17:19 238996 ----a-w- C:\roteadores.zip

2010-03-15 01:12 . 2010-03-15 01:12 574766 ----a-w- C:\Redes_Basic.zip

2010-03-14 23:21 . 2010-03-14 23:21 250871 ----a-w- C:\aula01_infra-estrutura.zip

2010-03-14 23:17 . 2010-03-14 23:17 293371 ----a-w- C:\construcao08_projeto_da_rede_logica_topologia_01_2006.zip

2010-03-14 23:04 . 2001-10-28 12:07 80198 ----a-w- c:\windows\system32\perfc016.dat

2010-03-14 23:04 . 2001-10-28 12:07 471376 ----a-w- c:\windows\system32\perfh016.dat

.

 

------- Sigcheck -------

 

[-] 2008-04-13 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-13 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe

[7] 2008-04-13 . 71D440F79B711627B12B567FB2EADB42 . 509952 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\winlogon.exe

 

[-] 2008-04-13 . 239EA1E791EA7A75E07BD9F144DF4406 . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2008-04-13 . 239EA1E791EA7A75E07BD9F144DF4406 . 724992 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll

[7] 2008-04-13 . 085C5892D9C1E19B3CEFD1B79F5BBF13 . 617472 . . [5.82] . . c:\windows\VistaMizer\old\comctl32.dll

 

[-] 2008-04-13 . C7052E176D939D1C6D6585F62C02A8A2 . 1554432 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-04-13 . C7052E176D939D1C6D6585F62C02A8A2 . 1554432 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe

[7] 2008-04-13 . 064EC7FF5F58B928C3E119402977FA6D . 1035776 . . [6.00.2900.5512] . . c:\windows\VistaMizer\old\explorer.exe

 

[-] 2008-10-31 . 1D01C384F3BA123EB6F09769DEA005AC . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

 

[-] 2008-04-13 . D67945A2290E98BB54D7792F09E7504E . 25088 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[-] 2008-04-13 . D67945A2290E98BB54D7792F09E7504E . 25088 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe

[7] 2008-04-13 . 4E486ADFE3A0B9ED0EB0639902E9F64F . 15360 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\ctfmon.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

"ATnotes.exe"="c:\arquivos de programas\ATnotes\ATnotes.exe" [2005-01-05 1015808]

"Pando Media Booster"="c:\arquivos de programas\Pando Networks\Media Booster\PMB.exe" [2010-05-09 2938552]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"nwiz"="nwiz.exe" [2008-09-17 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AVG8_TRAY"="c:\arquiv~1\AVG\AVG8\avgtray.exe" [2010-03-17 2046816]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\arquivos de programas\iTunes\iTunesHelper.exe" [2009-11-12 141600]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 25088]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-04-13 101376]

"_nltide_3"="advpack.dll" [2008-04-13 101376]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

VisualTaskTips.lnk - c:\arquivos de programas\VisualTaskTips\VisualTaskTips.exe [2006-7-31 36864]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-09 17:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\AVG\\AVG8\\avgam.exe"=

"c:\\Arquivos de programas\\AVG\\AVG8\\avgdiag.exe"=

"c:\\Arquivos de programas\\AVG\\AVG8\\avgdiagex.exe"=

"c:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"=

"c:\\Arquivos de programas\\AVG\\AVG8\\avgnsx.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=

"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Arquivos de programas\\Activision\\Modern Warfare 2\\iw4mp.exe"=

"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\JDownloader\\downloads\\Quake3Arena\\Quake3Arena\\Quake III Arena\\quake3.exe"=

"c:\\Arquivos de programas\\Activision\\Prototype\\prototypef.exe"=

"c:\\Arquivos de programas\\Real Alternative\\Media Player Classic\\mplayerc.exe"=

"c:\\Arquivos de programas\\Pando Networks\\Media Booster\\PMB.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58609:TCP"= 58609:TCP:Pando Media Booster

"58609:UDP"= 58609:UDP:Pando Media Booster

"58940:TCP"= 58940:TCP:Pando Media Booster

"58940:UDP"= 58940:UDP:Pando Media Booster

 

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [9/9/2009 06:31 12552]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/12/2009 14:36 691696]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/9/2009 06:31 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/9/2009 06:31 108552]

R2 avg8wd;AVG8 WatchDog;c:\arquiv~1\AVG\AVG8\avgwdsvc.exe [9/9/2009 14:16 297752]

R2 voicetuner;Voice Tuner;c:\arquivos de programas\Scramby\VoicetunerServer.exe [8/11/2009 14:31 391168]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [6/4/2009 12:19 23064]

R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [8/11/2009 15:32 17792]

S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [9/12/2008 20:10 24636]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [5/11/2009 20:01 23288]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 14:34]

 

2010-06-05 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 18:07]

 

2010-06-05 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-09-11 01:18]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchURL,(Default) = hxxp://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

IE: Abrir em uma nova guia do plano de fundo - c:\arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?4072c717e10e44b48d03be992d4ab2b5

IE: Abrir em uma nova guia do primeiro plano - c:\arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?4072c717e10e44b48d03be992d4ab2b5

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\ahfb6ogq.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://g1.globo.com/

FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_im2_test_v2&search=

FF - prefs.js: network.proxy.type - 2

FF - plugin: c:\arquivos de programas\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npwachk.dll

FF - plugin: c:\arquivos de programas\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\id Software\QuakeLive\npquakezero.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKCU-Run-PlayNC Launcher - (no file)

HKLM-Run-Tecnobyte Agenda - c:\tecnobyte\agenda\agenda.exe

AddRemove-Tecnobyte Agenda_is1 - c:\tecnobyte\agenda\unins000.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-04 23:46

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spay.sys >>UNKNOWN [0x89E04938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28

\Driver\ACPI -> ACPI.sys @ 0xba674cb8

\Driver\atapi -> atapi.sys @ 0xba609b40

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba512bb0

PacketIndicateHandler -> NDIS.sys @ 0xba51fa21

SendHandler -> NDIS.sys @ 0xba4fd87b

user & kernel MBR OK

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(708)

c:\windows\system32\sfc_os.dll

c:\windows\system32\cscui.dll

c:\windows\system32\COMRes.dll

 

- - - - - - - > 'explorer.exe'(3852)

c:\arquivos de programas\VisualTaskTips\VttHooks.dll

c:\windows\system32\COMRes.dll

c:\windows\System32\cscui.dll

c:\windows\system32\LINKINFO.dll

c:\windows\system32\ntshrui.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\NETSHELL.dll

c:\windows\system32\credui.dll

c:\windows\system32\MSVCP60.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\arquivos de programas\Bonjour\mDNSResponder.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\arquiv~1\AVG\AVG8\avgam.exe

c:\arquiv~1\AVG\AVG8\avgrsx.exe

c:\arquiv~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\RTHDCPL.EXE

c:\arquivos de programas\iPod\bin\iPodService.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-06-04 23:50:25 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-06-05 02:50

 

Pré-execução: 45 pasta(s) 121.111.580.672 bytes disponíveis

Pós execução: 48 pasta(s) 121.104.224.256 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

- - End Of File - - A9FC551D9C4219949B8086FA7D9B15B9


1.

*Rename ComboFix to Uninstall

*Run it and wait for the message "ComboFix está desinstalado"

 

2.

*In Firefox, click [Tools] > [Options]

*On the "Advanced" tab, click [Network] > [Connection Settings]

*Select "No proxy" and click [OK]

 

Let me know how the PC is doing and post a new HijackThis log.


Hello wings, once again: thank you! The PC is running very well :)

 

Here is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 21:27:01, on 24/11/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Arquivos de programas\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Scramby\voicetunerserver.exe

C:\Arquivos de programas\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe

C:\Arquivos de programas\ATnotes\ATnotes.exe

C:\Arquivos de programas\VisualTaskTips\VisualTaskTips.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Serviço de Compartilhamento de Rede do Windows Media Player - {86D10093-B5BC-4F9F-AC85-0EE1948A1F85} - C:\WINDOWS\system32\wmpnetwkv9r1.dll (file missing)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Arquivos de programas\styler\TB\StylerTB.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MSC] "c:\Arquivos de programas\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

O4 - HKLM\..\Run: [nwiz] C:\Arquivos de programas\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ATnotes.exe] C:\Arquivos de programas\ATnotes\ATnotes.exe

O4 - HKCU\..\Run: [Pando Media Booster] C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe

O4 - HKCU\..\Run: [{67DE634D-7AD1-1F39-B59B-25CBD1313CEA}] "C:\Documents and Settings\Administrador\Dados de aplicativos\Rili\olodirv.exe"

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1004\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'postgres')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1004\..\RunOnce: [NeroHomeFirstStart] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMFirstStart.exe (User 'postgres')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')

O4 - HKUS\S-1-5-21-448539723-1757981266-1801674531-1005\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'UpdatusUser')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: VisualTaskTips.lnk = C:\Arquivos de programas\VisualTaskTips\VisualTaskTips.exe

O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?4072c717e10e44b48d03be992d4ab2b5

O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?4072c717e10e44b48d03be992d4ab2b5

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O17 - HKLM\System\CS1\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O17 - HKLM\System\CS2\Services\Tcpip\..\{406B8789-CA90-4EAF-BEE9-1294A2DA258D}: NameServer = 200.175.5.139,200.175.189.139

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe

O23 - Service: Voice Tuner (voicetuner) - RapidSolution - C:\Arquivos de programas\Scramby\voicetunerserver.exe

 

--

End of file - 10357 bytes


1.

Do you know what is in this folder?

C:\Documents and Settings\Administrador\Dados de aplicativos\Rili


OK...

 

1.

*Delete the folder C:\Documents and Settings\Administrador\Dados de aplicativos\Rili

 

2.

*Run HijackThis, click [Do a system scan only], select the entry below and click [Fix checked]

O4 - HKCU\..\Run: [{67DE634D-7AD1-1F39-B59B-25CBD1313CEA}] "C:\Documents and Settings\Administrador\Dados de aplicativos\Rili\olodirv.exe"

*Close HijackThis

 

3.

*Download Kaspersky Virus Removal Tool version 11 and save it to the desktop

 

*Run it, wait for the installation, select I accept the license agreement and click [start]

 

*Click the button shown in kvrt111.png

 

*Select: My Computer

 

*Click the button shown in kvrt112.png

 

*Click [start scanning]

 

*During the scan, windows will pop up. In windows like the one below, do nothing.

 

[screenshot: kvrt3.png]

 

*If it finds something, select Apply to all objects and click [skip]

 

 

[screenshots: kvrt1.png, kvrt2.png]

 

 

*When it finishes, click the button shown in kvrt113.png

 

 

*Click Detected threats > [save] and save it to the desktop as log.txt

 

*Paste the log.txt report saved on the desktop

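As an added example (not code from the thread, from HijackThis or from Kaspersky), a small Python parser for the O4 lines of a HijackThis log that flags the kind of entry wings spotted above: a Run value named like a bare GUID that launches something from the user's Application Data folder (Portuguese XP: "Dados de aplicativos"). The sample lines are constructed from the shape of the log above, and both heuristics are assumptions for illustration, not HijackThis rules.

```python
# Flag suspicious autostart (O4) entries in a HijackThis log (added example).
import re

# Constructed sample lines modelled on the log above (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSC] "c:\Arquivos de programas\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [{67DE634D-7AD1-1F39-B59B-25CBD1313CEA}] "C:\Documents and Settings\Administrador\Dados de aplicativos\Rili\olodirv.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: VisualTaskTips.lnk = C:\Arquivos de programas\VisualTaskTips\VisualTaskTips.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# Per-user data folders on English and Portuguese XP installs (assumed heuristic).
PROFILE_DIRS = ('\\application data\\', '\\dados de aplicativos\\', '\\local settings\\')

def parse_o4(line):
    """Return hive, value name and executable path for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # "Global Startup" and non-O4 lines use a different layout
    cmd = m.group('cmd').strip()
    # A quoted command ends at the closing quote; otherwise take the first token.
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(' ')[0]
    return {'hive': m.group('hive'), 'name': m.group('name'), 'path': path}

def reasons(entry):
    """List why an entry deserves a second look; an empty list means nothing odd."""
    why = []
    if GUID_RE.match(entry['name']):
        why.append('value name is a bare GUID')
    if any(d in entry['path'].lower() for d in PROFILE_DIRS):
        why.append('runs from a user profile data folder')
    return why

def suspicious_o4(log_text):
    """Return (name, path, reasons) for every flagged O4 entry in a log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        why = reasons(entry) if entry else []
        if why:
            hits.append((entry['name'], entry['path'], why))
    return hits

if __name__ == '__main__':
    for name, path, why in suspicious_o4(SAMPLE_LOG):
        print(f'{name} -> {path}: {", ".join(why)}')
```

Only the Rili entry is reported; the Nero value that merely contains a GUID in its name and the per-user CTFMON entries under system32 pass both checks.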

Here is the report:

 

Status: Detected (events: 2)

25/11/2011 00:00:38 Detected Trojan program Trojan.Win32.StartPage.uq C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Microsoft Antimalware\LocalCopy\{0D55349D-C542-4608-98DB-87E3980E37BF}-setup.exe High

 

25/11/2011 00:22:37 Detected Trojan program Trojan-Spy.Win32.Zbot.cpvm C:\RECYCLER\S-1-5-21-448539723-1757981266-1801674531-500\Dc359\olodirv.exe High


*Run Kaspersky again

 

*Click the button shown in kvrt117.png

 

*Click Script execution

 

*Paste the code, in red, into the box below Insert text script in following box:

begin

DeleteFile('C:\RECYCLER\S-1-5-21-448539723-1757981266-1801674531-500\Dc359\olodirv.exe');

end.

*Click [Run script]

 

*Click [Manual Disinfection] and then the button shown in kvrt113.png

 

*Click [Manual Disinfection report] > [save]

 

*Save it to the desktop as log2.txt

 

*Paste the log2.txt report saved on the desktop


Manual Disinfection: completed <1 minute ago (events: 4, time: 00:00:00)

25/11/2011 21:48:41 Task completed Manual Disinfection

25/11/2011 21:48:41 Script executed without errors

25/11/2011 21:48:41 Delete file: C:\RECYCLER\S-1-5-21-448539723-1757981266-1801674531-500\Dc359\olodirv.exe

25/11/2011 21:48:41 Task started Manual Disinfection


We are almost done... :)

 

1.

*Delete the Kaspersky setup file and its reports.

 

2.

*Download MBR and save it to the desktop

*Run it and paste the report it shows


I clicked it and it only generated this:

 

General

Complete name : C:\Documents and Settings\Administrador\Desktop\mbr.log

File size : 304 Bytes

 

 

 

 

 

 

Is that right?
