Log analysis. Error (0xc000007b)

There are 19 replies in this topic

#1 narayann
  • Participant
  • 14 posts

Posted 23 February 2009 - 09:40 AM

I think my computer is infected with some kind of malware.
I have been getting this error when I try to open some programs:

The application failed to initialize properly (0xc000007b). Click OK to terminate the application.

I think this error happens mostly in programs that use the Microsoft .NET Framework.
I have also been getting constant errors when installing/uninstalling the Framework and other Windows tools.
The PC has also been running very slowly, out of the ordinary.
Thanks for the help

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33:14, on 23-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AEADISRV.EXE
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Programas\PowerISO\PWRISOVM.EXE
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\Programas\Windows Media Player\wmplayer.exe
C:\Programas\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Programas\SecondLifeReleaseCandidate\SecondLifeReleaseCandidate.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {93344865-74BD-4873-BE65-56539D41A65C} - (no file)
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programas\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Programas\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\DEFINI~1\Temp\IXP004.TMP\"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [wuyojunove] Rundll32.exe "C:\WINDOWS\system32\mibagoyo.dll",s (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programas\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {93344865-74BD-4873-BE65-56539D41A65C} - http://earn2life.com...n/Earn2Life.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B66BA35-9160-44B0-85E3-D8563EF3A6DC}: NameServer = 194.65.47.43,194.65.47.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA6278B5-8E09-48B5-B0C9-904A1803E533}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\dofozeha.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Programas\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\WINDOWS\system32\AEADISRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Programas\McAfee\SiteAdvisor\McSACore.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programas\Viewpoint\Common\ViewpointService.exe

--
End of file - 9631 bytes


#2 Mr.Million
    Consumer Security MVP
  • Expert
  • 65384 posts

Posted 23 February 2009 - 11:01 AM

Disable your antivirus and antispyware so there are no conflicts. Keep them disabled until you have finished the instructions.

Download Banker FIX

Double-click bankerfix.exe. Press Enter.

Internet Explorer will be closed. Wait for the tool to finish. This may take a while.
When it finishes, a message will appear on screen; then press Enter.

Reboot...

Download Malwarebytes' Anti-Malware (MBAM) or here.

Save or print these instructions:

Double-click mbam-setup.exe, choose the language and, during installation, accept all the default options.

Make sure the boxes Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware are checked, then click Finish.

If there are updates to be applied, they will be downloaded and installed.

When the update is done, with the program open, select Perform quick scan and click the Scan button.

The scan will then start. Wait, as it may take a while.

When the scan finishes, click OK, then the Show Results button to see the report.

If items were found, make sure they are all checked and click the Remove button.

When disinfection is done, Notepad will open with a log and a prompt may appear asking whether you want to restart the PC. (See note below)

The log is saved automatically by MBAM; to view it, click the Logs tab in the program's main window.

NOTE: If MBAM finds files it cannot remove, it may need to restart the PC (possibly more than once). Do so immediately when asked whether you want to restart.

Select, copy and paste the contents of the MBAM log into your next reply + the Relatorio.txt you will find in C:\LinhaDefensiva + a new HijackThis log.

Afterwards you can delete the LinhaDefensiva folder. Re-enable your antivirus.

#3 narayann
  • Participant
  • 14 posts

Posted 24 February 2009 - 07:56 AM

Hello, first of all thank you for trying to help me.
I followed your instructions, except that I could not remove a Trojan.BHO that MBAM detected; I tried rebooting several times as indicated, but it was never removed.

Here are the logs as requested:

MBAM LOG:

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

24-02-2009 10:54:02
mbam-log-2009-02-24 (10-54-02).txt

Scan type: Quick Scan
Objects scanned: 66186
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


- - - - - - -

HiJackThis LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:13, on 24-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AEADISRV.EXE
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Programas\PowerISO\PWRISOVM.EXE
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\Analog Devices\Core\smax4pnp.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Viewpoint\Common\ViewpointService.exe
C:\Programas\Malwarebytes' Anti-Malware\mbam.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {93344865-74BD-4873-BE65-56539D41A65C} - (no file)
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programas\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Programas\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [wuyojunove] Rundll32.exe "C:\WINDOWS\system32\mibagoyo.dll",s (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programas\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {93344865-74BD-4873-BE65-56539D41A65C} - http://earn2life.com...n/Earn2Life.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B66BA35-9160-44B0-85E3-D8563EF3A6DC}: NameServer = 194.65.47.43,194.65.47.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA6278B5-8E09-48B5-B0C9-904A1803E533}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\dofozeha.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Programas\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\WINDOWS\system32\AEADISRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Programas\McAfee\SiteAdvisor\McSACore.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programas\Viewpoint\Common\ViewpointService.exe

--
End of file - 9223 bytes


- - - - - - -


BankerFix relatorio.txt:


BankerFix 3.0 VALKYRIE - Banker Remover
Linha Defensiva | http://www.linhadefensiva.org
http://www.linhadefe....org/bankerfix/
-------------------------------------------------------
Date: 2009-02-24 - 10:40
-------------------------------------------------------
Definition list: 2009-01-21-2 | CORE: 2009-01-21-1
=======================================================



----- End -------------------------
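Triage of the two HijackThis logs in this thread, as an added example that is not part of the original posts and not a HijackThis feature. It keeps only the section-tagged lines (O2, O4, O20, ...), flags the entries a helper would look at first, and diffs the 23-02 and 24-02 logs to show which flagged entries survived BankerFix and MBAM. The log excerpts are copied (trimmed) from the logs posted above; the flagging rules, the `wbsys.dll` allowlist entry and the "eight random letters" filename test are this example's own assumptions, not documented rules. The one fact the O20 rule relies on is that Windows loads every DLL listed in AppInit_DLLs into each process that loads user32.dll.

```python
"""Triage and diff two HijackThis 2.0.x logs.

Added example for this thread; not part of the original posts and not a
HijackThis feature.  The log excerpts below are copied (trimmed) from the
23-02 and 24-02 logs posted above.  The flagging rules, the AppInit_DLLs
allowlist and the "eight random letters" test are this example's own
assumptions, not documented rules.
"""
import re
from dataclasses import dataclass

# Leading section tag of an HJT line, e.g. "O4 - ..." or "R1 - ...".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Random-looking eight-letter basenames such as mibagoyo.dll / dofozeha.dll.
RANDOM_DLL_RE = re.compile(r"\b[a-z]{8}\.dll\b", re.IGNORECASE)
# AppInit_DLLs basenames accepted as legitimate (assumption: wbsys.dll is
# Windows Desktop Search; extend for your own environment).
APPINIT_ALLOW = {"wbsys.dll"}

@dataclass(frozen=True)
class Entry:
    section: str   # "O4", "O20", ...
    body: str      # everything after "O4 - "

def parse_hjt(text):
    """Keep only the section-tagged lines; header and process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["sec"], m["body"]))
    return entries

def suspicious(entry):
    """Return a reason string if the entry deserves a look first, else None."""
    sec, body = entry.section, entry.body
    if sec == "O20" and body.startswith("AppInit_DLLs:"):
        # Every process that loads user32.dll also loads these DLLs.
        dlls = body.split(":", 1)[1].split()
        unknown = [d for d in dlls if d.split("\\")[-1].lower() not in APPINIT_ALLOW]
        if unknown:
            return "AppInit_DLLs injects an unrecognised DLL: " + ", ".join(unknown)
    if sec == "O4" and "rundll32" in body.lower() and RANDOM_DLL_RE.search(body):
        return "Run key loads a random-named DLL through rundll32"
    if sec == "O4" and "HKUS\\S-1-5-19" in body and "CTFMON" not in body.upper():
        return "Run key under the LOCAL SERVICE hive (S-1-5-19)"
    if sec in ("O2", "O3") and "(no file)" in body:
        return "orphaned BHO/toolbar registration (no file)"
    if sec == "O23" and "(file missing)" in body:
        return "service points at a missing binary"
    if sec == "O16" and "http://" in body:
        return "ActiveX download (DPF) from a third-party site"
    return None

def triage(text):
    """Map each flagged line (as written in the log) to the reason it was flagged."""
    out = {}
    for e in parse_hjt(text):
        why = suspicious(e)
        if why:
            out[f"{e.section} - {e.body}"] = why
    return out

def diff_logs(before, after):
    """Split flagged lines into (persisting, removed, new) between two logs."""
    b, a = triage(before), triage(after)
    persisting = {k: v for k, v in a.items() if k in b}
    removed = {k: v for k, v in b.items() if k not in a}
    new = {k: v for k, v in a.items() if k not in b}
    return persisting, removed, new

# Trimmed excerpt of the 23-02-2009 log posted above (same entries, fewer lines).
LOG_DAY1 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33:14, on 23-02-2009
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {93344865-74BD-4873-BE65-56539D41A65C} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [wuyojunove] Rundll32.exe "C:\WINDOWS\system32\mibagoyo.dll",s (User 'SERVIÇO LOCAL')
O16 - DPF: {93344865-74BD-4873-BE65-56539D41A65C} - http://earn2life.com...n/Earn2Life.cab
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\dofozeha.dll
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Programas\McAfee\SiteAdvisor\McSACore.exe (file missing)
"""
# The 24-02-2009 log posted above repeats these entries verbatim; only the header differs.
LOG_DAY2 = LOG_DAY1.replace("09:33:14, on 23-02-2009", "10:52:13, on 24-02-2009")

if __name__ == "__main__":
    persisting, removed, new = diff_logs(LOG_DAY1, LOG_DAY2)
    print(f"{len(persisting)} flagged entries survived, {len(removed)} removed, {len(new)} new")
    for line, why in persisting.items():
        print(f"  [{why}]\n    {line}")
```

Run as a script it reports that all six flagged lines are still present after the first round, with the O4 `Rundll32.exe ... mibagoyo.dll` entry under the LOCAL SERVICE hive and the O20 `dofozeha.dll` AppInit entry listed among them; feeding it a later log shows what a fix actually removed rather than relying on the tool's own summary.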

#4 Mr.Million
    Consumer Security MVP
  • Expert
  • 65384 posts

Posted 24 February 2009 - 09:29 AM

OK, continuing.....

Disable your antivirus, antispyware and firewall so there are no conflicts. Keep them disabled until you have finished the instructions.

Download ComboFix

Save it to your Desktop (for the tool to run correctly it must be on the Desktop).

Close all windows and programs.

Double-click combofix.exe, press 1 and then Enter to proceed with the fix. Wait, as it takes a while.

NOTE: If you do not want the Windows Recovery Console to be installed, click "No" and then agree so that the scan continues.
If the Console is installed, the operating system selection screen will be shown at system startup.
More information on the Console: http://support.Microsoft.com/kb/307654/pt-br


ComboFix will restart the PC automatically to complete the removal process. If that does not happen, restart manually.

When it finishes, a log will be generated at C:\ComboFix.txt.

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running. To stop or exit ComboFix, press "N".

Select, copy and paste the contents of ComboFix.txt into your next reply + a new HijackThis log.

NOTE 2: Do not run ComboFix more than once. That will overwrite the log and make removing the malware harder.

If an error occurs, restart the computer in Safe Mode (tap F8 repeatedly, or F5 in some cases, during startup) and repeat the procedure.

#5 narayann
  • Participant
  • 14 posts

Posted 24 February 2009 - 11:18 AM

Thanks for the quick reply and continued help (Y)
I followed the indicated steps again; here are the requested logs.

ComboFix LOG:

ComboFix 09-02-21.01 - Administrador 2009-02-24 14:02:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.2047.1581 [GMT 0:00]
Running from: c:\documents and settings\Administrador\Ambiente de trabalho\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

c:\windows\explorer.exe . . . is infected!!

.
(((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 ))))))))))))))))))))))))))))
.

2009-02-23 09:31 . 2009-02-23 09:31 <DIR> d-------- c:\programas\Trend Micro
2009-02-23 09:30 . 2009-02-23 09:31 <DIR> d-------- C:\CCleaner
2009-02-23 09:26 . 2009-02-23 09:26 <DIR> d-------- c:\programas\CCleaner
2009-02-22 17:23 . 2009-02-22 17:23 <DIR> d-------- c:\programas\Microsoft.NET
2009-02-22 17:15 . 2009-02-22 17:15 <DIR> d-------- C:\8ec090f8f29fcc45890e684b3c64bb
2009-02-22 17:15 . 2009-02-22 17:15 <DIR> d-------- C:\52287885bfe694d80d7cbb
2009-02-22 11:39 . 2009-02-22 11:39 <DIR> d-------- c:\windows\system32\URTTemp
2009-02-22 11:29 . 2009-02-22 11:46 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-22 10:58 . 2009-02-24 10:02 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-22 10:58 . 2009-02-22 10:58 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-22 10:58 . 2009-02-22 10:58 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-22 10:58 . 2009-02-22 10:58 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-21 18:48 . 2009-02-21 18:48 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-02-20 18:45 . 2009-02-21 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-02-20 18:43 . 2009-02-21 19:13 <DIR> d-------- c:\programas\McAfee
2009-02-20 18:38 . 2009-02-21 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-02-20 17:15 . 2008-04-14 21:39 870,784 --------- c:\windows\system32\ati3d1ag.dll
2009-02-20 17:15 . 2008-04-14 21:39 377,984 --------- c:\windows\system32\ati2dvaa.dll
2009-02-20 17:15 . 2008-04-14 21:39 32,768 --------- c:\windows\system32\ativtmxx.dll
2009-02-20 17:15 . 2008-04-14 21:40 23,040 --------- c:\windows\system32\ativmvxx.ax
2009-02-20 17:15 . 2008-04-14 21:40 9,728 --------- c:\windows\system32\ativdaxx.ax
2009-02-20 16:31 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2009-02-20 16:25 . 2009-02-20 16:54 <DIR> d-------- C:\b4af109b097d9f47026ba7ffff
2009-02-20 15:56 . 2009-02-20 15:56 <DIR> d-------- c:\documents and settings\LocalService\Ambiente de trabalho
2009-02-20 14:50 . 2009-02-20 14:50 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-20 13:44 . 2009-02-20 21:21 593,920 --a------ c:\windows\system32\ati2sgag.exe
2009-02-20 13:28 . 2009-02-20 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SonicFocus
2009-02-20 12:43 . 2009-02-20 12:52 <DIR> d-------- c:\programas\Driver Checker
2009-02-20 12:28 . 2009-02-20 13:30 <DIR> d-------- c:\programas\ATI
2009-02-20 12:24 . 2008-12-04 09:31 53,248 --a------ c:\windows\system32\CSVer.dll
2009-02-20 12:23 . 2009-02-20 12:23 <DIR> d-------- c:\programas\Realtek
2009-02-20 12:23 . 2009-01-16 22:45 73,728 --a------ c:\windows\system32\RtNicProp32.dll
2009-02-20 12:07 . 2009-02-20 13:29 <DIR> d-------- c:\programas\Driver-Soft
2009-02-20 12:07 . 2007-09-02 20:56 1,686,016 --a------ c:\windows\system32\clinetsuitex6.ocx
2009-02-20 12:07 . 2004-03-09 16:45 662,288 --a------ c:\windows\system32\MSCOMCT2.OCX
2009-02-20 12:07 . 2004-06-14 14:56 427,864 --a------ c:\windows\system32\XceedZip.dll
2009-02-20 11:58 . 2009-02-20 11:58 <DIR> d-------- c:\programas\iXi Tools
2009-02-20 11:56 . 2009-02-20 11:56 <DIR> d-------- c:\documents and settings\Administrador\Application Data\Thinstall
2009-02-20 11:47 . 2009-02-20 11:47 <DIR> d-------- c:\programas\XPC Tools
2009-02-20 10:56 . 2009-02-20 10:56 <DIR> d-------- c:\programas\Analog Devices
2009-02-20 10:54 . 2009-02-20 10:54 <DIR> d-------- C:\Intel
2009-02-20 10:54 . 2009-02-20 10:54 <DIR> d-------- C:\Drivers
2009-02-20 10:44 . 2009-02-20 10:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-16 20:17 . 2009-02-16 20:17 <DIR> d-------- c:\windows\system32\VirtualExpander
2009-02-15 10:46 . 2009-02-22 10:44 <DIR> d-------- c:\documents and settings\Administrador\Application Data\SecondLife
2009-02-15 10:44 . 2009-02-15 10:44 <DIR> d-------- c:\programas\SecondLifeReleaseCandidate
2009-02-12 20:08 . 2009-02-15 09:56 <DIR> d-------- c:\documents and settings\Administrador\Application Data\OnRez
2009-02-09 22:52 . 2009-02-09 22:52 <DIR> d-------- c:\documents and settings\Administrador\Application Data\id Software
2009-02-09 22:50 . 2009-02-09 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-02-09 22:50 . 2009-02-20 21:25 2,266,642 --a------ c:\windows\system32\pbsvc.exe
2009-02-09 22:50 . 2009-02-11 20:02 188,896 --a------ c:\windows\system32\PnkBstrB.exe
2009-02-09 22:50 . 2009-02-11 20:02 138,784 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 22:50 . 2009-02-11 20:02 70,968 --a------ c:\windows\system32\PnkBstrA.exe
2009-02-09 22:50 . 2009-02-09 22:50 22,328 --a------ c:\documents and settings\Administrador\Application Data\PnkBstrK.sys
2009-01-24 14:15 . 2009-01-24 14:15 <DIR> d-------- c:\programas\Adobe Media Player
2009-01-24 14:12 . 2009-01-24 14:12 <DIR> d-------- c:\programas\Ficheiros comuns\Adobe AIR
2009-01-24 12:02 . 2009-01-24 12:13 <DIR> d-------- c:\documents and settings\Administrador\Application Data\Download Manager

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 10:20 --------- d-----w c:\programas\Malwarebytes' Anti-Malware
2009-02-22 20:19 --------- d-----w c:\documents and settings\Administrador\Application Data\Azureus
2009-02-22 10:58 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-21 15:00 --------- d-----w c:\programas\Lavasoft
2009-02-21 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 21:02 70,656 ----a-w c:\windows\notepad.exe
2009-02-20 21:02 327,168 ----a-w c:\windows\IsUn0816.exe
2009-02-20 21:02 323,072 ----a-w c:\windows\IsUninst.exe
2009-02-20 21:02 310,784 ----a-w c:\windows\IsUn0416.exe
2009-02-20 21:02 299,008 ----a-w c:\windows\uninst.exe
2009-02-20 21:02 288,256 ----a-w c:\windows\winhlp32.exe
2009-02-20 21:02 25,600 ----a-w c:\windows\twunk_32.exe
2009-02-20 21:02 15,872 ----a-w c:\windows\TASKMAN.EXE
2009-02-20 21:02 122,880 ----a-w c:\windows\UnGins.exe
2009-02-20 21:01 35,328 ----a-w c:\windows\emAMCAP.exe
2009-02-20 21:01 20,480 ----a-w c:\windows\HyperDrive.exe
2009-02-20 21:01 188,416 ----a-w c:\windows\emSTI.exe
2009-02-20 21:01 10,752 ----a-w c:\windows\hh.exe
2009-02-20 20:29 --------- d-----w c:\programas\PBP Unpacker
2009-02-20 19:59 --------- d-----w c:\programas\GSalive CS 1.6 NS
2009-02-20 19:03 126,976 ----a-w C:\W3XMapHack120E2.exe
2009-02-20 19:00 1,035,776 ----a-w c:\windows\explorer.exe
2009-02-20 17:54 --------- d-----w c:\programas\MagicISO
2009-02-20 13:34 --------- d-----w c:\programas\ATI Technologies
2009-02-20 13:30 --------- d-----w c:\programas\Ficheiros comuns\Wise Installation Wizard
2009-02-20 12:29 --------- d--h--w c:\programas\InstallShield Installation Information
2009-02-20 10:58 --------- d-----w c:\documents and settings\Administrador\Application Data\Uniblue
2009-02-17 16:48 70,512 ----a-w c:\documents and settings\Administrador\Application Data\GDIPFONTCACHEV1.DAT
2009-02-17 14:20 --------- d-----w c:\documents and settings\Administrador\Application Data\Skype
2009-02-17 14:17 --------- d-----w c:\documents and settings\Administrador\Application Data\skypePM
2009-02-13 12:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-12 22:30 --------- d-----w c:\programas\Valve
2009-02-11 17:28 --------- d-----w c:\programas\Messenger Plus! Live
2009-02-11 10:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-29 23:49 196,608 ----a-w c:\windows\system32\drivers\aStandard.bin
2009-01-29 13:03 --------- d-----w c:\programas\Vuze
2009-01-24 16:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 14:48 --------- d-----w c:\programas\Macromedia
2009-01-24 14:17 --------- d-----w c:\programas\Ficheiros comuns\Adobe
2009-01-24 13:50 --------- d-----w c:\programas\Ficheiros comuns\Macromedia
2009-01-21 15:49 118,656 ----a-w c:\windows\system32\drivers\Rtnicxp.sys
2009-01-21 11:12 --------- d-----w c:\programas\CoreCodec
2009-01-19 12:25 --------- d-----w c:\programas\Soulseek
2009-01-18 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS
2009-01-18 21:15 --------- d-----w c:\programas\Pando Networks
2009-01-18 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2009-01-17 17:38 --------- d-----w c:\documents and settings\Administrador\Application Data\GameScanner
2009-01-17 15:28 --------- d-----w c:\programas\Hewlett-Packard
2009-01-17 15:23 --------- d-----w c:\programas\Pcsx2_0.9.4
2009-01-17 13:27 --------- d-----w c:\programas\K-Lite Codec Pack
2009-01-17 13:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-17 13:26 --------- d-----w c:\documents and settings\Administrador\Application Data\Apple Computer
2009-01-17 13:24 --------- d-----w c:\programas\Haali
2009-01-14 07:14 3,455,488 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-01-14 03:43 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-01-12 19:45 --------- d-----w c:\programas\XVideoConverter
2009-01-12 19:24 --------- d-----w c:\programas\Azureus
2009-01-12 18:48 --------- d-----w c:\programas\Bluefox Studio
2009-01-12 17:33 --------- d-----w c:\programas\SUPERAntiSpyware
2009-01-12 17:33 --------- d-----w c:\documents and settings\Administrador\Application Data\SUPERAntiSpyware.com
2009-01-12 17:31 --------- d-----w c:\documents and settings\Administrador\Application Data\uTorrent
2009-01-10 20:20 4,608 ----a-w c:\windows\cocowawa.dll
2009-01-10 19:01 --------- d-----w c:\programas\WinXMedia
2009-01-10 15:02 --------- d-----w c:\programas\Ficheiros comuns\xing shared
2009-01-10 15:02 --------- d-----w c:\programas\Ficheiros comuns\Real
2009-01-05 17:24 --------- d-----w c:\programas\Torrent Harvester
2009-01-05 13:45 --------- d-----w c:\programas\Epic MegaGames
2009-01-05 13:07 --------- d-----w c:\programas\eMule
2009-01-03 00:04 --------- d-----w c:\documents and settings\All Users\Application Data\GameScanner
2009-01-03 00:01 --------- d-----w c:\programas\GameSpy Arcade
2009-01-01 12:36 --------- d-----w c:\programas\DarkCheats
2008-12-28 18:21 --------- d-----w c:\programas\Fortego Security
2008-12-27 14:56 --------- d-----w c:\programas\AlienGUIse
2007-11-15 20:17 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-10-25 09:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Definições locais\Histórico\History.IE5\MSHist012008102520081026\index.dat
.

------- Sigcheck -------

2009-02-20 19:00 1035776 9a0cfda7a8061eae1b49f1c591cd588c c:\windows\explorer.exe
2009-02-20 21:03 1035264 e4786809a1e3cbec2ce929d6b1283f1b c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2009-02-20 21:05 1052165 ff72246732eae3f3076bf7df675c7995 c:\windows\$NtServicePackUninstall$\explorer.exe
2009-02-20 21:07 1034240 8ce395dd09c0fbe82c8ff529528242b0 c:\windows\$NtUninstallKB938828$\explorer.exe
2009-02-20 21:14 1035776 9a0cfda7a8061eae1b49f1c591cd588c c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-03 23:56 32768 db37a839f4a2be4f93cf7e614bab63d2 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2009-02-20 21:14 15360 93f93102a8c5d0da6750b25a0c339b66 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-02-20 19:00 15360 93f93102a8c5d0da6750b25a0c339b66 c:\windows\system32\ctfmon.exe

2004-08-03 23:57 42496 bbdb97f728c2eab8b139e78bb8c79579 c:\windows\$NtServicePackUninstall$\userinit.exe
2009-02-20 21:19 26624 7ce5eb4e0a3c37c4c660b626df3db9be c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-20 21:27 26624 7ce5eb4e0a3c37c4c660b626df3db9be c:\windows\system32\userinit.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-02-20 15360]
"MsnMsgr"="c:\programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\programas\CyberLink\PowerDVD\PDVDServ.exe" [2009-02-20 32768]
"AdobeVersionCue"="c:\programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1753088]
"PWRISOVM.EXE"="c:\programas\PowerISO\PWRISOVM.EXE" [2009-02-20 200704]
"SunJavaUpdateSched"="c:\programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"TkBellExe"="c:\programas\Ficheiros comuns\Real\Update_OB\realsched.exe" [2009-01-17 185872]
"AdobeCS4ServiceManager"="c:\programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"ATICustomerCare"="c:\programas\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-02-20 307200]
"SoundMAXPnP"="c:\programas\Analog Devices\Core\smax4pnp.exe" [2009-02-20 1040384]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2009-02-20 171520]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2009-02-20 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-02-20 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - c:\programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\programas\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-22 10:58 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\Microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-02-22 10:58 1601304 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\Microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\Microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Messenger\\msmsgs.exe"=
"c:\\Programas\\mIRC\\mirc.exe"=
"c:\\Programas\\NetMeeting\\conf.exe"=
"c:\\Hybrid\\Hybrid.exe"=
"c:\\Programas\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Programas\\Autodesk\\Backburner\\manager.exe"=
"c:\\Programas\\Autodesk\\Backburner\\server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Os meus documentos\\Azureus Downloads\\Star Wars Jedi Knight - Jedi Academy\\GameData\\GameData\\jamp.exe"=
"c:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programas\\Soulseek\\slsk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Programas\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Programas\\Ficheiros comuns\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Programas\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Programas\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programas\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"13050:UDP"= 13050:UDP:SecondLife
"58036:TCP"= 58036:TCP:Pando Media Booster
"58036:UDP"= 58036:UDP:Pando Media Booster
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-22 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-22 107272]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\programas\Viewpoint\Common\ViewpointService.exe [2008-03-29 24576]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\Drivers\e4ldr.sys --> c:\windows\system32\Drivers\e4ldr.sys [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\programas\McAfee\SiteAdvisor\McSACore.exe" --> c:\programas\McAfee\SiteAdvisor\McSACore.exe [?]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2002-06-11 34048]
S3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\DRIVERS\e4usbaw.sys --> c:\windows\system32\DRIVERS\e4usbaw.sys [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-22 298264]
S4 Dpt42swmcnzat;Dpt42swmcnzat; [x]

[HKEY_CURRENT_USER\software\Microsoft\windows\currentversion\explorer\mountpoints2\{fc990470-1880-11dd-89af-00173f99dbc7}]
\Shell\Auto\command - McRegWizz.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe e
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-02-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programas\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORFÃOS REMOVIDOS - - - -

Toolbar-{93344865-74BD-4873-BE65-56539D41A65C} - (no file)


.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.deviantart.com/
mStart Page = hxxp://br.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - {93344865-74BD-4873-BE65-56539D41A65C} -
TCP: {5B66BA35-9160-44B0-85E3-D8563EF3A6DC} = 194.65.47.43,194.65.47.44
TCP: {BA6278B5-8E09-48B5-B0C9-904A1803E533} = 192.168.0.1
DPF: {93344865-74BD-4873-BE65-56539D41A65C} - hxxp://earn2life.com/plugin/Earn2Life.cab
FF - ProfilePath - c:\documents and settings\Administrador\Application Data\Mozilla\Firefox\Profiles\qffrjskl.nightelfmohawk\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.bleachexile.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\programas\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programas\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programas\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\programas\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 14:05:47
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\Administrator\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43613DEA-565E-A006-2C4B-FC450A21DB9C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaebnkomfijooflbpk"=hex:6a,61,6e,62,63,61,68,62,68,6b,69,6d,66,67,61,70,63,68,
63,63,00,00
"haknhmigdicaonnh"=hex:6a,61,6e,62,63,61,68,62,68,6b,69,6d,66,67,61,70,63,68,
63,63,00,ff
"iaaacenelhmpapmpjl"=hex:63,61,62,63,6f,61,00,7c

[HKEY_USERS\Administrator\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F7F8EFB-70A2-EDC4-812A-8D0FFECE72AA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialpdhnmpoiemphijc"=hex:6a,61,68,65,6c,6d,70,63,69,66,64,65,6c,67,62,67,69,68,
70,6c,00,00
"hafoffinekdamfej"=hex:69,61,6b,65,66,6e,63,6e,6b,63,70,68,67,62,70,6d,65,70,
00,00

[HKEY_USERS\Administrator\SOFTWARE\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,d1,fc,91,95,2f,7e,04,60,b8,4b,41,9d,42,17,d3,80,92,4f,14,62,79,d3,
28,5b,e1,f2,44,72,cf,86,65,8a,60,36,6a,bd,65,78,be,60,72,27,3c,f1,b4,45,09,\
"??"=hex:25,52,30,17,cb,a9,95,ed,7b,3b,30,64,7b,4d,07,ff

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8F7F8EFB-70A2-EDC4-812A-8D0FFECE72AA}\InProcServer32*]
"jajpohhbpmdnpbbpkbad"=hex:6a,61,68,65,6c,6d,70,63,69,66,64,65,6c,67,62,67,69,
68,70,6c,00,00
"iajpienhbgmfjcdgnc"=hex:69,61,6b,65,66,6e,63,6e,6b,63,70,68,67,62,70,6d,65,70,
00,00
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
c:\programas\AlienGUIse\fastload.dll
c:\programas\Bonjour\mdnsNSP.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\programas\AVG\AVG8\avgrsx.exe
c:\windows\system32\AEADISRV.EXE
c:\windows\ATKKBService.exe
c:\programas\Bonjour\mDNSResponder.exe
c:\programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\notepad.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-02-24 14:11:14 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-02-24 14:10:12

Pré-execução: 38.908.866.560 bytes livres
Pós execução: 40,386,924,544 bytes livres

WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

371 --- E O F --- 2009-02-22 17:28:23


-------------------


HiJackThis LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:12:17, on 24-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AEADISRV.EXE
C:\WINDOWS\ATKKBService.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Viewpoint\Common\ViewpointService.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Programas\PowerISO\PWRISOVM.EXE
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programas\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Programas\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programas\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B66BA35-9160-44B0-85E3-D8563EF3A6DC}: NameServer = 194.65.47.43,194.65.47.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA6278B5-8E09-48B5-B0C9-904A1803E533}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Programas\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\WINDOWS\system32\AEADISRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Programas\McAfee\SiteAdvisor\McSACore.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programas\Viewpoint\Common\ViewpointService.exe

--
End of file - 8550 bytes

#6 Mr.Million    

Mr.Million

    Consumer Security MVP

  • Expert
  • 65384 posts

Posted 24 February 2009 - 12:09 PM

Click Start -> Run and type msconfig -> OK. On the Startup tab -> check all the items and confirm.

Restart and post a new HijackThis log made in Normal Mode.

#7 narayann    

narayann
  • Participant
  • 14 posts

Posted 24 February 2009 - 01:45 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:46:33, on 24-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AEADISRV.EXE
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Programas\PowerISO\PWRISOVM.EXE
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Viewpoint\Common\ViewpointService.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programas\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Programas\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programas\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B66BA35-9160-44B0-85E3-D8563EF3A6DC}: NameServer = 194.65.47.43,194.65.47.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA6278B5-8E09-48B5-B0C9-904A1803E533}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Programas\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\WINDOWS\system32\AEADISRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Programas\McAfee\SiteAdvisor\McSACore.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programas\Viewpoint\Common\ViewpointService.exe

--
End of file - 8807 bytes

#8 Mr.Million

    Consumer Security MVP

  • Specialist
  • 65384 posts

Published 24 February 2009 - 02:22 PM

If you have a USB flash drive or an MP3 or MP4 player, connect it to the PC (if you have more than one, you have to connect all of them). Do not remove them until you have completed all the instructions.

Delete the qoobox folder located in C:\, and also delete the ComboFix.txt log, also located in C:\.

I suggest you print or save the procedure below, and do not use the Internet until the procedure is finished.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the Desktop with the name CFScript.txt.

File::
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe
Registry::
[-HKEY_CURRENT_USER\software\Microsoft\windows\currentversion\explorer\mountpoints2\{fc990470-1880-11dd-89af-00173f99dbc7}]


Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

http://users.pandora...es/CFScript.gif

ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Make a new log with HijackThis in Normal Mode and post it together with ComboFix.txt.
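The CFScript above acts on specific entries that a helper picked out of the HijackThis and ComboFix logs posted in this thread. As an added example (it is not part of the original thread and not a feature of ComboFix or HijackThis), the Python script below does a first-pass triage of log lines in the formats used here, flagging the kinds of entries a helper checks first: autorun items whose file is missing, services with no publisher or with an ImagePath that is not a real path, a disabled firewall, AppInit_DLLs injection, a file the scanner marks as infected, and a patched NTDLL export. The sample log is constructed in that format and is not the poster's actual log.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = act on it, "review" = verify by hand
    reason: str
    line: str


# Line shapes taken from the HijackThis and ComboFix logs posted in this thread.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix driver/service line: "S2 name;description;path [date size]"; the
# "(?!- )" keeps HijackThis "R1 - HKLM..." lines out of this rule.
CF_SVC_RE = re.compile(r"^[RS]\d (?!- )(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*)$")
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
INFECTED_RE = re.compile(r"\. \. \. (está infetado|is infected)")


def triage_line(text: str) -> list[Finding]:
    """Findings for one log line; an empty list means nothing notable."""
    found: list[Finding] = []
    if "(file missing)" in text or "(no file)" in text:
        found.append(Finding("review", "entry points to a file that no longer exists", text))
    m = O23_RE.match(text)
    if m and m.group("owner") == "Unknown owner":
        found.append(Finding("review", "service carries no publisher information", text))
    m = O4_RE.match(text)
    if m and re.search(r"rundll32.*ShellExec_RunDLL", m.group("cmd"), re.IGNORECASE):
        found.append(Finding("high", "autorun starts another program indirectly through rundll32", text))
    m = CF_SVC_RE.match(text)
    if m:
        # ComboFix prints "path --> resolved path [?]" when the file cannot be found,
        # and " [x]" when there is no path at all; look only at the resolved part.
        path = m.group("path").split(" --> ")[-1]
        path = re.sub(r"\s*\[[^\]]*\]$", "", path).strip()
        if not DRIVE_PATH_RE.match(path):
            found.append(Finding("high", f"service ImagePath is not a filesystem path ({path or 'empty'})", text))
    if re.match(r'^"EnableFirewall"\s*=\s*0\b', text):
        found.append(Finding("high", "Windows Firewall is disabled for the standard profile", text))
    m = re.match(r'^"AppInit_DLLs"\s*=\s*(?P<dlls>\S.*)$', text)
    if m:
        found.append(Finding("high", f"AppInit_DLLs loads {m.group('dlls').strip()} into every GUI process", text))
    if INFECTED_RE.search(text):
        found.append(Finding("high", "scanner reports the file itself as infected", text))
    return found


def triage_log(log: str) -> list[Finding]:
    """Run triage_line over a whole log and add the two-line NTDLL hook check."""
    lines = [ln.strip() for ln in log.splitlines()]
    findings: list[Finding] = []
    for i, text in enumerate(lines):
        findings.extend(triage_line(text))
        if text.startswith("detected NTDLL code modification"):
            # the hooked export name is printed on the following non-empty line
            hooked = next((ln for ln in lines[i + 1:] if ln), "<unknown>")
            findings.append(Finding("high", f"NTDLL export {hooked} is patched in memory (user-mode hook)", text))
    # act-now items first, then the ones a helper verifies by hand
    return sorted(findings, key=lambda f: f.severity != "high")


# Constructed sample in the format of this thread's logs (not the poster's real log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKLM\\..\\Run: [McRegWizz] c:\\windows\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\\WINDOWS\\Microsoft.NET\\Framework\\v3.0\\Windows Communication Foundation\\infocard.exe (file missing)
c:\\windows\\explorer.exe . . . está infetado!!
"AppInit_DLLs"=wbsys.dll
"EnableFirewall"= 0 (0x0)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [2009-02-22 325128]
S2 OMSCAN;OMSCAN;\\Sysi --> \\Sysi [?]
S4 Dpt42swmcnzat;Dpt42swmcnzat; [x]
detected NTDLL code modification:
ZwOpenFile
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```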

#9 narayann
  • Participant
  • 14 posts

Published 24 February 2009 - 03:04 PM

Here they are:

ComboFIX:

ComboFix 09-02-21.01 - Administrador 2009-02-24 17:55:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.2047.1586 [GMT 0:00]
Executando de: c:\documents and settings\Administrador\Ambiente de trabalho\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Administrador\Ambiente de trabalho\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Criado um novo ponto de restauro

FILE ::
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\explorer.exe . . . está infetado!!

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-24 to 2009-02-24 ))))))))))))))))))))))))))))
.

2009-02-23 09:31 . 2009-02-23 09:31 <DIR> d-------- c:\programas\Trend Micro
2009-02-23 09:30 . 2009-02-23 09:31 <DIR> d-------- C:\CCleaner
2009-02-23 09:26 . 2009-02-23 09:26 <DIR> d-------- c:\programas\CCleaner
2009-02-22 17:23 . 2009-02-22 17:23 <DIR> d-------- c:\programas\Microsoft.NET
2009-02-22 17:15 . 2009-02-22 17:15 <DIR> d-------- C:\8ec090f8f29fcc45890e684b3c64bb
2009-02-22 17:15 . 2009-02-22 17:15 <DIR> d-------- C:\52287885bfe694d80d7cbb
2009-02-22 11:39 . 2009-02-22 11:39 <DIR> d-------- c:\windows\system32\URTTemp
2009-02-22 11:29 . 2009-02-22 11:46 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-22 10:58 . 2009-02-24 10:02 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-22 10:58 . 2009-02-22 10:58 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-22 10:58 . 2009-02-22 10:58 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-22 10:58 . 2009-02-22 10:58 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-21 18:48 . 2009-02-21 18:48 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-02-20 18:45 . 2009-02-21 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-02-20 18:43 . 2009-02-21 19:13 <DIR> d-------- c:\programas\McAfee
2009-02-20 18:38 . 2009-02-21 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-02-20 17:15 . 2008-04-14 21:39 870,784 --------- c:\windows\system32\ati3d1ag.dll
2009-02-20 17:15 . 2008-04-14 21:39 377,984 --------- c:\windows\system32\ati2dvaa.dll
2009-02-20 17:15 . 2008-04-14 21:39 32,768 --------- c:\windows\system32\ativtmxx.dll
2009-02-20 17:15 . 2008-04-14 21:40 23,040 --------- c:\windows\system32\ativmvxx.ax
2009-02-20 17:15 . 2008-04-14 21:40 9,728 --------- c:\windows\system32\ativdaxx.ax
2009-02-20 16:31 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2009-02-20 16:25 . 2009-02-20 16:54 <DIR> d-------- C:\b4af109b097d9f47026ba7ffff
2009-02-20 15:56 . 2009-02-20 15:56 <DIR> d-------- c:\documents and settings\LocalService\Ambiente de trabalho
2009-02-20 14:50 . 2009-02-20 14:50 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-20 13:44 . 2009-02-20 21:21 593,920 --a------ c:\windows\system32\ati2sgag.exe
2009-02-20 13:28 . 2009-02-20 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SonicFocus
2009-02-20 12:43 . 2009-02-20 12:52 <DIR> d-------- c:\programas\Driver Checker
2009-02-20 12:28 . 2009-02-20 13:30 <DIR> d-------- c:\programas\ATI
2009-02-20 12:24 . 2008-12-04 09:31 53,248 --a------ c:\windows\system32\CSVer.dll
2009-02-20 12:23 . 2009-02-20 12:23 <DIR> d-------- c:\programas\Realtek
2009-02-20 12:23 . 2009-01-16 22:45 73,728 --a------ c:\windows\system32\RtNicProp32.dll
2009-02-20 12:07 . 2009-02-20 13:29 <DIR> d-------- c:\programas\Driver-Soft
2009-02-20 12:07 . 2007-09-02 20:56 1,686,016 --a------ c:\windows\system32\clinetsuitex6.ocx
2009-02-20 12:07 . 2004-03-09 16:45 662,288 --a------ c:\windows\system32\MSCOMCT2.OCX
2009-02-20 12:07 . 2004-06-14 14:56 427,864 --a------ c:\windows\system32\XceedZip.dll
2009-02-20 11:58 . 2009-02-20 11:58 <DIR> d-------- c:\programas\iXi Tools
2009-02-20 11:56 . 2009-02-20 11:56 <DIR> d-------- c:\documents and settings\Administrador\Application Data\Thinstall
2009-02-20 11:47 . 2009-02-20 11:47 <DIR> d-------- c:\programas\XPC Tools
2009-02-20 10:56 . 2009-02-20 10:56 <DIR> d-------- c:\programas\Analog Devices
2009-02-20 10:54 . 2009-02-20 10:54 <DIR> d-------- C:\Intel
2009-02-20 10:54 . 2009-02-20 10:54 <DIR> d-------- C:\Drivers
2009-02-20 10:44 . 2009-02-20 10:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-16 20:17 . 2009-02-16 20:17 <DIR> d-------- c:\windows\system32\VirtualExpander
2009-02-15 10:46 . 2009-02-22 10:44 <DIR> d-------- c:\documents and settings\Administrador\Application Data\SecondLife
2009-02-15 10:44 . 2009-02-15 10:44 <DIR> d-------- c:\programas\SecondLifeReleaseCandidate
2009-02-12 20:08 . 2009-02-15 09:56 <DIR> d-------- c:\documents and settings\Administrador\Application Data\OnRez
2009-02-09 22:52 . 2009-02-09 22:52 <DIR> d-------- c:\documents and settings\Administrador\Application Data\id Software
2009-02-09 22:50 . 2009-02-09 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-02-09 22:50 . 2009-02-20 21:25 2,266,642 --a------ c:\windows\system32\pbsvc.exe
2009-02-09 22:50 . 2009-02-11 20:02 188,896 --a------ c:\windows\system32\PnkBstrB.exe
2009-02-09 22:50 . 2009-02-11 20:02 138,784 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 22:50 . 2009-02-11 20:02 70,968 --a------ c:\windows\system32\PnkBstrA.exe
2009-02-09 22:50 . 2009-02-09 22:50 22,328 --a------ c:\documents and settings\Administrador\Application Data\PnkBstrK.sys
2009-01-24 14:15 . 2009-01-24 14:15 <DIR> d-------- c:\programas\Adobe Media Player
2009-01-24 14:12 . 2009-01-24 14:12 <DIR> d-------- c:\programas\Ficheiros comuns\Adobe AIR
2009-01-24 12:02 . 2009-01-24 12:13 <DIR> d-------- c:\documents and settings\Administrador\Application Data\Download Manager

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 17:46 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-24 10:20 --------- d-----w c:\programas\Malwarebytes' Anti-Malware
2009-02-22 20:19 --------- d-----w c:\documents and settings\Administrador\Application Data\Azureus
2009-02-21 15:00 --------- d-----w c:\programas\Lavasoft
2009-02-21 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 21:28 32,256 ----a-w c:\windows\system32\wupdmgr.exe
2009-02-20 21:28 32,256 ----a-w c:\windows\system32\wpabaln.exe
2009-02-20 21:28 30,720 ----a-w c:\windows\system32\xcopy.exe
2009-02-20 21:28 28,168 ----a-w c:\windows\system32\wpnpinst.exe
2009-02-20 21:28 17,408 ----a-w c:\windows\system32\wpdshextautoplay.exe
2009-02-20 21:28 163,336 ----a-w c:\windows\system32\WudfHost.exe
2009-02-20 21:28 155,648 ----a-w c:\windows\system32\wscript.exe
2009-02-20 21:26 99,328 ----a-w c:\windows\system32\scardsvr.exe
2009-02-20 21:25 9,728 ----a-w c:\windows\system32\proxycfg.exe
2009-02-20 21:24 87,552 ----a-w c:\windows\system32\netsh.exe
2009-02-20 21:23 9,728 ----a-w c:\windows\system32\label.exe
2009-02-20 21:22 9,728 ----a-w c:\windows\system32\finger.exe
2009-02-20 21:21 98,304 ----a-w c:\windows\system32\ahui.exe
2009-02-20 21:12 769,024 ----a-w c:\windows\pchealth\helpctr\binaries\helpctr.exe
2009-02-20 21:12 744,448 ----a-w c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2009-02-20 21:12 171,520 ----a-w c:\windows\pchealth\helpctr\binaries\msconfig.exe
2009-02-20 21:02 70,656 ----a-w c:\windows\notepad.exe
2009-02-20 21:02 327,168 ----a-w c:\windows\IsUn0816.exe
2009-02-20 21:02 323,072 ----a-w c:\windows\IsUninst.exe
2009-02-20 21:02 310,784 ----a-w c:\windows\IsUn0416.exe
2009-02-20 21:02 299,008 ----a-w c:\windows\uninst.exe
2009-02-20 21:02 288,256 ----a-w c:\windows\winhlp32.exe
2009-02-20 21:02 25,600 ----a-w c:\windows\twunk_32.exe
2009-02-20 21:02 15,872 ----a-w c:\windows\TASKMAN.EXE
2009-02-20 21:02 122,880 ----a-w c:\windows\UnGins.exe
2009-02-20 21:01 35,328 ----a-w c:\windows\emAMCAP.exe
2009-02-20 21:01 20,480 ----a-w c:\windows\HyperDrive.exe
2009-02-20 21:01 188,416 ----a-w c:\windows\emSTI.exe
2009-02-20 21:01 10,752 ----a-w c:\windows\hh.exe
2009-02-20 20:29 --------- d-----w c:\programas\PBP Unpacker
2009-02-20 19:59 --------- d-----w c:\programas\GSalive CS 1.6 NS
2009-02-20 19:03 90,112 ----a-w c:\windows\system32\AEADISRV.EXE
2009-02-20 19:03 126,976 ----a-w C:\W3XMapHack120E2.exe
2009-02-20 19:00 598,016 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-20 19:00 15,360 ----a-w c:\windows\system32\ctfmon.exe
2009-02-20 19:00 1,035,776 ----a-w c:\windows\explorer.exe
2009-02-20 17:54 --------- d-----w c:\programas\MagicISO
2009-02-20 13:34 --------- d-----w c:\programas\ATI Technologies
2009-02-20 13:30 --------- d-----w c:\programas\Ficheiros comuns\Wise Installation Wizard
2009-02-20 12:29 --------- d--h--w c:\programas\InstallShield Installation Information
2009-02-20 10:58 --------- d-----w c:\documents and settings\Administrador\Application Data\Uniblue
2009-02-17 16:48 70,512 ----a-w c:\documents and settings\Administrador\Application Data\GDIPFONTCACHEV1.DAT
2009-02-17 14:20 --------- d-----w c:\documents and settings\Administrador\Application Data\Skype
2009-02-17 14:17 --------- d-----w c:\documents and settings\Administrador\Application Data\skypePM
2009-02-13 12:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-12 22:30 --------- d-----w c:\programas\Valve
2009-02-11 17:28 --------- d-----w c:\programas\Messenger Plus! Live
2009-02-11 10:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-29 23:49 196,608 ----a-w c:\windows\system32\drivers\aStandard.bin
2009-01-29 13:03 --------- d-----w c:\programas\Vuze
2009-01-24 16:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 14:48 --------- d-----w c:\programas\Macromedia
2009-01-24 14:17 --------- d-----w c:\programas\Ficheiros comuns\Adobe
2009-01-24 13:50 --------- d-----w c:\programas\Ficheiros comuns\Macromedia
2009-01-21 15:49 118,656 ----a-w c:\windows\system32\drivers\Rtnicxp.sys
2009-01-21 11:12 --------- d-----w c:\programas\CoreCodec
2009-01-19 12:25 --------- d-----w c:\programas\Soulseek
2009-01-18 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS
2009-01-18 21:15 --------- d-----w c:\programas\Pando Networks
2009-01-18 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2009-01-17 17:38 --------- d-----w c:\documents and settings\Administrador\Application Data\GameScanner
2009-01-17 15:28 --------- d-----w c:\programas\Hewlett-Packard
2009-01-17 15:23 --------- d-----w c:\programas\Pcsx2_0.9.4
2009-01-17 13:27 --------- d-----w c:\programas\K-Lite Codec Pack
2009-01-17 13:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-17 13:26 --------- d-----w c:\documents and settings\Administrador\Application Data\Apple Computer
2009-01-17 13:24 --------- d-----w c:\programas\Haali
2009-01-14 07:14 3,455,488 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-01-14 05:46 11,591,680 ----a-w c:\windows\system32\atioglxx.dll
2009-01-14 04:53 286,720 ----a-w c:\windows\system32\atiok3x2.dll
2009-01-14 04:49 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-01-14 04:47 323,584 ----a-w c:\windows\system32\ati2dvag.dll
2009-01-14 04:36 196,608 ----a-w c:\windows\system32\atipdlxx.dll
2009-01-14 04:36 151,552 ----a-w c:\windows\system32\Oemdspif.dll
2009-01-14 04:35 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2009-01-14 04:35 155,648 ----a-w c:\windows\system32\ati2evxx.dll
2009-01-14 04:32 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-01-14 04:22 4,009,152 ----a-w c:\windows\system32\ati3duag.dll
2009-01-14 04:05 2,500,224 ----a-w c:\windows\system32\ativvaxx.dll
2009-01-14 03:50 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2009-01-14 03:45 401,408 ----a-w c:\windows\system32\atikvmag.dll
2009-01-14 03:44 17,408 ----a-w c:\windows\system32\atitvo32.dll
2009-01-14 03:44 110,592 ----a-w c:\windows\system32\atiadlxx.dll
2009-01-14 03:43 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-01-14 03:37 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2009-01-14 03:37 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2009-01-14 02:36 45,056 ----a-w c:\windows\system32\amdcalrt.dll
2009-01-14 02:36 45,056 ----a-w c:\windows\system32\amdcalcl.dll
2009-01-14 02:34 3,227,648 ----a-w c:\windows\system32\Amdcaldd.dll
2009-01-12 19:45 --------- d-----w c:\programas\XVideoConverter
2009-01-12 19:24 --------- d-----w c:\programas\Azureus
2009-01-12 18:48 --------- d-----w c:\programas\Bluefox Studio
2009-01-12 17:33 --------- d-----w c:\programas\SUPERAntiSpyware
2009-01-12 17:33 --------- d-----w c:\documents and settings\Administrador\Application Data\SUPERAntiSpyware.com
2008-10-25 09:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Definições locais\Histórico\History.IE5\MSHist012008102520081026\index.dat
.

------- Sigcheck -------

2009-02-20 19:00 1035776 9a0cfda7a8061eae1b49f1c591cd588c c:\windows\explorer.exe
2009-02-20 21:03 1035264 e4786809a1e3cbec2ce929d6b1283f1b c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2009-02-20 21:05 1052165 ff72246732eae3f3076bf7df675c7995 c:\windows\$NtServicePackUninstall$\explorer.exe
2009-02-20 21:07 1034240 8ce395dd09c0fbe82c8ff529528242b0 c:\windows\$NtUninstallKB938828$\explorer.exe
2009-02-20 21:14 1035776 9a0cfda7a8061eae1b49f1c591cd588c c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-03 23:56 32768 db37a839f4a2be4f93cf7e614bab63d2 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2009-02-20 21:14 15360 93f93102a8c5d0da6750b25a0c339b66 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-02-20 19:00 15360 93f93102a8c5d0da6750b25a0c339b66 c:\windows\system32\ctfmon.exe

2004-08-03 23:57 42496 bbdb97f728c2eab8b139e78bb8c79579 c:\windows\$NtServicePackUninstall$\userinit.exe
2009-02-20 21:19 26624 7ce5eb4e0a3c37c4c660b626df3db9be c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-20 21:27 26624 7ce5eb4e0a3c37c4c660b626df3db9be c:\windows\system32\userinit.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-02-20 15360]
"MsnMsgr"="c:\programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\programas\CyberLink\PowerDVD\PDVDServ.exe" [2009-02-20 32768]
"AdobeVersionCue"="c:\programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1753088]
"PWRISOVM.EXE"="c:\programas\PowerISO\PWRISOVM.EXE" [2009-02-20 200704]
"SunJavaUpdateSched"="c:\programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"TkBellExe"="c:\programas\Ficheiros comuns\Real\Update_OB\realsched.exe" [2009-01-17 185872]
"AdobeCS4ServiceManager"="c:\programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"ATICustomerCare"="c:\programas\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-02-20 307200]
"SoundMAXPnP"="c:\programas\Analog Devices\Core\smax4pnp.exe" [2009-02-20 1040384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-22 1601304]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2009-02-20 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-02-20 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - c:\programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\programas\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-22 10:58 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\Microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Messenger\\msmsgs.exe"=
"c:\\Programas\\mIRC\\mirc.exe"=
"c:\\Programas\\NetMeeting\\conf.exe"=
"c:\\Hybrid\\Hybrid.exe"=
"c:\\Programas\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Programas\\Autodesk\\Backburner\\manager.exe"=
"c:\\Programas\\Autodesk\\Backburner\\server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Os meus documentos\\Azureus Downloads\\Star Wars Jedi Knight - Jedi Academy\\GameData\\GameData\\jamp.exe"=
"c:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programas\\Soulseek\\slsk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Programas\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Programas\\Ficheiros comuns\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Programas\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Programas\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programas\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"13050:UDP"= 13050:UDP:SecondLife
"58036:TCP"= 58036:TCP:Pando Media Booster
"58036:UDP"= 58036:UDP:Pando Media Booster
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-22 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-22 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-22 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\programas\Viewpoint\Common\ViewpointService.exe [2008-03-29 24576]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\Drivers\e4ldr.sys --> c:\windows\system32\Drivers\e4ldr.sys [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\programas\McAfee\SiteAdvisor\McSACore.exe" --> c:\programas\McAfee\SiteAdvisor\McSACore.exe [?]
S2 OMSCAN;OMSCAN;\Sysi --> \Sysi [?]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2002-06-11 34048]
S3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\DRIVERS\e4usbaw.sys --> c:\windows\system32\DRIVERS\e4usbaw.sys [?]
S4 Dpt42swmcnzat;Dpt42swmcnzat; [x]
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-02-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programas\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.deviantart.com/
mStart Page = hxxp://br.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - {93344865-74BD-4873-BE65-56539D41A65C} -
TCP: {5B66BA35-9160-44B0-85E3-D8563EF3A6DC} = 194.65.47.43,194.65.47.44
TCP: {BA6278B5-8E09-48B5-B0C9-904A1803E533} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Administrador\Application Data\Mozilla\Firefox\Profiles\qffrjskl.nightelfmohawk\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.bleachexile.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\programas\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programas\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programas\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\programas\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 17:59:11
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\Administrator\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43613DEA-565E-A006-2C4B-FC450A21DB9C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaebnkomfijooflbpk"=hex:6a,61,6e,62,63,61,68,62,68,6b,69,6d,66,67,61,70,63,68,
63,63,00,00
"haknhmigdicaonnh"=hex:6a,61,6e,62,63,61,68,62,68,6b,69,6d,66,67,61,70,63,68,
63,63,00,ff
"iaaacenelhmpapmpjl"=hex:63,61,62,63,6f,61,00,7c

[HKEY_USERS\Administrator\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F7F8EFB-70A2-EDC4-812A-8D0FFECE72AA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialpdhnmpoiemphijc"=hex:6a,61,68,65,6c,6d,70,63,69,66,64,65,6c,67,62,67,69,68,
70,6c,00,00
"hafoffinekdamfej"=hex:69,61,6b,65,66,6e,63,6e,6b,63,70,68,67,62,70,6d,65,70,
00,00

[HKEY_USERS\Administrator\SOFTWARE\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,d1,fc,91,95,2f,7e,04,60,b8,4b,41,9d,42,17,d3,80,92,4f,14,62,79,d3,
28,5b,e1,f2,44,72,cf,86,65,8a,60,36,6a,bd,65,78,be,60,72,27,3c,f1,b4,45,09,\
"??"=hex:25,52,30,17,cb,a9,95,ed,7b,3b,30,64,7b,4d,07,ff

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8F7F8EFB-70A2-EDC4-812A-8D0FFECE72AA}\InProcServer32*]
"jajpohhbpmdnpbbpkbad"=hex:6a,61,68,65,6c,6d,70,63,69,66,64,65,6c,67,62,67,69,
68,70,6c,00,00
"iajpienhbgmfjcdgnc"=hex:69,61,6b,65,66,6e,63,6e,6b,63,70,68,67,62,70,6d,65,70,
00,00
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
c:\programas\AlienGUIse\fastload.dll
.
Tempo para conclusão: 2009-02-24 18:01:28
ComboFix-quarantined-files.txt 2009-02-24 18:00:11

Pré-execução: 40.378.363.904 bytes livres
Pós execução: 40,367,415,296 bytes livres

358 --- E O F --- 2009-02-22 17:28:23


- - - -

HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:22, on 24-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AEADISRV.EXE
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Programas\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programas\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Programas\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Earn2Life Bar - {07328B93-AFD8-4c6a-99E9-D0B3B5D6DAD9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programas\Ficheiros comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programas\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B66BA35-9160-44B0-85E3-D8563EF3A6DC}: NameServer = 194.65.47.43,194.65.47.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA6278B5-8E09-48B5-B0C9-904A1803E533}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Programas\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\WINDOWS\system32\AEADISRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Programas\McAfee\SiteAdvisor\McSACore.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programas\Viewpoint\Common\ViewpointService.exe

--
End of file - 8636 bytes

#10 Mr.Million

    Consumer Security MVP

  • Expert
  • 65384 posts

Posted 24 February 2009 - 03:54 PM

Download the Kaspersky Removal Tool.

Save it to your Desktop.

Install the program normally, following all of its steps.

On the program's main screen, click the "My Computer" option and then click the "Scan" button.

Be patient, the scan can take a while.

If it finds any infection, click "disinfect".

After everything is finished, click the Events tab, untick the "Show all events" checkbox and then click "Save to file".

Give the file a name and save it in a folder of your choice.

Post the contents of that file in your next reply, together with a new HijackThis log.