Archived

This topic has been archived and is closed to new replies.

Magro Costa

[Solved] Computer with a virus

Good afternoon,

I'm new here and, on my friend's recommendation, I've come to ask for some help.

My computer won't let me download .exe files, and I can't get the antivirus to run a scan.

I'd appreciate any help you can give.

Here is the HijackThis log.

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 13:29:52, on 13/6/2012

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe

C:\Arquivos de programas\SweetIM\Messenger\SweetIM.exe

C:\Arquivos de programas\SweetIM\Communicator\SweetPacksUpdateManager.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Documents and Settings\User\Dados de aplicativos\Dropbox\bin\Dropbox.exe

C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe

C:\DOCUME~1\User\CONFIG~1\Temp\winwfkbu.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\mshta.exe

C:\Arquivos de programas\TeamViewer\Version7\TeamViewer.exe

C:\Arquivos de programas\TeamViewer\Version7\tv_w32.exe

c:\arquivos de programas\teamviewer\version7\TeamViewer_Desktop.exe

F:\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?AF=101416&tt=290312_bexdll&babsrc=HP_ss&mntrId=704218fa0000000000000019d12ca2b1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://br.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgHelper.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SuggestMeYesBHO - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Arquivos de programas\AutocompletePro\AutocompletePro.dll

O2 - BHO: PriceGong - {1631550F-191D-4826-B069-D9439253D926} - C:\Arquivos de programas\PriceGong\2.6.4\PriceGongIE.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Arquivos de programas\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: DealPly - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Arquivos de programas\DealPly\DealPlyIE.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

O4 - HKLM\..\Run: [avast5] "C:\Arquivos de programas\Alwil Software\Avast5\avastUI.exe" /nogui

O4 - HKLM\..\Run: [facemoods] "C:\Arquivos de programas\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I

O4 - HKLM\..\Run: [sweetIM] C:\Arquivos de programas\SweetIM\Messenger\SweetIM.exe

O4 - HKLM\..\Run: [sweetpacks Communicator] C:\Arquivos de programas\SweetIM\Communicator\SweetPacksUpdateManager.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Network Host] C:\Documents and Settings\User\Dados de aplicativos\Microsoft\Windows\System\wchks.exe -m

O4 - HKCU\..\Run: [Aboioi] C:\Documents and Settings\User\Dados de aplicativos\Aboioi.exe

O4 - HKCU\..\Run: [Eboiom] C:\Documents and Settings\User\Dados de aplicativos\Eboiom.exe

O4 - HKCU\..\Run: [Microsoft DLL Registration] C:\Documents and Settings\User\Dados de aplicativos\regsrv64.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p

O4 - HKLM\..\Policies\Explorer\Run: [sterupService] C:\Documents and Settings\User\Dados de aplicativos\C.exe

O4 - HKCU\..\Policies\Explorer\Run: [sterupService] C:\Documents and Settings\User\Dados de aplicativos\C.exe

O4 - Startup: Dropbox.lnk = C:\Documents and Settings\User\Dados de aplicativos\Dropbox\bin\Dropbox.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\User\Dados de aplicativos\DVDVideoSoftIEHelpers\youtubedownload.htm

O8 - Extra context menu item: Search the Web - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\resources\menuext.html

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://www.bancobrasil.com.br

O15 - Trusted Zone: http://www.bb.com.br

O15 - Trusted Zone: www.bancobrasil.com.br

O15 - Trusted Zone: www.bb.com.br

O15 - Trusted Zone: www14.bancobrasil.com.br

O15 - Trusted Zone: www2.bancobrasil.com.br

O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://voice.ksaxcol.net:1001/talk.cab

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Arquivos de programas\Aluria Security Center\ascserv.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe

 

--

End of file - 11082 bytes
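The O4 block in the log above lists the autostart entries that the helper later targets. As an added example, not part of the thread and not a HijackThis feature, the Python script below triages such O4 lines with a few defensive heuristics of my own: an executable that runs from a user-writable profile directory, one sitting directly in the Application Data root with no vendor folder, a value registered under the unusual Policies\Explorer\Run key, and a Microsoft-sounding display name for a file outside the system directories. The sample input is the O4 block copied from the log above; the scoring thresholds (two indicators = suspicious, one = review) are my assumption, not any tool's rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# O4 (autostart) lines copied from the HijackThis log posted in the thread.
SAMPLE_O4 = r'''
O4 - HKLM\..\Run: [avast5] "C:\Arquivos de programas\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [facemoods] "C:\Arquivos de programas\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
O4 - HKLM\..\Run: [sweetIM] C:\Arquivos de programas\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [sweetpacks Communicator] C:\Arquivos de programas\SweetIM\Communicator\SweetPacksUpdateManager.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Network Host] C:\Documents and Settings\User\Dados de aplicativos\Microsoft\Windows\System\wchks.exe -m
O4 - HKCU\..\Run: [Aboioi] C:\Documents and Settings\User\Dados de aplicativos\Aboioi.exe
O4 - HKCU\..\Run: [Eboiom] C:\Documents and Settings\User\Dados de aplicativos\Eboiom.exe
O4 - HKCU\..\Run: [Microsoft DLL Registration] C:\Documents and Settings\User\Dados de aplicativos\regsrv64.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKLM\..\Policies\Explorer\Run: [sterupService] C:\Documents and Settings\User\Dados de aplicativos\C.exe
O4 - HKCU\..\Policies\Explorer\Run: [sterupService] C:\Documents and Settings\User\Dados de aplicativos\C.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\User\Dados de aplicativos\Dropbox\bin\Dropbox.exe
'''

# Registry-backed O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
# First executable path in the command line, quoted or not, arguments stripped.
EXE_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|pif|com|scr|bat|cmd|dll))"?(?=\s|$)',
    re.IGNORECASE,
)
# Localised (pt-BR) and English names of the per-user Application Data folder.
APPDATA_DIRS = {"dados de aplicativos", "application data", "appdata"}


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Assumed thresholds: two independent indicators -> suspicious; one -> manual
        # review, because legitimate updaters (Google, Dropbox) also live under AppData.
        if len(self.reasons) >= 2:
            return "suspicious"
        return "review" if self.reasons else "ok"


def parse_o4(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (hive, key, value name, executable path) or None for lines not handled
    (e.g. 'O4 - Startup:' shortcut entries)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = EXE_RE.match(m["cmd"])
    if not e:
        return None
    return m["hive"], m["key"], m["name"], e["path"]


def assess(hive: str, key: str, name: str, path: str) -> Finding:
    f = Finding(hive, key, name, path)
    low = path.lower()
    parts = low.split("\\")
    in_profile = ("\\documents and settings\\" in low or "\\users\\" in low
                  or "\\temp\\" in low)
    if in_profile:
        f.reasons.append("runs from a user-writable profile directory")
    # The file itself is the direct child of the Application Data folder: no vendor subfolder.
    for i, seg in enumerate(parts):
        if seg in APPDATA_DIRS and i == len(parts) - 2:
            f.reasons.append("sits directly in the Application Data root")
            break
    if "policies\\explorer\\run" in key.lower():
        f.reasons.append("registered under Policies\\Explorer\\Run")
    if in_profile and any(w in name.lower() for w in ("microsoft", "windows")):
        f.reasons.append("Microsoft-sounding name for a file outside the system directories")
    return f


def triage(log_text: str) -> List[Finding]:
    """Parse every registry-backed O4 line in a HijackThis log and score it."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed:
            findings.append(assess(*parsed))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4):
        print(f"{f.verdict:10} {f.hive}\\{f.key:24} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"{'':10}   - {r}")
```

Run against the sample, the five entries the helper later removes (Aboioi, Eboiom, Microsoft DLL Registration and both sterupService values) score as suspicious, Google Update and Network Host land in review, and the Program Files and WINDOWS entries score ok; the review tier is deliberate, since path alone cannot separate a dropper that hides in a Microsoft-named folder from a real updater.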


Hello Magro Costa

The PC is infected with Sality, a file infector.

1.

*Uninstall Spybot

2.

*Download FixPolicies (...by BillCastner) and extract it to the desktop

*Run the file Fix_Policies.cmd

Do not restart the PC!

3.

*Download SalityKiller (...from Kaspersky) and save it to C:\

*Disable System Restore

*Right-click My Computer and select Properties

*Click System Restore

*Select the option Turn off System Restore

*Click [Apply] > [Yes] > [OK]

*This program will run in 2 separate windows at the same time!!

*The first window:

*Click [Start] > [Run] > copy and paste: C:\salitykiller.exe -m

*Click [OK]

*Do not close this window!! Minimize it if you like.

*The second window:

*Click [Start] > [Run] > copy and paste: C:\salitykiller.exe -y -l sality.txt

*Click [OK]

*When it finishes, window 2 will close automatically. Then close window 1.

*Paste the summary found at the end of the file C:\sality.txt, as shown below:

23:57:51:0 Infected files: 8

23:57:51:0 Infected processes: 0

23:57:51:0 Infected threads: 2

23:57:51:0 Cured files: 8

23:57:51:0 Executed registry scripts: 1


Good afternoon, I ran Fix Policies as you wrote.

For Sality I did as you wrote, but it didn't run.

It gave the following error: O Windows não consegue encontrar C:\salitykiller.exe -m.

Thank you...

Awaiting your reply



If you got that response, it means you did not follow the instructions as I described them.

In short:

Did you save salitykiller to C:\ ?

I bet you didn't!

That is why Windows could not find the file.


Good morning

You're right, I didn't do it that way.....

Now I saved it to C: and ran it as you wrote; it went normally, except it didn't open the windows, it just ran....

I'm waiting to see whether there will be a log, and I'll post it right after.

I waited 1 hour and nothing; when I ran it, it opened the window and closed right afterwards, and as you said above:

*Do not close this window!! Minimize it if you like

Here it didn't open the windows....

Thank you


Delete salitykiller

Redo the whole procedure I asked for, using FixPolicies and then salitykiller.

Read the procedure carefully.


Good afternoon,

Now it worked.

Here it is:

 

15:27:51:109 3284 Infected files: 580

15:27:51:218 3284 Infected processes: 0

15:27:51:296 3284 Infected threads: 2

15:27:51:375 3284 Cured files: 579

15:27:51:468 3284 Will be cured on reboot: 1

15:27:51:578 3284 Executed registry scripts: 1

 

What struck me as odd is that when I try to open drive C:, the following message appears: Caption Hello World.

Thank you


1.

*Delete SalityKiller and the report C:\sality.txt

2.

*Download OTL (...by Old_Timer) and save it to the desktop

*Run it. Windows Vista or Windows 7 users should right-click the file and select Run as administrator

*Select the options:

Scan All Users

LOP Check

Purity Check

[Image: OTL configured as described]

*Click [Run Scan] and paste the reports OTL.txt and Extras.txt created on the desktop

*Go to this link

*Click [choose file...]

*Locate the OTL.txt report on the desktop and click [Open]

*Click [upload file]

*Paste the generated link shown next to Download link:

*Repeat the procedure for the Extras.txt report


1.

*Uninstall Spybot

It is an outdated program that will only consume your PC's resources.

2.

*Run FixPolicies.cmd again

3.

*Restart the PC

4.

*Paste a new OTL log


1.

*Download this file and save it to the Desktop

*Right-click it and select Merge

*Restart the PC

2.

*Run OTL

*Paste the lines in blue into the box under Custom Scans/Fixes:

:OTL

SRV - [2004/08/04 00:45:24 | 000,167,324 | RHS- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\psxgmp.dll -- (wzbuzemwv)

DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\bldy2ace-2b11.sys -- (bldy2ace-2b11)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iokmr.sys -- (amsint32)

O4 - HKU\S-1-5-21-1177238915-2139871995-1801674531-1003..\Run: [Eboiom] C:\Documents and Settings\User\Dados de aplicativos\Eboiom.exe ()

O33 - MountPoints2\{00f420c8-d812-11e0-ad73-0019d12ca2b1}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

O33 - MountPoints2\{00f420c8-d812-11e0-ad73-0019d12ca2b1}\Shell\open\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

O33 - MountPoints2\{0e5832a3-0389-11de-a5b5-0019d12ca2b1}\Shell - "" = AutoRun

O33 - MountPoints2\{0e5832a3-0389-11de-a5b5-0019d12ca2b1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

O33 - MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\Shell\AutoPLay\coMmAnd - "" = C:\yrrjd.pif -- [2012/06/14 10:54:15 | 000,033,508 | ---- | M] ()

O33 - MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\Shell\AutoRun\command - "" = C:\yrrjd.pif -- [2012/06/14 10:54:15 | 000,033,508 | ---- | M] ()

O33 - MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\Shell\exPlorE\CommaNd - "" = C:\yrrjd.pif -- [2012/06/14 10:54:15 | 000,033,508 | ---- | M] ()

O33 - MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\Shell\OpeN\commanD - "" = C:\yrrjd.pif -- [2012/06/14 10:54:15 | 000,033,508 | ---- | M] ()

O33 - MountPoints2\{35f9d7df-7a08-11e1-adfe-0019d12ca2b1}\Shell - "" = AutoRun

O33 - MountPoints2\{35f9d7df-7a08-11e1-adfe-0019d12ca2b1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

O33 - MountPoints2\{42c010ea-b8de-11dc-a308-0019d12ca2b1}\Shell\AutoRun\command - "" = D:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

O33 - MountPoints2\{42c010ea-b8de-11dc-a308-0019d12ca2b1}\Shell\open\command - "" = D:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

O33 - MountPoints2\{e951c2ec-d26b-11df-ac31-806d6172696f}\Shell\autOpLay\ComMand - "" = D:\anqw.pif -- [2012/06/14 11:07:42 | 000,033,508 | ---- | M] ()

O33 - MountPoints2\{e951c2ec-d26b-11df-ac31-806d6172696f}\Shell\AutoRun\command - "" = D:\anqw.pif -- [2012/06/14 11:07:42 | 000,033,508 | ---- | M] ()

O33 - MountPoints2\{e951c2ec-d26b-11df-ac31-806d6172696f}\Shell\eXPlORE\CoMMAnD - "" = D:\anqw.pif -- [2012/06/14 11:07:42 | 000,033,508 | ---- | M] ()

O33 - MountPoints2\{e951c2ec-d26b-11df-ac31-806d6172696f}\Shell\OPEN\commaND - "" = D:\anqw.pif -- [2012/06/14 11:07:42 | 000,033,508 | ---- | M] ()

O33 - MountPoints2\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\Shell\AutoRun\command - "" = D:\webdtv.exe

O33 - MountPoints2\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\Shell\explore\Command - "" = D:\webdtv.exe

O33 - MountPoints2\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\Shell\open\Command - "" = D:\webdtv.exe

[2012/06/14 13:52:48 | 000,254,805 | ---- | M] (mohameed r) -- C:\Documents and Settings\User\sawe.exe

[2012/06/14 13:46:23 | 000,254,805 | ---- | M] (mohameed r) -- C:\Documents and Settings\User\isee32.exe

[2012/06/14 13:46:08 | 000,256,153 | ---- | M] (mohameed r) -- C:\Documents and Settings\User\iee32.exe

[2012/06/14 13:23:41 | 000,352,256 | ---- | M] () -- C:\Documents and Settings\User\Dados de aplicativos\Eboiom.exe

[2012/06/14 13:22:19 | 000,389,120 | ---- | M] () -- C:\Documents and Settings\User\Dados de aplicativos\B.exe

[2012/06/14 13:21:59 | 000,147,456 | ---- | M] (sensi be) -- C:\Documents and Settings\User\Dados de aplicativos\115.exe

[2012/06/14 13:21:50 | 000,147,456 | ---- | M] (sensi be) -- C:\Documents and Settings\User\Dados de aplicativos\114.exe

[2012/06/14 10:54:15 | 000,033,508 | ---- | M] () -- C:\yrrjd.pif

[2012/01/21 21:13:27 | 000,017,819 | ---- | C] () -- C:\Documents and Settings\User\Dados de aplicativos\1C.exe

[2012/01/21 19:26:29 | 000,017,819 | ---- | C] () -- C:\Documents and Settings\User\Dados de aplicativos\2D.exe

 

:Files

netsh firewall reset /c

 

:Commands

[EMPTYTEMP]

*Click [Run Fix]

*Click [OK] and the PC will restart

*Paste the report that appears
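The O33 lines in the fix script above are cached autorun.inf handlers (the MountPoints2 key) that point the removable-drive verbs at the infection's droppers. As an added example that is not part of the thread and not an OTL feature, the Python script below parses a subset of those lines, copied from the script above, groups them per drive GUID and flags the traits visible in this log: verbs written in mixed case, targets hidden under a RECYCLER folder, a rundll32/ShellExec_RunDLL launcher chain, PIF files, and executables dropped at a drive root. The indicator names and the hijacked/clean decision are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# O33 lines copied from the OTL fix script posted in the thread (subset).
SAMPLE_O33 = r'''
O33 - MountPoints2\{00f420c8-d812-11e0-ad73-0019d12ca2b1}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{00f420c8-d812-11e0-ad73-0019d12ca2b1}\Shell\open\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{0e5832a3-0389-11de-a5b5-0019d12ca2b1}\Shell - "" = AutoRun
O33 - MountPoints2\{0e5832a3-0389-11de-a5b5-0019d12ca2b1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\Shell\AutoPLay\coMmAnd - "" = C:\yrrjd.pif -- [2012/06/14 10:54:15 | 000,033,508 | ---- | M] ()
O33 - MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\Shell\OpeN\commanD - "" = C:\yrrjd.pif -- [2012/06/14 10:54:15 | 000,033,508 | ---- | M] ()
O33 - MountPoints2\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\Shell\AutoRun\command - "" = D:\webdtv.exe
O33 - MountPoints2\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\Shell\open\Command - "" = D:\webdtv.exe
'''

# "Shell - "" = <default verb>" sets the verb Explorer runs on double-click;
# "Shell\<verb>\command - "" = <target>" is the command bound to that verb.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-f-]+)\}\\Shell'
    r'(?:\\(?P<verb>[^\\]+)\\command)? - "" = (?P<value>.*)$',
    re.IGNORECASE,
)
# Verb names as Windows itself writes them; the same letters in another case is a red flag.
CANONICAL = {"autorun": "AutoRun", "autoplay": "AutoPlay", "open": "open", "explore": "explore"}


@dataclass
class DriveAutorun:
    guid: str
    default_verb: Optional[str] = None
    commands: Dict[str, str] = field(default_factory=dict)   # verb -> target
    indicators: Set[str] = field(default_factory=set)

    @property
    def hijacked(self) -> bool:
        # Assumed rule: any indicator on any verb marks the cached handler as hijacked.
        return bool(self.indicators)


def command_indicators(verb: str, target: str) -> Set[str]:
    """Heuristic traits of a bound command (assumed indicator names, not OTL's)."""
    hits: Set[str] = set()
    t = target.lower()
    if verb.lower() in CANONICAL and verb != CANONICAL[verb.lower()]:
        hits.add("mixed-case verb")
    if "\\recycler\\" in t:
        hits.add("target under RECYCLER")
    if "rundll32" in t and "shellexec_rundll" in t:
        hits.add("rundll32 ShellExec proxy")
    if re.search(r"\.(pif|scr|com|bat|cmd)$", t):
        hits.add("non-EXE executable extension")
    if re.match(r"^[a-z]:\\[^\\]+$", t):
        hits.add("executable at drive root")
    return hits


def analyze_mountpoints(text: str) -> Dict[str, DriveAutorun]:
    """Group O33 lines per drive GUID and collect indicators for each bound command."""
    drives: Dict[str, DriveAutorun] = {}
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if not m:
            continue
        guid = m["guid"].lower()
        d = drives.setdefault(guid, DriveAutorun(guid))
        # OTL appends " -- [timestamp | size | attrs | M] (company)" when the file still exists.
        value = m["value"].split(" -- [", 1)[0].strip()
        if m["verb"] is None:
            d.default_verb = value
        else:
            d.commands[m["verb"]] = value
            d.indicators |= command_indicators(m["verb"], value)
    return drives


if __name__ == "__main__":
    for guid, d in analyze_mountpoints(SAMPLE_O33).items():
        state = "HIJACKED" if d.hijacked else "clean"
        print(f"{state:8} {{{guid}}} default={d.default_verb} verbs={sorted(d.commands)}")
        for ind in sorted(d.indicators):
            print(f"{'':8}   - {ind}")
```

The script reports all four sample drives as hijacked, which matches what the fix script deletes; the point for a defender is that MountPoints2 survives removal of the drive itself, so the cached handler has to be cleaned separately, exactly as the O33 lines in the fix do.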


Good afternoon,

Here is the log:

 

All processes killed

========== OTL ==========

Service wzbuzemwv stopped successfully!

Service wzbuzemwv deleted successfully!

File move failed. C:\WINDOWS\system32\psxgmp.dll scheduled to be moved on reboot.

Service bldy2ace-2b11 stopped successfully!

Service bldy2ace-2b11 deleted successfully!

File C:\WINDOWS\system32\bldy2ace-2b11.sys not found.

Service amsint32 stopped successfully!

Service amsint32 deleted successfully!

File C:\WINDOWS\system32\drivers\iokmr.sys not found.

Registry value HKEY_USERS\S-1-5-21-1177238915-2139871995-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Eboiom deleted successfully.

C:\Documents and Settings\User\Dados de aplicativos\Eboiom.exe moved successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00f420c8-d812-11e0-ad73-0019d12ca2b1}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f420c8-d812-11e0-ad73-0019d12ca2b1}\ not found.

File F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00f420c8-d812-11e0-ad73-0019d12ca2b1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f420c8-d812-11e0-ad73-0019d12ca2b1}\ not found.

File F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e5832a3-0389-11de-a5b5-0019d12ca2b1}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0e5832a3-0389-11de-a5b5-0019d12ca2b1}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e5832a3-0389-11de-a5b5-0019d12ca2b1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0e5832a3-0389-11de-a5b5-0019d12ca2b1}\ not found.

File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34b4c974-36eb-11dc-8a51-806d6172696f}\ not found.

C:\yrrjd.pif moved successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34b4c974-36eb-11dc-8a51-806d6172696f}\ not found.

File C:\yrrjd.pif not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34b4c974-36eb-11dc-8a51-806d6172696f}\ not found.

File C:\yrrjd.pif not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34b4c974-36eb-11dc-8a51-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34b4c974-36eb-11dc-8a51-806d6172696f}\ not found.

File C:\yrrjd.pif not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{35f9d7df-7a08-11e1-adfe-0019d12ca2b1}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35f9d7df-7a08-11e1-adfe-0019d12ca2b1}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{35f9d7df-7a08-11e1-adfe-0019d12ca2b1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35f9d7df-7a08-11e1-adfe-0019d12ca2b1}\ not found.

File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42c010ea-b8de-11dc-a308-0019d12ca2b1}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42c010ea-b8de-11dc-a308-0019d12ca2b1}\ not found.

File D:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42c010ea-b8de-11dc-a308-0019d12ca2b1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42c010ea-b8de-11dc-a308-0019d12ca2b1}\ not found.

File D:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e951c2ec-d26b-11df-ac31-806d6172696f}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e951c2ec-d26b-11df-ac31-806d6172696f}\ not found.

D:\anqw.pif moved successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e951c2ec-d26b-11df-ac31-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e951c2ec-d26b-11df-ac31-806d6172696f}\ not found.

File D:\anqw.pif not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e951c2ec-d26b-11df-ac31-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e951c2ec-d26b-11df-ac31-806d6172696f}\ not found.

File D:\anqw.pif not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e951c2ec-d26b-11df-ac31-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e951c2ec-d26b-11df-ac31-806d6172696f}\ not found.

File D:\anqw.pif not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\ not found.

File D:\webdtv.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\ not found.

File D:\webdtv.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f62816eb-5e7e-11de-b701-0019d12ca2b1}\ not found.

File D:\webdtv.exe not found.

C:\Documents and Settings\User\sawe.exe moved successfully.

C:\Documents and Settings\User\isee32.exe moved successfully.

C:\Documents and Settings\User\iee32.exe moved successfully.

File C:\Documents and Settings\User\Dados de aplicativos\Eboiom.exe not found.

C:\Documents and Settings\User\Dados de aplicativos\B.exe moved successfully.

C:\Documents and Settings\User\Dados de aplicativos\115.exe moved successfully.

C:\Documents and Settings\User\Dados de aplicativos\114.exe moved successfully.

File C:\yrrjd.pif not found.

C:\Documents and Settings\User\Dados de aplicativos\1C.exe moved successfully.

C:\Documents and Settings\User\Dados de aplicativos\2D.exe moved successfully.

========== FILES ==========

< netsh firewall reset /c >

Ok.

C:\Documents and Settings\User\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\User\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Administrador

->Temp folder emptied: 25214 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: All Users

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: LocalService

->Temp folder emptied: 65984 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: User

->Temp folder emptied: 48774243 bytes

->Temporary Internet Files folder emptied: 2793865 bytes

->Java cache emptied: 3463076 bytes

->FireFox cache emptied: 89393930 bytes

->Google Chrome cache emptied: 52580237 bytes

->Flash cache emptied: 3894 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 17408 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 81920 bytes

RecycleBin emptied: 93378221 bytes

 

Total Files Cleaned = 277,00 mb

 

 

OTL by OldTimer - Version 3.2.48.0 log created on 06152012_142241

 

Files\Folders moved on Reboot...

C:\WINDOWS\system32\psxgmp.dll moved successfully.

File\Folder C:\WINDOWS\temp\Perflib_Perfdata_fc.dat not found!

 

Registry entries deleted on Reboot...


We're wrapping up....:)

There was a lot of infection.

1.

*Delete sharedaccess.reg

2.

*Delete FixPolicies

3.

*Download SafeBootWinXP and save it to the desktop

*Right-click it and select Merge

*Restart the PC

4.

*Download AdwCleaner (...by Xplode) and save it to the desktop

*Run it.

*Click [Delete]

*Paste the report that appears


Thanks for the help; I didn't want to format this PC. Sorry for so much trouble.

I still can't open my C: drive; it asks me to choose a program to open it with.

Here is the log:

# AdwCleaner v1.609 - Logfile created 06/15/2012 at 14:50:14

# Updated 10/06/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)

# User : User - HOME2

# Running from : C:\Documents and Settings\User\Desktop\adwcleaner.exe

# Option [Delete]

 

 

***** [services] *****

 

 

***** [Files / Folders] *****

 

Folder Deleted : C:\Documents and Settings\User\Dados de aplicativos\Babylon

Folder Deleted : C:\Documents and Settings\User\Dados de aplicativos\facemoods.com

Folder Deleted : C:\Documents and Settings\User\Dados de aplicativos\OpenCandy

Folder Deleted : C:\Documents and Settings\User\Dados de aplicativos\pdfforge

Folder Deleted : C:\Documents and Settings\User\Dados de aplicativos\PriceGong

Folder Deleted : C:\Documents and Settings\All Users\Dados de aplicativos\Babylon

Folder Deleted : C:\Documents and Settings\All Users\Dados de aplicativos\SweetIM

Folder Deleted : C:\Documents and Settings\All Users\Menu Iniciar\Programas\DealPly

Folder Deleted : C:\Documents and Settings\All Users\Menu Iniciar\Programas\PriceGong

Folder Deleted : C:\Arquivos de programas\AutocompletePro

Folder Deleted : C:\Arquivos de programas\DealPly

Folder Deleted : C:\Arquivos de programas\facemoods.com

Folder Deleted : C:\Arquivos de programas\PriceGong

Folder Deleted : C:\Arquivos de programas\SweetIM

Folder Deleted : C:\WINDOWS\Installer\{0965F857-DAAD-4F93-8054-0E2EC3C8C5B0}

Folder Deleted : C:\WINDOWS\Installer\{FB697452-8CA4-46B4-98B1-165C922A2EF3}

 

***** [Registry] *****

 

Key Deleted : HKCU\Software\AutocompletePro

Key Deleted : HKCU\Software\AutocompleteProBHO

Key Deleted : HKCU\Software\DealPly

Key Deleted : HKCU\Software\facemoods.com

Key Deleted : HKCU\Software\PriceGong

Key Deleted : HKCU\Software\Softonic

Key Deleted : HKCU\Software\SweetIm

Key Deleted : HKLM\SOFTWARE\Babylon

Key Deleted : HKLM\SOFTWARE\DealPly

Key Deleted : HKLM\SOFTWARE\facemoods.com

Key Deleted : HKLM\SOFTWARE\SweetIM

Key Deleted : HKLM\SOFTWARE\VDownloader\OpenCandy

Key Deleted : HKLM\SOFTWARE\Classes\esrv.escrtSrvc

Key Deleted : HKLM\SOFTWARE\Classes\esrv.escrtSrvc.1

Key Deleted : HKLM\SOFTWARE\Classes\facemoods.facemoodsHlpr

Key Deleted : HKLM\SOFTWARE\Classes\facemoods.facemoodsHlpr.1

Key Deleted : HKLM\SOFTWARE\Classes\facemoods.xtrnl

Key Deleted : HKLM\SOFTWARE\Classes\facemoods.xtrnl.1

Key Deleted : HKLM\SOFTWARE\Classes\facemoodsApp.appCore

Key Deleted : HKLM\SOFTWARE\Classes\facemoodsApp.appCore.1

Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils

Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1

Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator

Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1

Key Deleted : HKLM\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO

Key Deleted : HKLM\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO.1

Key Deleted : HKLM\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl

Key Deleted : HKLM\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl.1

Key Deleted : HKLM\SOFTWARE\Classes\sim-packages

Key Deleted : HKLM\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO

Key Deleted : HKLM\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1

Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar

Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1

Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook

Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1

Key Deleted : HKLM\SOFTWARE\Classes\AppID\AutocompletePro.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AppID\PriceGongIE.DLL

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\pricegong

Key Deleted : HKCU\Software\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\defdhglnppeioeflggkmglipcecffkhk

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bkomkajifikmkfnjgphkjcfeepbnojok

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje

Key Deleted : HKLM\SOFTWARE\Google\chrome\Extensions\ihflimipbcaljfnojhhknppphnnciiif

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\PriceGong

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0965F857-DAAD-4F93-8054-0E2EC3C8C5B0}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FB697452-8CA4-46B4-98B1-165C922A2EF3}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4183178B-4D4E-48A7-9257-454BA90A760E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutocompletePro3_is1

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DealPly

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\facemoods

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PriceGong

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [facemoods]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [sweetIM]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [sweetpacks Communicator]

 

***** [Registre - GUID] *****

 


 

***** [internet Browsers] *****

 

-\\ Internet Explorer v6.0.2900.2180

 

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.babylon.com/?AF=101416&tt=290312_bexdll&babsrc=HP_ss&mntrId=704218fa0000000000000019d12ca2b1 --> hxxp://www.google.com

 

*************************

 

AdwCleaner[s1].txt - [12592 octets] - [15/06/2012 14:50:14]

 

########## EOF - C:\AdwCleaner[s1].txt - [12721 octets] ##########


1.

*Run AdwCleaner and click [Uninstall]

2.

*Click [Start] > [Run] > type: Gpedit.msc

*Click [OK]

*Under "Computer Configuration", expand "Administrative Templates" and click "System".

*In the right-hand column, right-click "Turn off Autoplay" and select "Properties"

*Select "Enabled"

*In the box below "Turn off Autoplay on:", select "All drives"

*Click [Apply] > [OK]

*Restart the computer

3.

*Download UsbFix (...by El desaparecido) and save it to the desktop

*Plug the USB drive into the PC

*Run it.

*Click [Search]

*Paste the report shown


Since I didn't have any USB drive here at the moment (all the ones I have were left in my wife's car), I ran the scan without one.

Should I wait until I have a USB drive to scan and redo it???

My Task Manager is acting strange; the tabs at the top don't open.

 

############################## | UsbFix V 7.089 | [Pesquisa]

 

Usuário: User (Administrador) # HOME2

Atualizado em 09/06/2012 por El Desaparecido

Começou em 15:20:14 | 15/06/2012

 

Site: http://eldesaparecido.com

Foro: http://forum.eldesaparecido.com

Arquivo suspeito ? : http://eldesaparecido.com/upload.php

Contato: contact@eldesaparecido.com

 

PC: INTEL_ (D11020M_) (X86-based PC) # Desktop Computer

CPU: Intel® Pentium® 4 CPU 3.00GHz (3000)

CPU: Intel® Pentium® 4 CPU 3.00GHz (3000)

RAM -> [Total : 1406 | Free : 839]

BIOS: Default System BIOS

BOOT: Normal boot

 

OS: Microsoft Windows XP Professional (5.1.2600 32-Bit) # Service Pack 2

WB: Windows Internet Explorer 6.0.2900.2180

 

SC: Security Center Service [(!) Disabled]

WU: Windows Update Service [(!) Disabled]

FW: Windows FireWall Service [Enabled]

 

C:\ (%systemdrive%) -> Disco fixo # 75 Gb (23 Mb livre - 31%) [PRINCIPAL] # NTFS

D:\ -> Disco fixo # 75 Gb (29 Mb livre - 39%) [ANTIGA] # NTFS

E:\ -> CD-ROM

 

################## | Processos Ativos |

 

C:\WINDOWS\System32\smss.exe (468)

C:\WINDOWS\system32\csrss.exe (524)

C:\WINDOWS\system32\winlogon.exe (548)

C:\WINDOWS\system32\services.exe (592)

C:\WINDOWS\system32\lsass.exe (604)

C:\ARQUIV~1\GbPlugin\GbpSv.exe (768)

C:\WINDOWS\system32\svchost.exe (852)

C:\WINDOWS\system32\svchost.exe (936)

C:\WINDOWS\System32\svchost.exe (1004)

C:\WINDOWS\system32\svchost.exe (1128)

C:\WINDOWS\system32\svchost.exe (1212)

C:\WINDOWS\system32\spoolsv.exe (1488)

C:\WINDOWS\Explorer.EXE (1536)

C:\Arquivos de programas\Bonjour\mDNSResponder.exe (1740)

C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe (1788)

C:\Arquivos de programas\Java\jre6\bin\jqs.exe (1860)

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE (1876)

c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe (1940)

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (148)

C:\WINDOWS\system32\svchost.exe (220)

C:\Arquivos de programas\TeamViewer\Version7\TeamViewer_Service.exe (404)

C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe (428)

C:\Arquivos de programas\TeamViewer\Version7\TeamViewer.exe (884)

C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe (1140)

C:\WINDOWS\system32\ctfmon.exe (1152)

C:\Documents and Settings\User\Dados de aplicativos\Dropbox\bin\Dropbox.exe (1088)

C:\Arquivos de programas\TeamViewer\Version7\tv_w32.exe (1320)

C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe (1608)

c:\arquivos de programas\teamviewer\version7\TeamViewer_Desktop.exe (2792)

C:\Arquivos de programas\Mozilla Firefox\firefox.exe (3356)

C:\UsbFix\Go.exe (3820)

C:\WINDOWS\system32\wbem\wmiprvse.exe (3868)

 

################## | Ficheiros # pastas infeciosos |

 

Presente ! C:\Documents and Settings\User\Dados de aplicativos\10.exe

Presente ! C:\Documents and Settings\User\Dados de aplicativos\Temp

Presente ! C:\WINDOWS\system32\services.exe

Presente ! C:\autorun.inf

Presente ! D:\autorun.inf

 

################## | Registro |

 

Presente ! HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\explorer|NoResolveSearch

 

################## | Mountpoints2 |

 

 

 

################## | Vaccin |

 

(!) Este computador não é vacinada!

 

################## | E.O.F |


I thought we were about to finish... but we're far from it.

1.

*Download SystemLook (...by jpshortstuff) and save it to the desktop

*Run it.

*Paste the lines in blue into the blank box:

:reg

HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s

:filefind

services.exe

*Click [Look] and paste the report shown


Mission nearly impossible????

Here is the log

 

SystemLook 30.07.11 by jpshortstuff

Log created at 15:47 on 15/06/2012 by User

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(Unable to open key - key not found)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="C:\WINDOWS\system32\wbem\wbemess.dll"

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shdocvw.dll"

"ThreadingModel"="Apartment"

 

 

========== filefind ==========

 

Searching for "services.exe"

C:\WINDOWS\system32\services.exe --a---- 108544 bytes [03:45 04/08/2004] [03:45 04/08/2004] CC73C4430C2FC27FDE16A0A4E3678148

C:\WINDOWS\system32\dllcache\services.exe --a--c- 108544 bytes [03:45 04/08/2004] [03:45 04/08/2004] CC73C4430C2FC27FDE16A0A4E3678148

 

-= EOF =-

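A check a helper could script from the SystemLook filefind report above: parse the result lines and compare the live services.exe with its dllcache copy by size and MD5. This is an added example, not part of the thread or of SystemLook itself; the two services.exe lines are the ones posted, while the demo.dll pair is constructed to show what a mismatch looks like.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One result line of a SystemLook ":filefind" section looks like:
#   <path> <attributes> <size> bytes [<created>] [<modified>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s+"
    r"(?P<attrs>[-a-z]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# services.exe lines are quoted from the thread; the demo.dll pair is
# constructed sample data (not from the log) to exercise the mismatch path.
SAMPLE_LOG = """\
========== filefind ==========

Searching for "services.exe"
C:\\WINDOWS\\system32\\services.exe --a---- 108544 bytes [03:45 04/08/2004] [03:45 04/08/2004] CC73C4430C2FC27FDE16A0A4E3678148
C:\\WINDOWS\\system32\\dllcache\\services.exe --a--c- 108544 bytes [03:45 04/08/2004] [03:45 04/08/2004] CC73C4430C2FC27FDE16A0A4E3678148

Searching for "demo.dll"
C:\\WINDOWS\\system32\\demo.dll --a---- 20480 bytes [10:00 01/06/2012] [10:00 01/06/2012] 0123456789ABCDEF0123456789ABCDEF
C:\\WINDOWS\\system32\\dllcache\\demo.dll --a--c- 16384 bytes [03:45 04/08/2004] [03:45 04/08/2004] FEDCBA9876543210FEDCBA9876543210

-= EOF =-
"""


@dataclass
class FileEntry:
    path: str
    size: int
    md5: str


def parse_filefind(text: str) -> list[FileEntry]:
    """Extract (path, size, MD5) from every result line of a filefind report."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], int(m["size"]), m["md5"].upper()))
    return entries


def compare_with_dllcache(entries: list[FileEntry]) -> dict[str, str]:
    """Report, per live file, whether its dllcache copy has the same size and MD5.

    Agreement only shows the two copies are identical, not that either is the
    genuine Microsoft binary; a known-good hash is the stronger check.
    """
    by_path = {e.path.lower(): e for e in entries}
    findings = {}
    for key, live in by_path.items():
        if "\\dllcache\\" in key:
            continue  # cache copies are the reference, not the subject
        folder, _, name = key.rpartition("\\")
        cached = by_path.get(f"{folder}\\dllcache\\{name}")
        if cached is None:
            findings[live.path] = "no dllcache copy found"
        elif (cached.size, cached.md5) == (live.size, live.md5):
            findings[live.path] = "matches dllcache copy"
        else:
            findings[live.path] = "differs from dllcache copy"
    return findings


def check_sample() -> dict[str, str]:
    return compare_with_dllcache(parse_filefind(SAMPLE_LOG))


if __name__ == "__main__":
    for path, verdict in check_sample().items():
        print(f"{verdict:>26}: {path}")
```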

OK...

1.

*Delete SystemLook and its report, located on the desktop

2.

*Run UsbFix and click [Uninstall]

*Delete UsbFix and the folder C:\UsbFix

3.

*Temporarily disable your antivirus

*Download ComboFix (...by sUBs) and save it to the desktop

*Run it and accept the agreement.

*Windows Vista or Windows 7 users should right-click the file and select Run as administrator

*Windows XP users: If the Microsoft Windows Recovery Console is not installed, accept its installation. After the Console is installed, click [Yes].

*Wait for the stages to finish... it may take a while!

1) Do not use the mouse or keyboard during the stages!!

2) To stop the scan, press N

*Paste the report shown
