Maklack

HijackThis log (Smitfraud and Virtumonde)


Hello, I'm aware that there has already been a case of infestation by these two programs... it's written right up here... but I wanted to know whether the procedures will depend on my HijackThis log. If so, please shed some light for me! If not, I'll carry out the procedures that were indicated to homerx in his topic. Here is my log:

Logfile of HijackThis v1.99.1

Scan saved at 21:00:09, on 6/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany\juxmhurw.exe

C:\WINDOWS\services.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\vsnpstd.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe

C:\WINDOWS\system32\atovabon.exe

C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Meus documentos\Tibia\Tibia.exe

C:\WINDOWS\system32\osk.exe

C:\WINDOWS\system32\MSSWCHX.EXE

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Desktop\SMITE\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\RunOnce: [spybotDeletingA7489] command /c del "C:\WINDOWS\system32\netode.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC7481] cmd /c del "C:\WINDOWS\system32\netode.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2709] command /c del "C:\WINDOWS\system32\newsd32.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC7970] cmd /c del "C:\WINDOWS\system32\newsd32.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA8781] command /c del "C:\WINDOWS\system32\ps1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC3078] cmd /c del "C:\WINDOWS\system32\ps1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA5811] command /c del "C:\WINDOWS\system32\psof1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC9988] cmd /c del "C:\WINDOWS\system32\psof1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA3340] command /c del "C:\WINDOWS\system32\regc64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2174] cmd /c del "C:\WINDOWS\system32\regc64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4779] command /c del "C:\WINDOWS\system32\regm64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC9804] cmd /c del "C:\WINDOWS\system32\regm64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1266] command /c del "C:\WINDOWS\system32\Rundl1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA1014] command /c del "C:\WINDOWS\system32\ssvchost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC6096] cmd /c del "C:\WINDOWS\system32\ssvchost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA4042] command /c del "C:\WINDOWS\system32\sysreq.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC3902] cmd /c del "C:\WINDOWS\system32\sysreq.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA4896] command /c del "C:\WINDOWS\system32\taack.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingC2435] cmd /c del "C:\WINDOWS\system32\taack.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingA1943] command /c del "C:\WINDOWS\system32\taack.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC1612] cmd /c del "C:\WINDOWS\system32\taack.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2376] command /c del "C:\WINDOWS\system32\temp#01.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC4966] cmd /c del "C:\WINDOWS\system32\temp#01.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA5088] command /c del "C:\WINDOWS\system32\thun.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2483] cmd /c del "C:\WINDOWS\system32\thun.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA6576] command /c del "C:\WINDOWS\system32\thun32.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC4477] cmd /c del "C:\WINDOWS\system32\thun32.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4318] command /c del "C:\WINDOWS\system32\VBIEWER.OCX"

O4 - HKLM\..\RunOnce: [spybotDeletingC3866] cmd /c del "C:\WINDOWS\system32\VBIEWER.OCX"

O4 - HKLM\..\RunOnce: [spybotDeletingA3097] command /c del "C:\WINDOWS\system32\vbsys2.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC6934] cmd /c del "C:\WINDOWS\system32\vbsys2.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5771] command /c del "C:\WINDOWS\system32\vcatchpi.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC5801] cmd /c del "C:\WINDOWS\system32\vcatchpi.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4475] command /c del "C:\WINDOWS\system32\winlogonpc.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC9600] cmd /c del "C:\WINDOWS\system32\winlogonpc.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC4718] cmd /c del "C:\WINDOWS\system32\winsystem.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2333] command /c del "C:\WINDOWS\system32\WINWGPX.EXE"

O4 - HKLM\..\RunOnce: [spybotDeletingA5784] command /c del "C:\WINDOWS\base64.tmp"

O4 - HKLM\..\RunOnce: [spybotDeletingA3803] command /c del "C:\WINDOWS\bdn.com"

O4 - HKLM\..\RunOnce: [spybotDeletingC3063] cmd /c del "C:\WINDOWS\bdn.com"

O4 - HKLM\..\RunOnce: [spybotDeletingA3330] command /c del "C:\WINDOWS\FVProtect.exe"

O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Hello Maklack

Welcome to Malware Removal

I recommend that you save this topic in your Favorites to make it easier to find again.

Please note the following:

1) I will be following the analysis procedures for your log and will return as soon as possible!;

2) Do not take any procedure until we begin;

3) What will be given here concerns only your computer's problem, therefore do not do it on any other;

4) If you have another computer, open a new topic with its respective log;

5) Please follow the instructions given carefully and, in case of doubts, do not hesitate to ask;

6) Always post your replies in this topic... Do not open another!

Note: Do not take any measure other than those given here; be aware that, if you ask for help in another forum, you must inform us, at the risk of misconfiguring your computer!

Regards :D


Dear Maklack

Your PC is infected by a Backdoor.

Important: Backdoor/IRCBot Trojans are extremely dangerous, since they provide means of access to the computer's operating system. Remote attackers use this type of malware to gain unauthorized access to your PC and can take total control without your knowledge.

If you do or have done any kind of financial transaction (accessing banks, shopping, etc.) with this PC, or if it contains any sensitive information, I recommend that you:

  1. Avoid using the internet on this PC as much as possible until it is clean.
  2. Use a clean and secure PC and change all your passwords (online passwords).
  3. Contact your financial institutions and inform them of your situation.

Many security experts believe that after a PC is infected with this type of malware, the best thing to do is to format and reinstall the Operating System.

I leave it to your discretion whether or not to format the PC. The infections are identified and we can remove them; what I cannot guarantee with 100% certainty is that your PC will be secure.

If you opt for removal, follow the steps below. If you opt to format, please inform me of that in your next reply.

# Step 1 #

Your HijackThis program is being run from a location that is not recommended, and so the backups we make will not be safe.

Before we start fixing your PC's problems, we need to correct the location of HijackThis; please do the following:

  • Right-click on an empty area of your desktop.
  • Choose New -> Folder -> type HJT and press Enter.
  • Now right-click HijackThis.exe and choose -> Cut
  • Right-click on an empty area and choose Paste.
  • Now right-click the HJT folder and choose -> Cut.
  • Click -> Start -> My Computer -> right-click -> Local Disk (normally C:\) -> Explore.
  • Right-click on an empty area and choose Paste.

Print or save these instructions, since you will follow them without internet access
# Step 2 #
Download SDFix
  • Save it to your desktop.
  • Double-click SDFix.exe and the tool will be installed to %SystemDrive%\SDFix
  • (Normally the drive that contains Windows. Usually:
    C:\SDFix).
  • Do not use it yet

# Step 3 #

Restart the computer in Safe Mode (press the F8 key intermittently, or F5 in some cases, during startup)

# Step 4 #

Run SDFix.

  • Go into the SDFix folder that was installed on your computer and double-click the RunThis.bat file
  • Press Y for the tool to start the removal process
  • When everything finishes, you will see a notice telling you to press any key to continue. When you press any key, the computer will restart automatically
  • After restarting, the tool will run once more and finish its work, and the word Finished will appear. Press any key.
  • A window with the SDFix report will appear.
  • Copy and paste this report in your reply. If you have closed the window, a copy of the report is in the SDFix folder under the name Report.txt
  • Also generate and paste a new HijackThis log.

-- If a window opens and closes suddenly, please go to Start -> Run -> and copy and paste the following text:

%systemdrive%\SDFix\apps\FixPath.exe /Q

Restart the PC and run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer -> Properties -> Advanced -> Environment Variables and check that the ComSpec variable has the value for cmd.exe: %SystemRoot%\system32\cmd.exe

Regards :D

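As an added illustration (not part of the thread, and not HijackThis or Clube do Hardware code), the script below automates three of the checks the analyst applied by eye to Maklack's log: a core Windows binary name started from outside system32 (the C:\WINDOWS\services.exe entry), executables running from user-writable profile folders (including HijackThis itself on the Desktop, the point of Step 1), and the files Spybot queued for deletion through the spybotDeleting RunOnce entries. The sample input is a constructed excerpt of the first log posted above; the list of core binaries and the folder-name patterns are assumptions for triage, and every hit still needs a human verdict.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not HJT code)."""
import re

# Assumption: on Windows XP these binaries only ever start from %SystemRoot%\system32.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
# Assumption: folders an ordinary user (or malware running as that user) can write to,
# in both the Portuguese names seen in the log and their English equivalents.
USER_WRITABLE_DIR = re.compile(
    r"\\(dados de aplicativos|application data|desktop|meus documentos|my documents)\\",
    re.IGNORECASE,
)
# Spybot schedules files it could not delete live as RunOnce "del" commands.
SPYBOT_RUNONCE = re.compile(
    r'^O4 - HKLM\\\.\.\\RunOnce: \[spybotDeleting\w+\] (?:cmd|command) /c del "([^"]+)"$'
)
HJT_ENTRY = re.compile(r"^O\d+ - ")


def parse_hjt(log_text):
    """Split a HJT log into (running processes, O-entries).

    HJT 1.99.1 prints a header, then 'Running processes:' with one full path
    per line, then the numbered entries (O2, O3, O4 ...). Blank lines, which
    forum copy-paste usually doubles, are skipped.
    """
    processes, entries, in_processes = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if HJT_ENTRY.match(line):
            in_processes = False
            entries.append(line)
        elif in_processes:
            processes.append(line)
    return processes, entries


def masquerading_system_binaries(processes):
    """Processes named like a core binary but started from the wrong folder."""
    hits = []
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_SYSTEM_BINARIES and not SYSTEM32_DIR.match(path):
            hits.append(path)
    return hits


def user_writable_processes(processes):
    """Executables running from profile folders, deduplicated, in log order."""
    seen = []
    for path in processes:
        if USER_WRITABLE_DIR.search(path) and path not in seen:
            seen.append(path)
    return seen


def spybot_pending_deletions(entries):
    """Files Spybot queued for deletion (evidence of an earlier, incomplete cleanup)."""
    targets = []
    for entry in entries:
        m = SPYBOT_RUNONCE.match(entry)
        if m and m.group(1) not in targets:
            targets.append(m.group(1))
    return targets


def triage(log_text):
    processes, entries = parse_hjt(log_text)
    return {
        "masquerading": masquerading_system_binaries(processes),
        "user_writable": user_writable_processes(processes),
        "spybot_deletions": spybot_pending_deletions(entries),
    }


# Constructed excerpt of the first log posted in this thread (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany\juxmhurw.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\atovabon.exe
C:\Documents and Settings\Particular\Desktop\SMITE\HijackThis.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\RunOnce: [spybotDeletingA7489] command /c del "C:\WINDOWS\system32\netode.exe"
O4 - HKLM\..\RunOnce: [spybotDeletingC7481] cmd /c del "C:\WINDOWS\system32\netode.exe"
O4 - HKLM\..\RunOnce: [spybotDeletingA1014] command /c del "C:\WINDOWS\system32\ssvchost.exe"
O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe
"""

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}:")
        for hit in hits:
            print(f"  {hit}")
```

Run against the full logs in this thread, the script also flags Chrome under "Configurações locais\Dados de aplicativos", which is where Chrome legitimately installs on XP; the output is a review list, not a verdict.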
  • Topic author
  • Fatal error: Maximum execution time of 30 seconds exceeded in /www/forum/includes/functions.php on line 1736

    I can't post the SDFix log

    I'll keep trying

    Logfile of HijackThis v1.99.1

    Scan saved at 22:38:54, on 7/10/2008

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\wscntfy.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

    C:\WINDOWS\system32\notepad.exe

    C:\WINDOWS\system32\VTTimer.exe

    C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\WINDOWS\vsnpstd.exe

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe

    C:\WINDOWS\system32\cbotadud.exe

    C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

    C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

    O4 - HKLM\..\RunOnce: [spybotDeletingA7489] command /c del "C:\WINDOWS\system32\netode.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC7481] cmd /c del "C:\WINDOWS\system32\netode.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA2709] command /c del "C:\WINDOWS\system32\newsd32.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC7970] cmd /c del "C:\WINDOWS\system32\newsd32.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA8781] command /c del "C:\WINDOWS\system32\ps1.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC3078] cmd /c del "C:\WINDOWS\system32\ps1.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA5811] command /c del "C:\WINDOWS\system32\psof1.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC9988] cmd /c del "C:\WINDOWS\system32\psof1.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA3340] command /c del "C:\WINDOWS\system32\regc64.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingC2174] cmd /c del "C:\WINDOWS\system32\regc64.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingA4779] command /c del "C:\WINDOWS\system32\regm64.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingC9804] cmd /c del "C:\WINDOWS\system32\regm64.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingA1266] command /c del "C:\WINDOWS\system32\Rundl1.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA1014] command /c del "C:\WINDOWS\system32\ssvchost.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC6096] cmd /c del "C:\WINDOWS\system32\ssvchost.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA4042] command /c del "C:\WINDOWS\system32\sysreq.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC3902] cmd /c del "C:\WINDOWS\system32\sysreq.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA4896] command /c del "C:\WINDOWS\system32\taack.dat"

    O4 - HKLM\..\RunOnce: [spybotDeletingC2435] cmd /c del "C:\WINDOWS\system32\taack.dat"

    O4 - HKLM\..\RunOnce: [spybotDeletingA1943] command /c del "C:\WINDOWS\system32\taack.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC1612] cmd /c del "C:\WINDOWS\system32\taack.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA2376] command /c del "C:\WINDOWS\system32\temp#01.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC4966] cmd /c del "C:\WINDOWS\system32\temp#01.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA5088] command /c del "C:\WINDOWS\system32\thun.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingC2483] cmd /c del "C:\WINDOWS\system32\thun.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingA6576] command /c del "C:\WINDOWS\system32\thun32.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingC4477] cmd /c del "C:\WINDOWS\system32\thun32.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingA4318] command /c del "C:\WINDOWS\system32\VBIEWER.OCX"

    O4 - HKLM\..\RunOnce: [spybotDeletingC3866] cmd /c del "C:\WINDOWS\system32\VBIEWER.OCX"

    O4 - HKLM\..\RunOnce: [spybotDeletingA3097] command /c del "C:\WINDOWS\system32\vbsys2.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingC6934] cmd /c del "C:\WINDOWS\system32\vbsys2.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingA5771] command /c del "C:\WINDOWS\system32\vcatchpi.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingC5801] cmd /c del "C:\WINDOWS\system32\vcatchpi.dll"

    O4 - HKLM\..\RunOnce: [spybotDeletingA4475] command /c del "C:\WINDOWS\system32\winlogonpc.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC9600] cmd /c del "C:\WINDOWS\system32\winlogonpc.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingC4718] cmd /c del "C:\WINDOWS\system32\winsystem.exe"

    O4 - HKLM\..\RunOnce: [spybotDeletingA2333] command /c del "C:\WINDOWS\system32\WINWGPX.EXE"

    O4 - HKLM\..\RunOnce: [spybotDeletingA5784] command /c del "C:\WINDOWS\base64.tmp"

    O4 - HKLM\..\RunOnce: [spybotDeletingA3803] command /c del "C:\WINDOWS\bdn.com"

    O4 - HKLM\..\RunOnce: [spybotDeletingC3063] cmd /c del "C:\WINDOWS\bdn.com"

    O4 - HKLM\..\RunOnce: [spybotDeletingA3330] command /c del "C:\WINDOWS\FVProtect.exe"

    O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

    O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

    O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

    O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

    O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

    O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

    O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    Edited by Maklack

  • Topic author
  • I'll try posting it in 2 pieces.

    First part of the SDFix log:

    SDFix: Version 1.233

    Run by Particular on ter 07/10/2008 at 22:22

    Microsoft Windows XP [versão 5.1.2600]

    Running From: C:\SDFix

    Checking Services :

    Restoring Default Security Values

    Restoring Default Hosts File

    Resetting SecurityProviders Value

    Rebooting

    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\~.exe - Deleted

    C:\WINDOWS\system32\wpv962.cpx - Deleted

    C:\WINDOWS\system32\wpv962.cpx - Deleted

    C:\WINDOWS\msauc.exe - Deleted

    C:\WINDOWS\services.exe - Deleted

    C:\WINDOWS\system32\shell31.dll - Deleted

    C:\WINDOWS\wiaservb.log - Deleted

    Removing Temp Files

    ADS Check :

    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-10-07 22:26:56

    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\System]

    "Location"="D:\System Volume Information"

    "IsIndexingW3Svc"=dword:00000000

    "IsIndexingNNTPSvc"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0C0C\aa]

    "Capabilities"=dword:00000070

    "ConfigFlags"=dword:00000000

    "HardwareID"=str(7):"ACPI\PNP0C0C\0*PNP0C0C\0"

    "ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"

    "Class"="System"

    "Driver"="{4D36E97D-E325-11CE-BFC1-08002BE10318}\0011"

    "Mfg"="(Dispositivos de sistema padrão)"

    "DeviceDesc"="Botão ligar/desligar ACPI"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0C0C\aa\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SWPRV]

    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SWPRV\0000]

    "Service"="SwPrv"

    "Legacy"=dword:00000001

    "ConfigFlags"=dword:00000000

    "Class"="LegacyDriver"

    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

    "DeviceDesc"="MS Software Shadow Copy Provider"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Abiosdsk]

    "ErrorControl"=dword:00000000

    "Group"="Primary disk"

    "Start"=dword:00000004

    "Tag"=dword:00000003

    "Type"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\abiosdsk]

    "EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"

    "TypesSupported"=dword:00000007

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide]

    "EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"

    "TypesSupported"=dword:00000007

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\PptpMiniport]

    "EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"

    "TypesSupported"=dword:00000007

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDAudBus]

    "Type"=dword:00000001

    "Start"=dword:00000003

    "ErrorControl"=dword:00000001

    "Tag"=dword:00000008

    "ImagePath"=str(2):"system32\DRIVERS\HDAudBus.sys"

    "DisplayName"="Microsoft UAA Bus Driver for High Definition Audio"

    "Group"="Extended Base"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]

    "ErrorControl"=dword:00000001

    "Group"="System Bus estender"

    "Start"=dword:00000004

    "Tag"=dword:00000004

    "Type"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport]

    "Type"=dword:00000001

    "Start"=dword:00000003

    "ErrorControl"=dword:00000001

    "ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"

    "DisplayName"="Miniporta de rede remota (PPTP)"

    "Description"="Miniporta de rede remota (PPTP)"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport\Security]

    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptvnrrlx]

    "Type"=dword:00000001

    "Start"=dword:00000002

    "ErrorControl"=dword:00000001

    "ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\ptvnrrlx.sys"

    "DisplayName"="ptvnrrlx"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptvnrrlx\Security]

    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]

    "Epoch"=dword:00018789

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

    "DhcpNameServer"="200.250.77.87 200.250.77.85"

    "DhcpDomain"="ctb.virtua.com.br"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B00663B4-E6F4-44E2-B51C-6A8E361328A4}]

    "LeaseObtainedTime"=dword:48ec0be2

    "T1"=dword:48ec0c61

    "T2"=dword:48ec0cc1

    "LeaseTerminatesTime"=dword:48ec0ce1

    "DhcpRetryTime"=dword:0000007d

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B00663B4-E6F4-44E2-B51C-6A8E361328A4}\Parameters\Tcpip]

    "LeaseObtainedTime"=dword:48ec0be2

    "T1"=dword:48ec0c61

    "T2"=dword:48ec0cc1

    "LeaseTerminatesTime"=dword:48ec0ce1

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ContentIndex\Catalogs\System]

    "Location"="D:\System Volume Information"

    "IsIndexingW3Svc"=dword:00000000

    "IsIndexingNNTPSvc"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\ACPI\PNP0C0C\aa]

    "Capabilities"=dword:00000070

    "ConfigFlags"=dword:00000000

    "HardwareID"=str(7):"ACPI\PNP0C0C\0*PNP0C0C\0"

    "ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"

    "Class"="System"

    "Driver"="{4D36E97D-E325-11CE-BFC1-08002BE10318}\0011"

    "Mfg"="(Dispositivos de sistema padrão)"

    "DeviceDesc"="Botão ligar/desligar ACPI"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\ACPI\PNP0C0C\aa\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SWPRV]

    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SWPRV\0000]

    "Service"="SwPrv"

    "Legacy"=dword:00000001

    "ConfigFlags"=dword:00000000

    "Class"="LegacyDriver"

    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

    "DeviceDesc"="MS Software Shadow Copy Provider"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Abiosdsk]

    "ErrorControl"=dword:00000000

    "Group"="Primary disk"

    "Start"=dword:00000004

    "Tag"=dword:00000003

    "Type"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\abiosdsk]

    "EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"

    "TypesSupported"=dword:00000007

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\intelide]

    "EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"

    "TypesSupported"=dword:00000007

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\PptpMiniport]

    "EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"

    "TypesSupported"=dword:00000007

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HDAudBus]

    "Type"=dword:00000001

    "Start"=dword:00000003

    "ErrorControl"=dword:00000001

    "Tag"=dword:00000008

    "ImagePath"=str(2):"system32\DRIVERS\HDAudBus.sys"

    "DisplayName"="Microsoft UAA Bus Driver for High Definition Audio"

    "Group"="Extended Base"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IntelIde]

    "ErrorControl"=dword:00000001

    "Group"="System Bus estender"

    "Start"=dword:00000004

    "Tag"=dword:00000004

    "Type"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PptpMiniport]

    "Type"=dword:00000001

    "Start"=dword:00000003

    "ErrorControl"=dword:00000001

    "ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"

    "DisplayName"="Miniporta de rede remota (PPTP)"

    "Description"="Miniporta de rede remota (PPTP)"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PptpMiniport\Security]

    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ptvnrrlx]

    "Type"=dword:00000001

    "Start"=dword:00000002

    "ErrorControl"=dword:00000001

    "ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\ptvnrrlx.sys"

    "DisplayName"="ptvnrrlx"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ptvnrrlx\Security]

    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinSock2]

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\DeluxeCD\Providers]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CSSFilters]

    "oavredirect"="{999937BC-30FE-11D4-BA52-00C04F6843FA}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu\StartMenuRun]

    "Type"="checkbox"

    "Text"="@shell32.dll,-30474"

    "HKeyRoot"=dword:80000001

    "RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

    "ValueName"="StartMenuRun"

    "CheckedValue"=dword:00000001

    "UncheckedValue"=dword:00000000

    "DefaultValue"=dword:00000001

    "HelpID"="windows.hlp#51142"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowPrinters]

    "Type"="checkbox"

    "Text"="@shell32.dll,-30493"

    "HKeyRoot"=dword:80000001

    "RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

    "ValueName"="Start_ShowPrinters"

    "CheckedValue"=dword:00000001

    "UncheckedValue"=dword:00000000

    "DefaultValue"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cj.com]

    @=dword:00000005

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\ssby.com]

    @=dword:00000005

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2201"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\BBHVR\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2000"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2200"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\DISABLE]

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA]

    "Type"="group"

    "Text"="Submeter dados de formulário não criptografados"

    "PlugUIText"="@inetcplc.dll,-4797"

    "Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\ALLOW]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Ativar"

    "PlugUIText"="@inetcplc.dll,-4803"

    "ValueName"="1601"

    "CheckedValue"=dword:00000000

    "DefaultValue"=dword:00000003

    "Mask"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\DENY]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="1601"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    "Mask"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\QUERY]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Avisar"

    "PlugUIText"="@inetcplc.dll,-4804"

    "ValueName"="1601"

    "CheckedValue"=dword:00000001

    "DefaultValue"=dword:00000003

    "Mask"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\MIME_SNIFFING\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2100"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\RESTRICTED_PROTOCOLS\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2300"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\WINDOW_RESTRICTIONS\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2102"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\ZONE_ELEVATION\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2101"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2201"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\BBHVR\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2000"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2200"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\JAVAPER\JAVA\DISABLE]

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar Java"

    "PlugUIText"="@inetcplc.dll,-4818"

    "ValueName"="1C00"

    "CheckedValue"=dword:00000000

    "DefaultValue"=dword:00000000

    "HKeyRoot"=dword:80000002

    "HelpID"="iexplore.hlp#50241"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA]

    "Type"="group"

    "Text"="Submeter dados de formulário não criptografados"

    "PlugUIText"="@inetcplc.dll,-4797"

    "Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\ALLOW]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Ativar"

    "PlugUIText"="@inetcplc.dll,-4803"

    "ValueName"="1601"

    "CheckedValue"=dword:00000000

    "DefaultValue"=dword:00000003

    "HKeyRoot"=dword:80000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\DENY]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="1601"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    "HKeyRoot"=dword:80000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\QUERY]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Avisar"

    "PlugUIText"="@inetcplc.dll,-4804"

    "ValueName"="1601"

    "CheckedValue"=dword:00000001

    "DefaultValue"=dword:00000003

    "HKeyRoot"=dword:80000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\MIME_SNIFFING\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2100"

    "CheckedValue"=dword:00000003

  • Topic author
  • Second part of the SDFix log:

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\RESTRICTED_PROTOCOLS\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2300"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\WINDOW_RESTRICTIONS\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2102"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\ZONE_ELEVATION\DISABLE]

    "Type"="radio"

    "RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

    "Text"="Desativar"

    "PlugUIText"="@inetcplc.dll,-4805"

    "ValueName"="2101"

    "CheckedValue"=dword:00000003

    "DefaultValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\begun.ru\autocontext]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestmanage.org\a]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestmanage.org\f5]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cookingluck.com\f5]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nipd.it]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws\www]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssby.com]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\thezirius.com\f5]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\truth-is-out-there.org\f5]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it\www]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it\www]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\urlstat.ru]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\begun.ru\autocontext]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\bestmanage.org\a]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\bestmanage.org\f5]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\cookingluck.com\f5]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\nipd.it]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws\www]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\ssby.com]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\thezirius.com\f5]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\truth-is-out-there.org\f5]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it\www]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it\www]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\urlstat.ru]

    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

    "DLLName"="wlnotify.dll"

    "Logon"="RegisterTicketExpiredNotificationEvent"

    "Logoff"="UnregisterTicketExpiredNotificationEvent"

    "Impersonate"=dword:00000001

    "Asynchronous"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\aa]

    "a"="C:\Documents and Settings\Particular\Desktop\Discovery.Channel-Mega.Construcoes-O.Metro.de.Nova.York-upload.by.Maua.wmv.aa"

    "MRUList"="a"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]

    "Days between clean up"=dword:0000003c

    "NoRun"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU]


  • Topic author
  • Yes, it had to be in 3 parts. Here's the last one:

    "108"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "109"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "110"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "111"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "112"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "113"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "114"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "115"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "116"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "117"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "118"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "119"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "120"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "121"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "122"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "123"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "124"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "125"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "126"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "127"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "128"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "129"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "130"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "131"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "132"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "133"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "134"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "135"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "136"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "137"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "138"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "139"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "140"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "141"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "142"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "143"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "144"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "145"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "146"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "147"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "148"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "149"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "150"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "151"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "152"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "153"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "154"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "155"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "156"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "157"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "158"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "159"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "160"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "161"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "162"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "163"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "164"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "165"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "166"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "167"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "168"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "169"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "170"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "171"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "172"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "173"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "174"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "175"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "176"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "177"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "178"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "179"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "180"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "181"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "182"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "183"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "184"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "185"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "186"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "187"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "188"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "189"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "190"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "191"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "192"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "193"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "194"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "195"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "196"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "197"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "198"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "199"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "200"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "201"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "202"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "203"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "204"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "205"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "206"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "207"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "208"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "209"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "210"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "211"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "212"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "213"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    "214"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cj.com]

    @=dword:00000005

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\ssby.com]

    @=dword:00000005

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bb.org]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\begun.ru\autocontext]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestmanage.org\a]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestmanage.org\f5]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cookingluck.com\f5]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\muul.com]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nipd.it]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\norsty.net]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws\www]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssby.com]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\thezirius.com\f5]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\truth-is-out-there.org\f5]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it\www]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it\www]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\urlstat.ru]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\begun.ru\autocontext]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\bestmanage.org\a]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\bestmanage.org\f5]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\cookingluck.com\f5]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\nipd.it]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws\www]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\ssby.com]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\thezirius.com\f5]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\truth-is-out-there.org\f5]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it\www]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it\www]

    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\urlstat.ru]

    "*"=dword:00000004

    scanning hidden files ...

    C:\WINDOWS\system32\drivers\PxHelp20.sys 43528 bytes executable

    scan completed successfully

    hidden processes: 0

    hidden services: 4

    hidden files: 1

    Remaining Services :

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    "C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"="C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe:*:Enabled:WinDVD"

    "C:\\Arquivos de programas\\MSN Messenger\\msncall.exe"="C:\\Arquivos de programas\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

    "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

    "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    "D:\\Call of Duth 2\\CoD2MP_s.exe"="D:\\Call of Duth 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"

    "D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"="D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"="C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"

    "C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"="C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe:*:Enabled:zsnesw"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    "C:\\Arquivos de programas\\MSN Messenger\\msncall.exe"="C:\\Arquivos de programas\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

    "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

    "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    Remaining Files :

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Mon 20 Oct 2003 73,688 ..SHR --- "C:\Arquivos de programas\Autodesk\Autodesk DWF Viewer\Setup.exe"

    Sat 24 Jan 2004 5,120 A.SHR --- "C:\Arquivos de programas\Autodesk\Autodesk DWF Viewer\_Setupx.dll"

    Mon 22 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"

    Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"

    Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"

    Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"

    Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"

    Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"

    Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"

    Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"

    Mon 2 Dec 2002 431,616 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"

    Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"

    Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\SDHelper.dll"

    Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\SDUpdate.exe"

    Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\SpybotSD.exe"

    Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe"

    Finished!

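The SDFix export above stores its numbered values as REG_BINARY hex (the `"63"=hex:43,00,3a,00,...` lines, which SDFix truncates with `..`) and places domains into Internet Explorer security zones through ZoneMap DWORDs (4 is Restricted sites). The Python script below is an added example, not SDFix code and not part of Maklack's post: it decodes the hex blobs as UTF-16LE, handles the `..` truncation, and maps each ZoneMap host (including the `EscDomains` list used under IE Enhanced Security Configuration) to its zone name. The sample input is constructed: one truncated line copied from the log above, one full value built with the `encode_reg_hex` helper, a few ZoneMap keys from the log, and a hypothetical key `HKEY_CURRENT_USER\Software\Example\Constructed`.

```python
"""Decode an SDFix/.reg-style registry export. Added example: not SDFix
code and not from the forum post; the sample input is constructed."""
import re
from typing import Dict, List, Tuple

# Internet Explorer URL security zone IDs (the ZoneMap DWORD values).
IE_ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
            3: "Internet", 4: "Restricted sites"}

_KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')
_HEXPAIR_RE = re.compile(r'^[0-9a-fA-F]{2}$')
_ZONEMAP_RE = re.compile(
    r'\\ZoneMap\\(?P<table>Domains|EscDomains)\\(?P<rest>.+)$', re.IGNORECASE)


def decode_reg_hex(data: str) -> str:
    """Turn 'hex:43,00,3a,00,...' into text, assuming the bytes are a UTF-16LE
    string. SDFix truncates long values with '..': non-hex tokens are dropped
    and a dangling low byte is completed with 0x00 (correct for ASCII paths)."""
    body = data.split(":", 1)[1] if data.lower().startswith("hex") else data
    tokens = [t.strip() for t in body.split(",")]
    raw = bytes(int(t, 16) for t in tokens if _HEXPAIR_RE.match(t))
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le").rstrip("\x00")


def encode_reg_hex(text: str) -> str:
    """Inverse of decode_reg_hex; used here only to build the sample."""
    raw = (text + "\x00").encode("utf-16-le")
    return "hex:" + ",".join(f"{b:02x}" for b in raw)


def parse_reg(text: str) -> List[Tuple[str, str, object]]:
    """Return (key, value name, value) triples. DWORDs become ints, hex blobs
    become decoded strings, any other data is kept as the raw text."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        km = _KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = _VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name = "@" if vm.group("default") else vm.group("name")
        data = vm.group("data").strip()
        if data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif data.lower().startswith("hex"):
            value = decode_reg_hex(data)
        else:
            value = data
        entries.append((key, name, value))
    return entries


def zone_assignments(entries) -> Dict[str, str]:
    """Map each host under ZoneMap\\Domains (or \\EscDomains, the list used
    when IE Enhanced Security Configuration is on) to its zone name. A value
    name of '*' covers every scheme; any other value name is the scheme."""
    zones = {}
    for key, name, value in entries:
        zm = _ZONEMAP_RE.search(key)
        if not zm or not isinstance(value, int):
            continue
        # 'begun.ru\autocontext' in the key means host autocontext.begun.ru
        host = ".".join(reversed(zm.group("rest").split("\\")))
        label = host if name == "*" else f"{name}://{host}"
        if zm.group("table").lower() == "escdomains":
            label += " (ESC)"
        zones[label] = IE_ZONES.get(value, f"zone {value}")
    return zones


# Constructed sample: the "63" line is the truncated form copied from the log
# above, "64" is a full value built with encode_reg_hex, and the key
# HKEY_CURRENT_USER\Software\Example\Constructed is hypothetical.
SAMPLE_REG = "\n".join([
    r"[HKEY_CURRENT_USER\Software\Example\Constructed]",
    '"63"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..',
    '"64"=' + encode_reg_hex(r"C:\WINDOWS\system32\example.exe"),
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bb.org]",
    '"*"=dword:00000004',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\begun.ru\autocontext]",
    '"*"=dword:00000004',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws\www]",
    '"*"=dword:00000004',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cj.com]",
    "@=dword:00000005",
])


def report(text: str = SAMPLE_REG) -> Dict[str, Dict[str, object]]:
    """Decoded string values plus the zone map, ready to eyeball."""
    entries = parse_reg(text)
    decoded = {name: value for _key, name, value in entries if isinstance(value, str)}
    return {"decoded": decoded, "zones": zone_assignments(entries)}


if __name__ == "__main__":
    for section, items in report().items():
        print(section)
        for label, value in items.items():
            print(f"  {label:<75} {value}")
```

Running the script prints the decoded paths and one line per ZoneMap host with its zone; a P3P entry (also a DWORD, but not under ZoneMap) is parsed and left out of the zone map. Feed it a whole exported `.reg` file via `report(open(path, encoding="utf-16").read())` if the export is the native UTF-16 regedit format.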

    Dear Maklack,

    Well done :)

    Follow the instructions at the link below, then install and run ComboFix:

    http://www.bleepingcomputer.com/combofix/pt/como-usar-o-combofix

    • It is important that you install the Recovery Console as well.
    • When the tool finishes running, it will generate a log (the file C:\ComboFix.txt).
    • Paste the contents of that file and also make a new HijackThis log to include in your reply.

    Warning: do not use the mouse or the keyboard while the tool is running; that can make the PC hang.

    Note: please do NOT use ComboFix on your own. It is a powerful tool created to deal with sophisticated infections and, if you do not use it correctly, it can damage your computer. The tool should only be used under the supervision of malware-removal helpers.

    Regards :D

  • Topic author
  • ComboFix 08-10-08.02 - Particular 2008-10-08 20:58:00.1 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1671 [GMT -3:00]

    Running from: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

    Command switches used :: C:\Documents and Settings\Particular\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

    * Created a new restore point

    .

    ((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\WINDOWS\IE4 Error Log.txt

    C:\WINDOWS\system32\drivers\ptvnrrlx.sys

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Legacy_PTVNRRLX

    -------\Service_ptvnrrlx

    ((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 ))))))))))))))))))))))))))))))))

    .

    2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

    2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

    2008-10-07 22:05 . 2008-10-07 22:38 <DIR> d-------- C:\HJT

    2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

    2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

    2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

    2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

    2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

    2008-10-06 14:20 . 2008-10-06 14:20 106,496 --a------ C:\WINDOWS\system32\apkzytkr.exe

    2008-10-06 03:56 . 2008-10-06 03:56 98,304 --a------ C:\WINDOWS\system32\gnkfmlud.exe

    2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

    2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

    2008-10-06 01:46 . 2008-10-06 01:46 98,304 --a------ C:\WINDOWS\system32\atovabon.exe

    2008-10-06 00:00 . 2008-10-06 00:00 98,304 --a------ C:\WINDOWS\system32\fcrghghu.exe

    2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

    2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

    2008-10-04 04:09 . 2008-10-04 04:09 29 --a------ C:\WINDOWS\system32\ttfiggif.tmp

    2008-10-04 04:08 . 2008-10-04 04:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

    2008-10-04 04:08 . 2008-10-04 04:08 114,688 --a------ C:\WINDOWS\system32\cbotadud.exe

    2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

    2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

    .

    ((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-10-08 23:19 --------- d-----w C:\Arquivos de programas\Winamp Remote

    2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

    2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

    2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

    2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

    2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

    2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

    2008-08-12 02:47 --------- d-----w C:\Documents and Settings\Particular\Dados de aplicativos\Hamachi

    2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

    2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

    .

    (((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries and legitimate default entries are not shown.

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

    "DbSmartSh"="C:\WINDOWS\system32\atovabon.exe" [2008-10-06 98304]

    "actmsgstr"="C:\WINDOWS\system32\cbotadud.exe" [2008-10-04 114688]

    "AdmActCom"="C:\WINDOWS\system32\gnkfmlud.exe" [2008-10-06 98304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

    "snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

    "Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

    "VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

    "nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

    --a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

    -ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    --------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

    --a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

    "D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

    "C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

    R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

    S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655d6058-87a1-11dc-b765-001a4dab7b24}]

    \Shell\AutoRun\command - F:\LaunchU3.exe

    .

    Contents of the 'Scheduled Tasks' folder

    2008-10-08 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

    - C:\Documents and Settings\Particular\Configura []

    2008-10-08 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

    - C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

    .

    .

    ------- Supplementary Scan -------

    .

    O8 -: &Windows Live Search - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

    O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O16 -: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48}

    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-10-08 21:02:25

    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    ------------------------ Other Running Processes ------------------------

    .

    C:\WINDOWS\system32\rundll32.exe

    C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\wdfmgr.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

    .

    **************************************************************************

    .

    Completion time: 2008-10-08 21:03:47 - machine was rebooted

    ComboFix-quarantined-files.txt 2008-10-09 00:03:43

    Pre-Run: 12 folder(s) 30,292,434,944 bytes free

    Post-Run: 15 folder(s) 32,309,387,264 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]

    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

  • Topic author
  • Logfile of HijackThis v1.99.1

    Scan saved at 21:08:02, on 8/10/2008

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\VTTimer.exe

    C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    C:\WINDOWS\system32\atovabon.exe

    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\explorer.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

    O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

    O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

    O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

    O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

    O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

    O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  • Topic author
  • While I left the firewall disabled to carry out the indicated procedures, the virus message stopped appearing (the message says that the Windows firewall detected one of several kinds of virus, which it shows at random, and tells me to go download an antivirus from a site supplied in the message). As soon as I re-enabled the firewall the message started appearing again.


    Dear Maklack

    # Step no. 1 #

    Visit this site:

    http://www.bleepingcomputer.com/submit-malware.php?channel=4

    • In the box "Link to topic where this file was requested:", copy and paste the link to this topic:
    http://forum.clubedohardware.com.br/log-hijackthis-smitfraud/587369

    • In the box "Browse to the file you want to submit:", enter:
      • C:\WINDOWS\system32\apkzytkr.exe
    • Click the Browse... button
    • In the box "Leave any comments, further information about this file, or contact information:", enter:
      • diego_moicano - Forum Clube do Hardware
    • Click the Send File button
    • Repeat the procedure and also submit these files:
      • C:\WINDOWS\system32\gnkfmlud.exe
      • C:\WINDOWS\system32\atovabon.exe
      • C:\WINDOWS\system32\fcrghghu.exe
      • C:\WINDOWS\system32\ttfiggif.tmp
      • C:\WINDOWS\system32\cbotadud.exe

    Thank you

    # Step no. 2 #

    Temporarily, and while carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after carrying out the procedure(s) mentioned below.

    Open Notepad, copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:

    File::
    C:\WINDOWS\system32\apkzytkr.exe
    C:\WINDOWS\system32\gnkfmlud.exe
    C:\WINDOWS\system32\atovabon.exe
    C:\WINDOWS\system32\fcrghghu.exe
    C:\WINDOWS\system32\ttfiggif.tmp
    C:\WINDOWS\system32\cbotadud.exe
    C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany
    F:\LaunchU3.exe

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DbSmartSh"=-
    "actmsgstr"=-
    "AdmActCom"=-

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655d6058-87a1-11dc-b765-001a4dab7b24}]

    Save this file as: CFScript.txt


    As illustrated in the picture above, drag the CFScript.txt file onto ComboFix.exe. When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.

    Cheers :D

  • Topic author
  • ComboFix 08-10-08.02 - Particular 2008-10-09 20:39:41.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1642 [GMT -3:00]

    Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

    Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\CFScript.txt

    * Criado um novo ponto de restauro

    FILE ::

    C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

    C:\WINDOWS\system32\apkzytkr.exe

    C:\WINDOWS\system32\atovabon.exe

    C:\WINDOWS\system32\cbotadud.exe

    C:\WINDOWS\system32\fcrghghu.exe

    C:\WINDOWS\system32\gnkfmlud.exe

    C:\WINDOWS\system32\ttfiggif.tmp

    F:\LaunchU3.exe

    .

    ((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\DOCUME~1\PARTIC~1\CONFIG~1\Temp\winlogon.exe

    C:\WINDOWS\msauc.exe

    C:\WINDOWS\system32\apkzytkr.exe

    C:\WINDOWS\system32\atovabon.exe

    C:\WINDOWS\system32\cbotadud.exe

    C:\WINDOWS\system32\drivers\qulwqkwt.sys

    C:\WINDOWS\system32\fcrghghu.exe

    C:\WINDOWS\system32\gnkfmlud.exe

    C:\WINDOWS\system32\msansspc.dll

    C:\WINDOWS\system32\shell31.dll

    C:\WINDOWS\system32\ttfiggif.tmp

    C:\WINDOWS\wiaservb.log

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Legacy_QULWQKWT

    -------\Service_qulwqkwt

    ((((((((((((((((((((((( Ficheiros criados de 2008-09-09 to 2008-10-09 ))))))))))))))))))))))))))))))))

    .

    2008-10-08 21:27 . 2008-10-08 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp

    2008-10-08 21:26 . 2008-10-08 21:26 73,728 --a------ C:\WINDOWS\system32\wpv3116.cpx.bak

    2008-10-08 21:26 . 2008-10-08 21:26 72,192 --a------ C:\WINDOWS\system32\wpv592.cpx

    2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

    2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

    2008-10-07 22:05 . 2008-10-08 21:07 <DIR> d-------- C:\HJT

    2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

    2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

    2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

    2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

    2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

    2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

    2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

    2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

    2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

    2008-10-04 04:08 . 2008-10-04 04:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

    2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

    2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

    .

    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-10-09 23:20 --------- d-----w C:\Arquivos de programas\Winamp Remote

    2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

    2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

    2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

    2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

    2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

    2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

    2008-08-12 02:47 --------- d-----w C:\Documents and Settings\Particular\Dados de aplicativos\Hamachi

    2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

    2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

    .

    .

    *Nota* entradas vazias e legítimas por defeito não são mostradas.

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

    "snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

    "Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

    "VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

    "nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

    "tWqpf9ZjkH"="C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe" [2008-10-08 73728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

    --a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

    -ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    --------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

    --a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

    "D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

    "C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

    R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

    S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

    .

    Conteúdo da pasta 'Tarefas Agendadas'

    2008-10-08 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

    - C:\Documents and Settings\Particular\Configura []

    2008-10-09 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

    - C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

    .

    - - - - ORFAOS REMOVIDOS - - - -

    HKLM-Run-jjbrrbjj - C:\WINDOWS\jjbrrbjj.exe

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-10-09 20:42:20

    Windows 5.1.2600 Service Pack 2 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializáveis ocultas ...

    Procurando ficheiros ocultos ...

    Varredura completada com sucesso

    Ficheiros ocultos: 0

    **************************************************************************

    .

    ------------------------ Outros Processos em Execução ------------------------

    .

    C:\WINDOWS\system32\rundll32.exe

    C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\wdfmgr.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

    .

    **************************************************************************

    .

    Tempo para conclusão: 2008-10-09 20:43:38 - Maquina reiniciou

    ComboFix-quarantined-files.txt 2008-10-09 23:43:35

    ComboFix2.txt 2008-10-09 00:03:48

    Pré-execução: 13 pasta(s) 32.280.387.584 bytes disponíveis

    Pós execução: 15 pasta(s) 32,270,467,072 bytes disponíveis

  • Topic author
  • Whoa, man! I think that's a good sign.

    Hint of the Day: Click the bar at the right of this to see more information! ()

    Parabéns!: Nenhuma ameaça imediata foi encontrada. ()

    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

    2008-07-07 blindman.exe (1.0.0.8)

    2008-07-07 SDFiles.exe (1.6.0.4)

    2008-07-07 SDMain.exe (1.0.0.6)

    2008-07-07 SDShred.exe (1.0.2.3)

    2008-07-07 SDUpdate.exe (1.6.0.8)

    2008-07-07 SDWinSec.exe (1.0.0.12)

    2008-07-07 SpybotSD.exe (1.6.0.30)

    2008-09-16 TeaTimer.exe (1.6.3.25)

    2008-10-03 unins000.exe (51.49.0.0)

    2008-07-07 Update.exe (1.6.0.7)

    2008-07-07 advcheck.dll (1.6.1.12)

    2007-04-02 aports.dll (2.1.0.0)

    2008-06-14 DelZip179.dll (1.79.11.1)

    2008-09-15 SDHelper.dll (1.6.2.14)

    2008-06-19 sqlite3.dll

    2008-07-07 Tools.dll (2.1.5.7)

    2008-09-02 Includes\Adware.sbi (*)

    2008-09-09 Includes\AdwareC.sbi (*)

    2008-06-03 Includes\Cookies.sbi (*)

    2008-09-02 Includes\Dialer.sbi (*)

    2008-09-09 Includes\DialerC.sbi (*)

    2008-07-23 Includes\HeavyDuty.sbi (*)

    2008-09-02 Includes\Hijackers.sbi (*)

    2008-09-02 Includes\HijackersC.sbi (*)

    2008-09-09 Includes\Keyloggers.sbi (*)

    2008-09-30 Includes\KeyloggersC.sbi (*)

    2004-11-29 Includes\LSP.sbi (*)

    2008-09-09 Includes\Malware.sbi (*)

    2008-09-30 Includes\MalwareC.sbi (*)

    2008-09-02 Includes\PUPS.sbi (*)

    2008-09-11 Includes\PUPSC.sbi (*)

    2007-11-07 Includes\Revision.sbi (*)

    2008-06-18 Includes\Security.sbi (*)

    2008-09-30 Includes\SecurityC.sbi (*)

    2008-06-03 Includes\Spybots.sbi (*)

    2008-06-03 Includes\SpybotsC.sbi (*)

    2008-09-09 Includes\Spyware.sbi (*)

    2008-09-23 Includes\SpywareC.sbi (*)

    2008-06-03 Includes\Tracks.uti

    2008-09-30 Includes\Trojans.sbi (*)

    2008-09-30 Includes\TrojansC.sbi (*)

    2008-03-04 Plugins\Chai.dll

    2008-03-05 Plugins\Fennel.dll

    2008-02-26 Plugins\Mate.dll

    2007-12-24 Plugins\TCPIPAddress.dll

    Also, the virus messages from the fake firewall (I think) stopped appearing, and avast stopped crashing. On the other hand, I think the connection got a bit worse, but it may just be some problem that has nothing to do with this. If there is anything else I should know, I'll still be checking here. And thank you very much!

    PS. I'm going to volunteer to learn how to do what you did here and help people on the forum too... if I'm accepted and manage to get the necessary training. Thanks again!


    Dear Maklack

    PS. I'm going to volunteer to learn how to do what you did here and help people on the forum too... if I'm accepted and manage to get the necessary training.
    Good luck :)

    # Step no. 1 #

    Visit this site:

    http://www.bleepingcomputer.com/submit-malware.php?channel=4

    • In the box "Link to topic where this file was requested:", copy and paste the link to this topic:
    http://forum.clubedohardware.com.br/log-hijackthis-smitfraud/587369

    • In the box "Browse to the file you want to submit:", enter:
      • C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe
    • Click the Browse... button
    • In the box "Leave any comments, further information about this file, or contact information:", enter:
      • diego_moicano - Forum Clube do Hardware
    • Click the Send File button

    Thank you

    # Step no. 2 #

    Go to "Jotti's malware scan":

    • In the box at the top (File to upload & scan):
    • Copy and paste the following:
      C:\WINDOWS\system32\wpv3116.cpx.bak
    • Click the button [image]
    • The file will be examined by different antivirus programs; please wait.
    • Repeat and also submit this file for analysis: C:\WINDOWS\system32\wpv592.cpx
    • Copy and paste the results here.

    If the site above is too congested, try one of these sites:

    Alternative 1

    Alternative 2

    # Step no. 3 #

    Temporarily, and while carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after carrying out the procedure(s) mentioned below.

    Open Notepad, copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:

    File::
    C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe
    C:\WINDOWS\system32\drivers\ptvnrrlx.sys

    Folder::
    C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp
    C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "tWqpf9ZjkH"=-

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptvnrrlx]

    Save this file as: CFScript.txt


    As illustrated in the picture above, drag the CFScript.txt file onto ComboFix.exe. When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.

    Cheers :D

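As an added example (not code from this thread, nor from HijackThis or ComboFix), here is a small Python triage helper that applies the reasoning behind the two CFScript replies above: it reads HijackThis O4 autorun lines, flags the eight-lowercase-letter executables dropped into system32 together with the Run values that start them, and drafts the File:: and Registry:: sections of a CFScript.txt in the format used in both scripts. The sample O4 lines, the allowlist and the heuristics are constructed for this example, and the draft is a starting point for the analyst's review.

```python
"""Triage HijackThis O4 lines and draft ComboFix CFScript.txt sections.

Hypothetical helper written for this page; not part of HijackThis or ComboFix.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the O4 lines posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe
O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe
O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_PARENT = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
# Constructed, partial allowlist of legitimate eight-letter XP binaries; extend as needed.
KNOWN_SYSTEM = {"winlogon", "services", "explorer", "userinit"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_o4(line):
    """Return (hive, key, value name, target path) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    if cmd.startswith('"'):          # quoted path, possibly followed by arguments
        target = cmd[1:cmd.index('"', 1)]
    else:
        target = cmd.split()[0]
    # For rundll32 launches, judge the DLL being loaded rather than rundll32.exe.
    if target.lower().rpartition("\\")[2] == "rundll32.exe":
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
        target = rest.split(",", 1)[0].strip().strip('"')
    return m.group("hive"), m.group("key"), m.group("name"), target


def suspicion(name, target):
    """Heuristic reasons an autorun entry deserves a closer look (empty = none).

    random_name   : stem is exactly eight lowercase letters, lives in %WINDIR% or
                    system32 (or carries no path at all) and is not a known system
                    binary; every file dropped on the machine in this thread has
                    that shape (atovabon.exe, cbotadud.exe, gnkfmlud.exe, ...).
    name_mismatch : the Run value name shares no three-letter prefix with the file
                    it starts, and the file sits directly in a system directory.
    """
    directory, _, filename = target.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    in_system_dir = directory.lower() in SYSTEM_DIRS
    reasons = []
    if (re.fullmatch(r"[a-z]{8}", stem) and stem not in KNOWN_SYSTEM
            and (in_system_dir or not directory)):
        reasons.append("random_name")
    clean = re.sub(r"[^a-z0-9]", "", name.lower())
    if in_system_dir and clean[:3] != stem.lower()[:3]:
        reasons.append("name_mismatch")
    return reasons


def draft_cfscript(hjt_text):
    """Return (findings, script): flagged entries with their reasons, and a draft
    CFScript.txt whose File:: section lists the flagged executables and whose
    Registry:: section removes their Run values with the "name"=- syntax used above.
    Only random_name drives the draft; name_mismatch on its own is just reported."""
    files, values, findings = [], defaultdict(list), {}
    for line in hjt_text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, key, name, target = parsed
        reasons = suspicion(name, target)
        if reasons:
            findings[name] = reasons
        if "random_name" in reasons:
            files.append(target)
            values[(hive, key)].append(name)
    out = ["File::", *files, "", "Registry::"]
    for (hive, key), names in values.items():
        out.append(f"[{HIVES[hive]}\\{RUN_PARENT}\\{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return findings, "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found, script = draft_cfscript(SAMPLE_HJT)
    for name, why in found.items():
        print(f"{name}: {', '.join(why)}")
    print(script)
```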
  • Topic author
  • File: wpv3116.cpx.bak

    Status:

    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

    MD5: a044410d8e969670204460b70d2eeed1

    Packers detected:

    -

    Scan taken on 11 Oct 2008 02:58:13 (GMT)

    A-Squared

    Found nothing

    AntiVir

    Found TR/Obfuscated.GX.2450

    ArcaVir

    Found nothing

    Avast

    Found Win32:PureMorph

    AVG Antivirus

    Found nothing

    BitDefender

    Found nothing

    ClamAV

    Found nothing

    CPsecure

    Found nothing

    Dr.Web

    Found nothing

    F-Prot Antivirus

    Found nothing

    F-Secure Anti-Virus

    Found Trojan.Win32.Obfuscated.gx

    G DATA

    Found Win32:PureMorph

    Ikarus

    Found Trojan.Win32.Obfuscated.gx

    Kaspersky Anti-Virus

    Found Trojan.Win32.Obfuscated.gx

    NOD32

    Found Win32/TrojanDownloader.FakeAlert.IQ

    Norman Virus Control

    Found W32/Busky.DRIU

    Panda Antivirus

    Found nothing

    Sophos Antivirus

    Found Mal/Generic-A

    VirusBuster

    Found nothing

    VBA32

    Found nothing

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    File: wpv592.cpx

    Status:

    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

    MD5: b6f04095ec1b3721af7db92753eb977b

    Packers detected:

    -

    Scan taken on 11 Oct 2008 03:00:49 (GMT)

    A-Squared

    Found nothing

    AntiVir

    Found TR/Dldr.Injecter.ars

    ArcaVir

    Found nothing

    Avast

    Found Win32:Trojan-gen {Other}

    AVG Antivirus

    Found nothing

    BitDefender

    Found nothing

    ClamAV

    Found nothing

    CPsecure

    Found nothing

    Dr.Web

    Found Trojan.PWS.ICQSniff.25

    F-Prot Antivirus

    Found nothing

    F-Secure Anti-Virus

    Found Trojan-Downloader.Win32.Injecter.ars

    G DATA

    Found Win32:Trojan-gen

    Ikarus

    Found nothing

    Kaspersky Anti-Virus

    Found Trojan-Downloader.Win32.Injecter.ars

    NOD32

    Found Win32/Agent.OHK

    Norman Virus Control

    Found W32/Smalltroj.HPSY

    Panda Antivirus

    Found nothing

    Sophos Antivirus

    Found nothing

    VirusBuster

    Found nothing

    VBA32

    Found Malware-Cryptor.Win32.General.3 (probable variant)

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    ComboFix 08-10-08.02 - Particular 2008-10-11 0:06:34.3 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1623 [GMT -3:00]

    Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

    Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\CFScript.txt

    * Criado um novo ponto de restauro

    FILE ::

    C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe

    C:\WINDOWS\system32\drivers\ptvnrrlx.sys

    .

    ((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp

    C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe

    C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

    C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany\juxmhurw.exe

    .

    ((((((((((((((((((((((( Ficheiros criados de 2008-09-11 to 2008-10-11 ))))))))))))))))))))))))))))))))

    .

    2008-10-08 21:26 . 2008-10-08 21:26 73,728 --a------ C:\WINDOWS\system32\wpv3116.cpx.bak

    2008-10-08 21:26 . 2008-10-08 21:26 72,192 --a------ C:\WINDOWS\system32\wpv592.cpx

    2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

    2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

    2008-10-07 22:05 . 2008-10-08 21:07 <DIR> d-------- C:\HJT

    2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

    2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

    2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

    2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

    2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

    2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

    2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

    2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

    2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

    2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

    2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

    .

    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-10-10 23:25 --------- d-----w C:\Arquivos de programas\Winamp Remote

    2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

    2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

    2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

    2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

    2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

    2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

    2008-08-12 02:47 --------- d-----w C:\Documents and Settings\Particular\Dados de aplicativos\Hamachi

    2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

    2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

    .

    .

    *Nota* entradas vazias e legítimas por defeito não são mostradas.

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

    "snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

    "Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

    "VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

    "nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

    --a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

    -ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    --------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

    --a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

    "D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

    "C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

    "D:\\OnGame\\GunBoundWC\\GunBound.gme"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

    R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

    S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

    .

    Conteúdo da pasta 'Tarefas Agendadas'

    2008-10-08 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

    - C:\Documents and Settings\Particular\Configura []

    2008-10-11 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

    - C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

    .

    - - - - ORFAOS REMOVIDOS - - - -

    HKCU-Run-DbSmartSh - C:\WINDOWS\system32\atovabon.exe

    HKCU-Run-actmsgstr - C:\WINDOWS\system32\cbotadud.exe

    HKCU-Run-AdmActCom - C:\WINDOWS\system32\gnkfmlud.exe

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-10-11 00:07:27

    Windows 5.1.2600 Service Pack 2 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializáveis ocultas ...

    Procurando ficheiros ocultos ...

    Varredura completada com sucesso

    Ficheiros ocultos: 0

    **************************************************************************

    .

    Tempo para conclusão: 2008-10-11 0:07:56

    ComboFix-quarantined-files.txt 2008-10-11 03:07:52

    ComboFix2.txt 2008-10-09 23:43:39

    ComboFix3.txt 2008-10-09 00:03:48

    Pré-execução: 13 pasta(s) 32.238.862.336 bytes disponíveis

    Pós execução: 14 pasta(s) 32,238,624,768 bytes disponíveis

    137


    Dear Maklack

    Once again, my friend,

    Step no. 1 #

    Visit this site:

    http://www.bleepingcomputer.com/submit-malware.php?channel=4

    • In the "Link to topic where this file was requested:" box, copy and paste the link to this topic:
    http://forum.clubedohardware.com.br/log-hijackthis-smitfraud/587369

    • In the "Browse to the file you want to submit:" box, enter:
      • C:\WINDOWS\system32\wpv3116.cpx.bak

    • Click the Browse... button
    • In the "Leave any comments, further information about this file, or contact information:" box, enter:
      • diego_moicano - Forum Clube do Hardware
    • Click the Send File button
    • Repeat the procedure and also submit this file: C:\WINDOWS\system32\wpv592.cpx

    Thank you

    Step no. 2 #

    Temporarily, while carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after performing the procedure(s) mentioned below.

    Open Notepad, then copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:

    File:: 
    C:\WINDOWS\system32\wpv3116.cpx.bak
    C:\WINDOWS\system32\wpv592.cpx

    Save this file as: CFScript.txt

    [image: 2872959479_997d4500c4_o.gif]

    As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe. When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.

    Step no. 3 #

    Make a new HijackThis log and post it together with the ComboFix log.

    Cheers :D

    Topic author

    ComboFix 08-10-08.02 - Particular 2008-10-15 9:33:25.4 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1644 [GMT -3:00]

    Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

    Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\CFScript.txt

    * Criado um novo ponto de restauro

    FILE ::

    C:\WINDOWS\system32\wpv3116.cpx.bak

    C:\WINDOWS\system32\wpv592.cpx

    .

    ((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\WINDOWS\system32\wpv3116.cpx.bak

    C:\WINDOWS\system32\wpv592.cpx

    .

    ((((((((((((((((((((((( Ficheiros criados de 2008-09-15 to 2008-10-15 ))))))))))))))))))))))))))))))))

    .

    2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

    2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

    2008-10-07 22:05 . 2008-10-08 21:07 <DIR> d-------- C:\HJT

    2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

    2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

    2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

    2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

    2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

    2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

    2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

    2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

    2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

    2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

    2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

    .

    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-10-15 12:15 --------- d-----w C:\Arquivos de programas\Winamp Remote

    2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

    2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

    2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

    2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

    2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

    2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

    2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

    2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

    .

    .

    *Nota* entradas vazias e legítimas por defeito não são mostradas.

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

    "DbSmartSh"="C:\WINDOWS\system32\atovabon.exe" [bU]

    "actmsgstr"="C:\WINDOWS\system32\cbotadud.exe" [bU]

    "AdmActCom"="C:\WINDOWS\system32\gnkfmlud.exe" [bU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

    "snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

    "Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

    "VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

    "nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

    --a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

    -ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    --------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

    --a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

    "D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

    "C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

    "D:\\OnGame\\GunBoundWC\\GunBound.gme"=

    "C:\\Documents and Settings\\Particular\\Meus documentos\\DreMule\\emule.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

    R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

    S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

    .

    Conteúdo da pasta 'Tarefas Agendadas'

    2008-10-14 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

    - C:\Documents and Settings\Particular\Configura []

    2008-10-15 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

    - C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-10-15 09:34:25

    Windows 5.1.2600 Service Pack 2 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializáveis ocultas ...

    Procurando ficheiros ocultos ...

    Varredura completada com sucesso

    Ficheiros ocultos: 0

    **************************************************************************

    .

    Tempo para conclusão: 2008-10-15 9:34:53

    ComboFix-quarantined-files.txt 2008-10-15 12:34:50

    ComboFix2.txt 2008-10-11 03:07:57

    ComboFix3.txt 2008-10-09 23:43:39

    ComboFix4.txt 2008-10-09 00:03:48

    Pré-execução: 13 pasta(s) 32.385.363.968 bytes disponíveis

    Pós execução: 15 pasta(s) 32,439,808,000 bytes disponíveis

    133

    ------------------------------------------------------------------------

    Logfile of HijackThis v1.99.1

    Scan saved at 09:37:01, on 15/10/2008

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\VTTimer.exe

    C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe

    C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\notepad.exe

    C:\WINDOWS\explorer.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

    O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

    O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

    O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

    O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

    O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

    O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    Dear Maklack

    Continuing...

    # Step no. 1 #

    Temporarily, while carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after performing the procedure(s) mentioned below.

    Open Notepad, then copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:

    File::
    C:\WINDOWS\system32\atovabon.exe
    C:\WINDOWS\system32\cbotadud.exe
    C:\WINDOWS\system32\gnkfmlud.exe

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DbSmartSh"=-
    "actmsgstr"=-
    "AdmActCom"=-

    Save this file as: CFScript.txt

    [image: 2872959479_997d4500c4_o.gif]

    As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe. When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.

    # Step no. 2 #

    Download Gmer and save it to your desktop.

    • Extract/unzip the file to its own folder.
    • Having done that, disconnect the PC from the Internet and close all programs.
      There is a very small chance that this application will shut down your PC, so save any work you have open.
    • Double-click Gmer.exe.
    • Allow the gmer.sys driver to run, if you are asked.
    • If you receive the warning about rootkit activity asking whether to run a scan... click NO.
    • Click "Settings" and check the first 5 (five):
      *System Protection and Tracing
      *Processes
      *Save created processes to the log
      *Drivers
      *Save loaded drivers to the log
    • You will be asked to restart the PC. Restart.

    Run Gmer again and click Rootkit.

    • On the right-hand side (under file), uncheck all drives except your hard disk (usually C).
    • Make sure all the other boxes on the right-hand side of the screen are checked, EXCEPT for "Show All".
    • Click "Scan" and wait for the scan to complete.
      Note: Before the scan, make sure all other programs are closed. Also, do not use the computer during the scan.
    • When it finishes, click the Copy button, then right-click on your Desktop, choose "New" and then -> Text Document. When the file has been created, open it, right-click again and choose Paste, or press Ctrl+V. Save the file as gmer.txt and post its contents in your next reply.
    • Note: If you have problems, try running GMER in Safe Mode

    Important! Please do not check the "Show all" box during the scan.

    Cheers :D

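The pattern in this thread (three HKCU Run values listed under ORFAOS REMOVIDOS in one ComboFix log, present again in the next log, then removed with a File:: plus Registry:: CFScript) as an added example that is not part of the original thread or of ComboFix: a Python script that compares the load-point sections of two logs, flags Run values that were removed as orphans and then re-created, and emits the matching CFScript. The log excerpts are constructed from the logs posted above.

```python
"""Compare two ComboFix logs and flag Run values that were reported removed
as orphans in the first log but are present again in the second, then emit
the CFScript (File:: and Registry:: sections) needed to remove both the
value and its target file.

Added example, not ComboFix's own code. Log excerpts are constructed from
the logs posted in this thread.
"""
import re

# Constructed excerpt of the earlier log (ends with an ORFAOS REMOVIDOS section).
LOG_BEFORE = """\
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Orb"="C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe" [2008-01-07 495616]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"avast!"="C:\\ARQUIV~1\\ALWILS~1\\Avast4\\ashDisp.exe" [2005-03-12 98352]

- - - - ORFAOS REMOVIDOS - - - -
HKCU-Run-DbSmartSh - C:\\WINDOWS\\system32\\atovabon.exe
HKCU-Run-actmsgstr - C:\\WINDOWS\\system32\\cbotadud.exe
HKCU-Run-AdmActCom - C:\\WINDOWS\\system32\\gnkfmlud.exe
"""

# Constructed excerpt of the later log: the same three values are back.
LOG_AFTER = """\
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Orb"="C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe" [2008-01-07 495616]
"DbSmartSh"="C:\\WINDOWS\\system32\\atovabon.exe" [bU]
"actmsgstr"="C:\\WINDOWS\\system32\\cbotadud.exe" [bU]
"AdmActCom"="C:\\WINDOWS\\system32\\gnkfmlud.exe" [bU]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"avast!"="C:\\ARQUIV~1\\ALWILS~1\\Avast4\\ashDisp.exe" [2005-03-12 98352]
"""

RUN_SUFFIX = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HIVE_ABBREV = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$")


def parse_run_entries(log):
    """Return {(key, value_name): path} for every value listed under a REGEDIT4 key."""
    entries, current_key = {}, None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("- - - - ORFAOS"):  # orphan section is not REGEDIT4 data
            current_key = None
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries[(current_key, m.group("name"))] = m.group("path")
    return entries


def parse_removed_orphans(log):
    """Return {(key, value_name): path} for the lines under ORFAOS REMOVIDOS."""
    orphans, in_section = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("- - - - ORFAOS REMOVIDOS"):
            in_section = True
            continue
        if in_section and line.startswith("*****"):  # catchme banner ends the section
            break
        m = ORPHAN_RE.match(line) if in_section else None
        if m:
            key = HIVE_ABBREV[m.group("hive")] + RUN_SUFFIX
            orphans[(key, m.group("name"))] = m.group("path")
    return orphans


def find_recreated(log_before, log_after):
    """Run values removed as orphans in log_before that reappear in log_after."""
    removed = parse_removed_orphans(log_before)
    present = parse_run_entries(log_after)
    return {k: present[k] for k in removed if k in present}


def build_cfscript(recreated):
    """CFScript text: File:: for the targets, Registry:: with "name"=- to delete values."""
    lines = ["File::"] + sorted(set(recreated.values())) + ["", "Registry::"]
    for key in sorted({k for k, _ in recreated}):
        lines.append("[%s]" % key)
        lines += ['"%s"=-' % name for k, name in sorted(recreated) if k == key]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_recreated(LOG_BEFORE, LOG_AFTER)
    for (key, name), path in sorted(hits.items()):
        print("re-created: [%s] %s -> %s" % (key, name, path))
    print(build_cfscript(hits))
```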
    Topic author

    ComboFix 08-10-08.02 - Particular 2008-10-15 22:59:17.5 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1627 [GMT -3:00]

    Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

    Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\CFScript.txt

    * Criado um novo ponto de restauro

    .

    ((((((((((((((((((((((( Ficheiros criados de 2008-09-16 to 2008-10-16 ))))))))))))))))))))))))))))))))

    .

    2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

    2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

    2008-10-07 22:05 . 2008-10-15 09:36 <DIR> d-------- C:\HJT

    2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

    2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

    2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

    2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

    2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

    2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

    2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

    2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

    2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

    2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

    2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

    .

    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-10-15 12:15 --------- d-----w C:\Arquivos de programas\Winamp Remote

    2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

    2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

    2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

    2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

    2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

    2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

    2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

    2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

    2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

    .

    .

    *Nota* entradas vazias e legítimas por defeito não são mostradas.

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

    "snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

    "Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

    "VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

    "VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

    "nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

    --a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

    -ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    --------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

    --a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

    "C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

    "D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

    "C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

    "C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

    "D:\\OnGame\\GunBoundWC\\GunBound.gme"=

    "C:\\Documents and Settings\\Particular\\Meus documentos\\DreMule\\emule.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

    R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

    S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

    .

    Contents of the 'Scheduled Tasks' folder

    2008-10-15 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

    - C:\Documents and Settings\Particular\Configura []

    2008-10-16 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

    - C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-10-15 23:00:07

    Windows 5.1.2600 Service Pack 2 NTFS

    Scanning for hidden processes ...

    Scanning for hidden autostart entries ...

    Scanning for hidden files ...

    Scan completed successfully

    Hidden files: 0

    **************************************************************************

    .

    Completion time: 2008-10-15 23:00:39

    ComboFix-quarantined-files.txt 2008-10-16 02:00:37

    ComboFix2.txt 2008-10-15 12:34:54

    ComboFix3.txt 2008-10-11 03:07:57

    ComboFix4.txt 2008-10-09 23:43:39

    ComboFix5.txt 2008-10-16 01:59:01

    Pre-run: 13 folder(s) 32,417,275,904 bytes free

    Post-run: 14 folder(s) 32,407,425,024 bytes free


    Topic author:

    GMER 1.0.14.14536 - http://www.gmer.net

    Rootkit scan 2008-10-15 23:15:32

    Windows 5.1.2600 Service Pack 2

    ---- User code sections - GMER 1.0.14 ----

    .text C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe[404] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 00413A70 C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)

    .text C:\Arquivos de programas\Winamp Remote\bin\Orb.exe[768] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 00402CA0 C:\Arquivos de programas\Winamp Remote\bin\Orb.exe (Orb Application/Orb Networks, Inc.)

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.14 ----

    Topic author:

    Logfile of HijackThis v1.99.1

    Scan saved at 19:14:41, on 23/10/2008

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\VTTimer.exe

    C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\WINDOWS\vsnpstd.exe

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe

    C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

    C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

    O4 - HKLM\..\RunOnce: [SpybotDeletingA7489] command /c del "C:\WINDOWS\system32\netode.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC7481] cmd /c del "C:\WINDOWS\system32\netode.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA2709] command /c del "C:\WINDOWS\system32\newsd32.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC7970] cmd /c del "C:\WINDOWS\system32\newsd32.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA8781] command /c del "C:\WINDOWS\system32\ps1.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC3078] cmd /c del "C:\WINDOWS\system32\ps1.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA5811] command /c del "C:\WINDOWS\system32\psof1.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC9988] cmd /c del "C:\WINDOWS\system32\psof1.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA3340] command /c del "C:\WINDOWS\system32\regc64.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC2174] cmd /c del "C:\WINDOWS\system32\regc64.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA4779] command /c del "C:\WINDOWS\system32\regm64.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC9804] cmd /c del "C:\WINDOWS\system32\regm64.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA1266] command /c del "C:\WINDOWS\system32\Rundl1.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA1014] command /c del "C:\WINDOWS\system32\ssvchost.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC6096] cmd /c del "C:\WINDOWS\system32\ssvchost.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA4042] command /c del "C:\WINDOWS\system32\sysreq.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC3902] cmd /c del "C:\WINDOWS\system32\sysreq.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA4896] command /c del "C:\WINDOWS\system32\taack.dat"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC2435] cmd /c del "C:\WINDOWS\system32\taack.dat"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA1943] command /c del "C:\WINDOWS\system32\taack.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC1612] cmd /c del "C:\WINDOWS\system32\taack.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA2376] command /c del "C:\WINDOWS\system32\temp#01.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC4966] cmd /c del "C:\WINDOWS\system32\temp#01.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA5088] command /c del "C:\WINDOWS\system32\thun.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC2483] cmd /c del "C:\WINDOWS\system32\thun.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA6576] command /c del "C:\WINDOWS\system32\thun32.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC4477] cmd /c del "C:\WINDOWS\system32\thun32.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA4318] command /c del "C:\WINDOWS\system32\VBIEWER.OCX"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC3866] cmd /c del "C:\WINDOWS\system32\VBIEWER.OCX"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA3097] command /c del "C:\WINDOWS\system32\vbsys2.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC6934] cmd /c del "C:\WINDOWS\system32\vbsys2.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA5771] command /c del "C:\WINDOWS\system32\vcatchpi.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC5801] cmd /c del "C:\WINDOWS\system32\vcatchpi.dll"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA4475] command /c del "C:\WINDOWS\system32\winlogonpc.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC9600] cmd /c del "C:\WINDOWS\system32\winlogonpc.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC4718] cmd /c del "C:\WINDOWS\system32\winsystem.exe"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA2333] command /c del "C:\WINDOWS\system32\WINWGPX.EXE"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA5784] command /c del "C:\WINDOWS\base64.tmp"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA3803] command /c del "C:\WINDOWS\bdn.com"

    O4 - HKLM\..\RunOnce: [SpybotDeletingC3063] cmd /c del "C:\WINDOWS\bdn.com"

    O4 - HKLM\..\RunOnce: [SpybotDeletingA3330] command /c del "C:\WINDOWS\FVProtect.exe"

    O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

    O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

    O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

    O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

    O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

    O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

    O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    Dear Maklack

    Step 1

    TeaTimer is an excellent tool for protection against spyware, but at times it also prevents the changes made in HijackThis from taking effect.

    Please disable TeaTimer temporarily until the cleaning of your PC is finished.

    • Open Spybot Search & Destroy.
    • In the menu, go to "Advanced mode" if it is not already selected.
    • Choose "Yes" when asked.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Untick "Resident "TeaTimer" (Protection of overall system settings) active.".
    • Click "Exit" to leave Spybot Search & Destroy.

    Step 2

    Run HijackThis, click "Do a system scan only" and tick the entries from the list below that you find:

    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

    O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

    O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

    O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

    After ticking these entries, close all other windows and click "Fix checked".

    Step 3

    Download the file and save it to the Desktop:

    http://downloads.subratam.org/ResetTeaTimer.bat

    Double-click it!

    Step 4

    Make a new HijackThis log and post it here!

    Regards :D

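    The reply above picks five entries out of the HijackThis log by eye. The script below is an added example (not part of this thread, and not HijackThis or Spybot code) that encodes the same triage as explicit heuristics over O2/O4/O16 lines: a core Windows binary name such as services.exe launched from anywhere other than system32, a per-user (HKCU) Run entry pointing into system32 with a random-looking name, an ActiveX download (O16) entry with no name or URL, and a BHO registered with no file on disk. The sample input is a handful of lines taken from the log posted above plus two benign entries from the same log for contrast. The CORE_BINARIES and USER_AUTORUNS_IN_SYSTEM32 sets and the eight-lowercase-letter name test are assumptions of this example, not rules stated on the page.

```python
import re

# Constructed sample: lines copied from the HijackThis log above, plus two
# benign entries (nwiz, NvCplDaemon, Orb, the UNO ActiveX control) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe
O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe
O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -
"""

O4_RE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)")
O16_RE = re.compile(r"O16 - DPF: \{[0-9A-Fa-f-]+\}\s*(.*)")
O2_RE = re.compile(r"O2 - BHO: .* - (.*)$")

# Assumption of this example: names of the XP logon/service chain, which only
# ever run from %SystemRoot%\system32. A copy in %SystemRoot% itself is a decoy.
CORE_BINARIES = {"services.exe", "winlogon.exe", "lsass.exe",
                 "svchost.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"
# Assumption: the one per-user autorun that legitimately lives in system32.
USER_AUTORUNS_IN_SYSTEM32 = {"ctfmon.exe"}


def image_path(command: str) -> str:
    """Executable part of a Run value: the quoted path if quoted, else the first token."""
    m = re.match(r'"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, reason, line) for every log line a heuristic hits, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            hive, _key, _name, command = m.groups()
            path = image_path(command).lower()
            directory, _, base = path.rpartition("\\")
            stem = base.rsplit(".", 1)[0]
            if base in CORE_BINARIES and directory != SYSTEM32:
                findings.append(("fix", "core Windows binary name outside system32", line))
            elif hive == "HKCU" and directory == SYSTEM32 and base not in USER_AUTORUNS_IN_SYSTEM32:
                reason = "per-user autorun pointing into system32"
                if re.fullmatch(r"[a-z]{8}", stem):
                    reason += ", random-looking 8-letter name"
                findings.append(("fix", reason, line))
            continue
        m = O16_RE.match(line)
        if m and "://" not in m.group(1):
            findings.append(("fix", "ActiveX download entry with no name or URL", line))
            continue
        m = O2_RE.match(line)
        if m and m.group(1) == "(no file)":
            findings.append(("review", "orphaned BHO registration (no file on disk)", line))
    return findings


def fix_list(log_text: str) -> list[str]:
    """Lines to tick in HijackThis before 'Fix checked' (severity 'fix' only)."""
    return [line for severity, _reason, line in triage(log_text) if severity == "fix"]


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

    On the sample input, fix_list() returns exactly the five lines the reply asks to tick. The orphaned BHO is reported at "review" rather than "fix" because a stale registration with no file behind it does nothing on its own. Heuristics like these are a starting point for triage, not a verdict: check the file (signature, hash, vendor) before deleting anything a rule flags.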

    According to the rules of this forum, inactive topics are archived, that is, closed and moved to an "archived topics" forum. If the topic author needs it, they can contact the moderation team and request that this topic be reopened.

    About Clube do Hardware

    Online since 1996, Clube do Hardware is one of the largest, oldest and most respected technology publications in Brazil.

    Copyright

    We do not allow copying or reproduction of the content of our site, forum, newsletters or social networks, even when the source is cited.