Maklack

HijackThis log (Smitfraud and Virtumonde)


Hello, I'm aware that there has already been a case of infestation by these two programs... it's written right here above... but I wanted to know whether the procedures will depend on my HijackThis log. If so, please shed some light on it for me! If not, I'll carry out the procedures that were given to homerx in his topic. Here is my log:

Logfile of HijackThis v1.99.1

Scan saved at 21:00:09, on 6/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany\juxmhurw.exe

C:\WINDOWS\services.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\vsnpstd.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe

C:\WINDOWS\system32\atovabon.exe

C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Meus documentos\Tibia\Tibia.exe

C:\WINDOWS\system32\osk.exe

C:\WINDOWS\system32\MSSWCHX.EXE

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Desktop\SMITE\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\RunOnce: [spybotDeletingA7489] command /c del "C:\WINDOWS\system32\netode.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC7481] cmd /c del "C:\WINDOWS\system32\netode.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2709] command /c del "C:\WINDOWS\system32\newsd32.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC7970] cmd /c del "C:\WINDOWS\system32\newsd32.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA8781] command /c del "C:\WINDOWS\system32\ps1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC3078] cmd /c del "C:\WINDOWS\system32\ps1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA5811] command /c del "C:\WINDOWS\system32\psof1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC9988] cmd /c del "C:\WINDOWS\system32\psof1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA3340] command /c del "C:\WINDOWS\system32\regc64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2174] cmd /c del "C:\WINDOWS\system32\regc64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4779] command /c del "C:\WINDOWS\system32\regm64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC9804] cmd /c del "C:\WINDOWS\system32\regm64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1266] command /c del "C:\WINDOWS\system32\Rundl1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA1014] command /c del "C:\WINDOWS\system32\ssvchost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC6096] cmd /c del "C:\WINDOWS\system32\ssvchost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA4042] command /c del "C:\WINDOWS\system32\sysreq.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC3902] cmd /c del "C:\WINDOWS\system32\sysreq.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA4896] command /c del "C:\WINDOWS\system32\taack.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingC2435] cmd /c del "C:\WINDOWS\system32\taack.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingA1943] command /c del "C:\WINDOWS\system32\taack.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC1612] cmd /c del "C:\WINDOWS\system32\taack.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2376] command /c del "C:\WINDOWS\system32\temp#01.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC4966] cmd /c del "C:\WINDOWS\system32\temp#01.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA5088] command /c del "C:\WINDOWS\system32\thun.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2483] cmd /c del "C:\WINDOWS\system32\thun.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA6576] command /c del "C:\WINDOWS\system32\thun32.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC4477] cmd /c del "C:\WINDOWS\system32\thun32.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4318] command /c del "C:\WINDOWS\system32\VBIEWER.OCX"

O4 - HKLM\..\RunOnce: [spybotDeletingC3866] cmd /c del "C:\WINDOWS\system32\VBIEWER.OCX"

O4 - HKLM\..\RunOnce: [spybotDeletingA3097] command /c del "C:\WINDOWS\system32\vbsys2.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC6934] cmd /c del "C:\WINDOWS\system32\vbsys2.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5771] command /c del "C:\WINDOWS\system32\vcatchpi.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC5801] cmd /c del "C:\WINDOWS\system32\vcatchpi.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4475] command /c del "C:\WINDOWS\system32\winlogonpc.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC9600] cmd /c del "C:\WINDOWS\system32\winlogonpc.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC4718] cmd /c del "C:\WINDOWS\system32\winsystem.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2333] command /c del "C:\WINDOWS\system32\WINWGPX.EXE"

O4 - HKLM\..\RunOnce: [spybotDeletingA5784] command /c del "C:\WINDOWS\base64.tmp"

O4 - HKLM\..\RunOnce: [spybotDeletingA3803] command /c del "C:\WINDOWS\bdn.com"

O4 - HKLM\..\RunOnce: [spybotDeletingC3063] cmd /c del "C:\WINDOWS\bdn.com"

O4 - HKLM\..\RunOnce: [spybotDeletingA3330] command /c del "C:\WINDOWS\FVProtect.exe"

O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Hello Maklack

Welcome to Malware Removal

I recommend that you save this topic in your Favorites to make it easier to find again.

Please note the following:

1) I will be following the procedures for analysing your log and will get back to you as soon as possible;

2) Do not take any action until we begin;

3) What is given here relates only to the problem on your computer, so do not apply it to any other;

4) If you have another computer, open a new topic with its own log;

5) Please follow the instructions carefully and, in case of doubt, don't hesitate to ask;

6) Always post your replies in this topic... Don't open another one!

Note: Do not take any action beyond those given here; if you ask for help on another forum, be sure to let us know, otherwise you risk misconfiguring your computer!

Regards :D


Dear Maklack

Your PC is infected with a Backdoor.

Important: Backdoor/IRCBot Trojans are extremely dangerous because they provide a means of access to the computer's operating system. Remote attackers use this type of malware to gain unauthorised access to your PC and can take full control of it without your knowledge.

If you do or have done any kind of financial transaction (online banking, purchases, etc.) with this PC, or if it contains any sensitive information, I recommend that you:

  1. Avoid using the internet on this PC as much as possible until it is clean.
  2. Use a clean, secure PC and change all your passwords (online passwords).
  3. Contact your financial institutions and inform them of your situation.

Many security experts believe that once a PC has been infected with this type of malware, the best thing to do is to format and reinstall the operating system.

I leave it to you to decide whether or not to format the PC. The infections have been identified and we can remove them; what I cannot guarantee with 100% certainty is that your PC will be secure afterwards.

If you opt for removal, follow the steps below. If you opt to format, please let me know in your next reply.

# Step 1 #

Your HijackThis program is being run from a location that is not recommended, so the backups we make will not be safe.

Before we start fixing your PC's problems, we need to correct the location of HijackThis; please do the following:

  • Right-click an empty area of your desktop.
  • Choose New -> Folder -> type HJT and press Enter.
  • Now right-click HijackThis.exe and choose -> Cut.
  • Right-click an empty area and choose Paste.
  • Now right-click the HJT folder and choose -> Cut.
  • Click -> Start -> My Computer -> right-click -> Local Disk (usually C:\) -> Explore.
  • Right-click an empty area and choose Paste.

Print or save these instructions, as you will be following them without internet access
# Step 2 #
Download SDFix
  • Save it to your desktop.
  • Double-click SDFix.exe and the tool will be installed to %SystemDrive%\SDFix
  • (Normally the drive that contains Windows. Usually:
    C:\SDFix).
  • Do not use it yet

# Step 3 #

Restart the computer in Safe Mode (tap the F8 key repeatedly, or F5 in some cases, during startup)

# Step 4 #

Run SDFix.

  • Open the SDFix folder that was installed on your computer and double-click the RunThis.bat file
  • Press Y for the tool to start the removal process
  • When everything has finished, you will see a message telling you to press any key to continue. When you press any key, the computer will restart automatically
  • After restarting, the tool will run once more to finish its job, and the word Finished will appear. Press any key.
  • A window with the SDFix report will appear.
  • Copy and paste this report into your reply. If you closed the window, a copy of the report is in the SDFix folder under the name Report.txt
  • Also generate and paste a new HijackThis log.

-- If a window opens and closes suddenly, please go to Start -> Run -> and copy and paste the following text:

%systemdrive%\SDFix\apps\FixPath.exe /Q

Restart the PC and run SDFix again.

-- If SDFix still doesn't run, check the %comspec% variable. Right-click My Computer -> Properties -> Advanced -> Environment Variables and check that the ComSpec variable holds the value for cmd.exe: %SystemRoot%\system32\cmd.exe

Regards :D

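The analyst's diagnosis above rests on a few things visible in the HijackThis log: a second `services.exe` running from `C:\WINDOWS` instead of `C:\WINDOWS\system32` (and autostarted from HKLM\..\Run), random eight-letter executables in `system32` and under an Application Data folder, and a long tail of Spybot `RunOnce` delete entries. The script below is an added example written for this page, not a tool from the thread or from HijackThis; it encodes those observations as triage heuristics over the O4 and "Running processes" lines. The allowlist `SYSTEM32_ONLY`, the `SUSPECT_DIRS` locations, the eight-lowercase-letter name rule, and the sample lines (copied from the first log in this thread) are my own assumptions and will produce both false positives and misses on other logs.

```python
# Added example (not from the thread): a small triage script for HijackThis
# 1.99.1 logs. The heuristics below are my own assumptions about what the
# analyst looks for, not rules from HijackThis or from the forum.
import re

# XP binaries that legitimately live only under %SystemRoot%\system32.
# Assumption: a copy with one of these names elsewhere (e.g. C:\WINDOWS\services.exe)
# is masquerading. The same set is excluded from the random-name rule below,
# because "services" and "winlogon" also happen to be eight letters long.
SYSTEM32_ONLY = {"services.exe", "winlogon.exe", "lsass.exe",
                 "svchost.exe", "smss.exe", "csrss.exe"}

# Directories where a random-looking executable name is a strong signal
# (assumption; "Dados de aplicativos" is the pt-BR name of Application Data).
SUSPECT_DIRS = ("\\system32", "dados de aplicativos", "application data")

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>RunOnce|Run): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RANDOM_NAME_RE = re.compile(r"[a-z]{8}\.exe")  # case-sensitive on purpose
PENDING_DEL_RE = re.compile(r"\b(?:cmd|command) /c del ")


def image_path(cmd: str) -> str:
    """Executable path from an autorun command line: a quoted path, else the
    text up to the first .exe/.com/.dll/.scr token, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.(?:exe|com|dll|scr))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def reasons_for_path(path: str) -> list:
    """Heuristic findings for one executable path (empty list = nothing)."""
    parent, _, base = path.rpartition("\\")
    parent_l = parent.lower()
    found = []
    if base.lower() in SYSTEM32_ONLY and parent and not parent_l.endswith("system32"):
        found.append("system binary name outside system32")
    if (RANDOM_NAME_RE.fullmatch(base) and base.lower() not in SYSTEM32_ONLY
            and any(d in parent_l for d in SUSPECT_DIRS)):
        found.append("random-looking 8-letter name in a dropper location")
    return found


def triage_line(line: str):
    """Return (kind, path, reasons) for a process or O4 line, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        path = image_path(cmd)
        reasons = reasons_for_path(path)
        if m.group("key") == "RunOnce" and PENDING_DEL_RE.search(cmd):
            reasons.append("pending delete left by Spybot; file may still exist")
        return ("O4", path, reasons)
    if PROCESS_RE.match(line):
        return ("process", line, reasons_for_path(line))
    return None


def triage(lines):
    """Every flagged entry from an iterable of HijackThis log lines."""
    hits = []
    for line in lines:
        result = triage_line(line)
        if result and result[2]:
            hits.append(result)
    return hits


# Constructed sample: a few lines copied from the first log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany\juxmhurw.exe
C:\WINDOWS\SOUNDMAN.EXE
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [spybotDeletingC7481] cmd /c del "C:\WINDOWS\system32\netode.exe"
O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe
""".strip().splitlines()

if __name__ == "__main__":
    for kind, path, reasons in triage(SAMPLE_LOG):
        print(f"[{kind}] {path}\n    " + "; ".join(reasons))
```

Run against the sample it flags the two `C:\WINDOWS\services.exe` entries (process and autorun), `juxmhurw.exe`, `atovabon.exe`, and the Spybot `RunOnce` line, while leaving the real `system32\services.exe`, `SOUNDMAN.EXE`, avast and TeaTimer alone. The path-extraction step matters: HijackThis prints unquoted paths containing spaces, so splitting on the first space would mis-read the TeaTimer line.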

Fatal error: Maximum execution time of 30 seconds exceeded in /www/forum/includes/functions.php on line 1736

I can't post the SDFix log

I'll keep trying

Logfile of HijackThis v1.99.1

Scan saved at 22:38:54, on 7/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\vsnpstd.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe

C:\WINDOWS\system32\cbotadud.exe

C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

O4 - HKLM\..\RunOnce: [spybotDeletingA7489] command /c del "C:\WINDOWS\system32\netode.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC7481] cmd /c del "C:\WINDOWS\system32\netode.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2709] command /c del "C:\WINDOWS\system32\newsd32.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC7970] cmd /c del "C:\WINDOWS\system32\newsd32.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA8781] command /c del "C:\WINDOWS\system32\ps1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC3078] cmd /c del "C:\WINDOWS\system32\ps1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA5811] command /c del "C:\WINDOWS\system32\psof1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC9988] cmd /c del "C:\WINDOWS\system32\psof1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA3340] command /c del "C:\WINDOWS\system32\regc64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2174] cmd /c del "C:\WINDOWS\system32\regc64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4779] command /c del "C:\WINDOWS\system32\regm64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC9804] cmd /c del "C:\WINDOWS\system32\regm64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1266] command /c del "C:\WINDOWS\system32\Rundl1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA1014] command /c del "C:\WINDOWS\system32\ssvchost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC6096] cmd /c del "C:\WINDOWS\system32\ssvchost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA4042] command /c del "C:\WINDOWS\system32\sysreq.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC3902] cmd /c del "C:\WINDOWS\system32\sysreq.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA4896] command /c del "C:\WINDOWS\system32\taack.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingC2435] cmd /c del "C:\WINDOWS\system32\taack.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingA1943] command /c del "C:\WINDOWS\system32\taack.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC1612] cmd /c del "C:\WINDOWS\system32\taack.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2376] command /c del "C:\WINDOWS\system32\temp#01.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC4966] cmd /c del "C:\WINDOWS\system32\temp#01.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA5088] command /c del "C:\WINDOWS\system32\thun.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2483] cmd /c del "C:\WINDOWS\system32\thun.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA6576] command /c del "C:\WINDOWS\system32\thun32.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC4477] cmd /c del "C:\WINDOWS\system32\thun32.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4318] command /c del "C:\WINDOWS\system32\VBIEWER.OCX"

O4 - HKLM\..\RunOnce: [spybotDeletingC3866] cmd /c del "C:\WINDOWS\system32\VBIEWER.OCX"

O4 - HKLM\..\RunOnce: [spybotDeletingA3097] command /c del "C:\WINDOWS\system32\vbsys2.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC6934] cmd /c del "C:\WINDOWS\system32\vbsys2.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5771] command /c del "C:\WINDOWS\system32\vcatchpi.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC5801] cmd /c del "C:\WINDOWS\system32\vcatchpi.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4475] command /c del "C:\WINDOWS\system32\winlogonpc.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC9600] cmd /c del "C:\WINDOWS\system32\winlogonpc.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC4718] cmd /c del "C:\WINDOWS\system32\winsystem.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2333] command /c del "C:\WINDOWS\system32\WINWGPX.EXE"

O4 - HKLM\..\RunOnce: [spybotDeletingA5784] command /c del "C:\WINDOWS\base64.tmp"

O4 - HKLM\..\RunOnce: [spybotDeletingA3803] command /c del "C:\WINDOWS\bdn.com"

O4 - HKLM\..\RunOnce: [spybotDeletingC3063] cmd /c del "C:\WINDOWS\bdn.com"

O4 - HKLM\..\RunOnce: [spybotDeletingA3330] command /c del "C:\WINDOWS\FVProtect.exe"

O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by Maklack


I'll try posting it in 2 parts.

First part of the SDFix log:

SDFix: Version 1.233

Run by Particular on ter 07/10/2008 at 22:22

Microsoft Windows XP [versão 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Resetting SecurityProviders Value

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\~.exe - Deleted

C:\WINDOWS\system32\wpv962.cpx - Deleted

C:\WINDOWS\system32\wpv962.cpx - Deleted

C:\WINDOWS\msauc.exe - Deleted

C:\WINDOWS\services.exe - Deleted

C:\WINDOWS\system32\shell31.dll - Deleted

C:\WINDOWS\wiaservb.log - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-07 22:26:56

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\System]

"Location"="D:\System Volume Information"

"IsIndexingW3Svc"=dword:00000000

"IsIndexingNNTPSvc"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0C0C\aa]

"Capabilities"=dword:00000070

"ConfigFlags"=dword:00000000

"HardwareID"=str(7):"ACPI\PNP0C0C\0*PNP0C0C\0"

"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"

"Class"="System"

"Driver"="{4D36E97D-E325-11CE-BFC1-08002BE10318}\0011"

"Mfg"="(Dispositivos de sistema padrão)"

"DeviceDesc"="Botão ligar/desligar ACPI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0C0C\aa\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SWPRV]

"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SWPRV\0000]

"Service"="SwPrv"

"Legacy"=dword:00000001

"ConfigFlags"=dword:00000000

"Class"="LegacyDriver"

"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

"DeviceDesc"="MS Software Shadow Copy Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Abiosdsk]

"ErrorControl"=dword:00000000

"Group"="Primary disk"

"Start"=dword:00000004

"Tag"=dword:00000003

"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\abiosdsk]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\PptpMiniport]

"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDAudBus]

"Type"=dword:00000001

"Start"=dword:00000003

"ErrorControl"=dword:00000001

"Tag"=dword:00000008

"ImagePath"=str(2):"system32\DRIVERS\HDAudBus.sys"

"DisplayName"="Microsoft UAA Bus Driver for High Definition Audio"

"Group"="Extended Base"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]

"ErrorControl"=dword:00000001

"Group"="System Bus estender"

"Start"=dword:00000004

"Tag"=dword:00000004

"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport]

"Type"=dword:00000001

"Start"=dword:00000003

"ErrorControl"=dword:00000001

"ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"

"DisplayName"="Miniporta de rede remota (PPTP)"

"Description"="Miniporta de rede remota (PPTP)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptvnrrlx]

"Type"=dword:00000001

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\ptvnrrlx.sys"

"DisplayName"="ptvnrrlx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptvnrrlx\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]

"Epoch"=dword:00018789

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"DhcpNameServer"="200.250.77.87 200.250.77.85"

"DhcpDomain"="ctb.virtua.com.br"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B00663B4-E6F4-44E2-B51C-6A8E361328A4}]

"LeaseObtainedTime"=dword:48ec0be2

"T1"=dword:48ec0c61

"T2"=dword:48ec0cc1

"LeaseTerminatesTime"=dword:48ec0ce1

"DhcpRetryTime"=dword:0000007d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B00663B4-E6F4-44E2-B51C-6A8E361328A4}\Parameters\Tcpip]

"LeaseObtainedTime"=dword:48ec0be2

"T1"=dword:48ec0c61

"T2"=dword:48ec0cc1

"LeaseTerminatesTime"=dword:48ec0ce1

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ContentIndex\Catalogs\System]

"Location"="D:\System Volume Information"

"IsIndexingW3Svc"=dword:00000000

"IsIndexingNNTPSvc"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\ACPI\PNP0C0C\aa]

"Capabilities"=dword:00000070

"ConfigFlags"=dword:00000000

"HardwareID"=str(7):"ACPI\PNP0C0C\0*PNP0C0C\0"

"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"

"Class"="System"

"Driver"="{4D36E97D-E325-11CE-BFC1-08002BE10318}\0011"

"Mfg"="(Dispositivos de sistema padrão)"

"DeviceDesc"="Botão ligar/desligar ACPI"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\ACPI\PNP0C0C\aa\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SWPRV]

"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SWPRV\0000]

"Service"="SwPrv"

"Legacy"=dword:00000001

"ConfigFlags"=dword:00000000

"Class"="LegacyDriver"

"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

"DeviceDesc"="MS Software Shadow Copy Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Abiosdsk]

"ErrorControl"=dword:00000000

"Group"="Primary disk"

"Start"=dword:00000004

"Tag"=dword:00000003

"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\abiosdsk]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\intelide]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\PptpMiniport]

"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HDAudBus]

"Type"=dword:00000001

"Start"=dword:00000003

"ErrorControl"=dword:00000001

"Tag"=dword:00000008

"ImagePath"=str(2):"system32\DRIVERS\HDAudBus.sys"

"DisplayName"="Microsoft UAA Bus Driver for High Definition Audio"

"Group"="Extended Base"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IntelIde]

"ErrorControl"=dword:00000001

"Group"="System Bus estender"

"Start"=dword:00000004

"Tag"=dword:00000004

"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PptpMiniport]

"Type"=dword:00000001

"Start"=dword:00000003

"ErrorControl"=dword:00000001

"ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"

"DisplayName"="Miniporta de rede remota (PPTP)"

"Description"="Miniporta de rede remota (PPTP)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PptpMiniport\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ptvnrrlx]

"Type"=dword:00000001

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\ptvnrrlx.sys"

"DisplayName"="ptvnrrlx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ptvnrrlx\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinSock2]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\DeluxeCD\Providers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CSSFilters]

"oavredirect"="{999937BC-30FE-11D4-BA52-00C04F6843FA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu\StartMenuRun]

"Type"="checkbox"

"Text"="@shell32.dll,-30474"

"HKeyRoot"=dword:80000001

"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

"ValueName"="StartMenuRun"

"CheckedValue"=dword:00000001

"UncheckedValue"=dword:00000000

"DefaultValue"=dword:00000001

"HelpID"="windows.hlp#51142"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowPrinters]

"Type"="checkbox"

"Text"="@shell32.dll,-30493"

"HKeyRoot"=dword:80000001

"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

"ValueName"="Start_ShowPrinters"

"CheckedValue"=dword:00000001

"UncheckedValue"=dword:00000000

"DefaultValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cj.com]

@=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\ssby.com]

@=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2201"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\BBHVR\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2000"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2200"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\DISABLE]

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA]

"Type"="group"

"Text"="Submeter dados de formulário não criptografados"

"PlugUIText"="@inetcplc.dll,-4797"

"Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\ALLOW]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Ativar"

"PlugUIText"="@inetcplc.dll,-4803"

"ValueName"="1601"

"CheckedValue"=dword:00000000

"DefaultValue"=dword:00000003

"Mask"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\DENY]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="1601"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"Mask"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\QUERY]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Avisar"

"PlugUIText"="@inetcplc.dll,-4804"

"ValueName"="1601"

"CheckedValue"=dword:00000001

"DefaultValue"=dword:00000003

"Mask"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\MIME_SNIFFING\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2100"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\RESTRICTED_PROTOCOLS\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2300"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\WINDOW_RESTRICTIONS\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2102"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\ZONE_ELEVATION\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2101"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2201"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\BBHVR\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2000"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2200"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\JAVAPER\JAVA\DISABLE]

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar Java"

"PlugUIText"="@inetcplc.dll,-4818"

"ValueName"="1C00"

"CheckedValue"=dword:00000000

"DefaultValue"=dword:00000000

"HKeyRoot"=dword:80000002

"HelpID"="iexplore.hlp#50241"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA]

"Type"="group"

"Text"="Submeter dados de formulário não criptografados"

"PlugUIText"="@inetcplc.dll,-4797"

"Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\ALLOW]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Ativar"

"PlugUIText"="@inetcplc.dll,-4803"

"ValueName"="1601"

"CheckedValue"=dword:00000000

"DefaultValue"=dword:00000003

"HKeyRoot"=dword:80000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\DENY]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="1601"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

"HKeyRoot"=dword:80000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\QUERY]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Avisar"

"PlugUIText"="@inetcplc.dll,-4804"

"ValueName"="1601"

"CheckedValue"=dword:00000001

"DefaultValue"=dword:00000003

"HKeyRoot"=dword:80000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\MIME_SNIFFING\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2100"

"CheckedValue"=dword:00000003


Second part of the SDFix log:

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\RESTRICTED_PROTOCOLS\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2300"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\WINDOW_RESTRICTIONS\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2102"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\ZONE_ELEVATION\DISABLE]

"Type"="radio"

"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

"Text"="Desativar"

"PlugUIText"="@inetcplc.dll,-4805"

"ValueName"="2101"

"CheckedValue"=dword:00000003

"DefaultValue"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\begun.ru\autocontext]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestmanage.org\a]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestmanage.org\f5]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cookingluck.com\f5]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nipd.it]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssby.com]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\thezirius.com\f5]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\truth-is-out-there.org\f5]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\urlstat.ru]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\begun.ru\autocontext]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\bestmanage.org\a]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\bestmanage.org\f5]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\cookingluck.com\f5]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\nipd.it]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\ssby.com]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\thezirius.com\f5]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\truth-is-out-there.org\f5]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it\www]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\urlstat.ru]

"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\aa]

"a"="C:\Documents and Settings\Particular\Desktop\Discovery.Channel-Mega.Construcoes-O.Metro.de.Nova.York-upload.by.Maua.wmv.aa"

"MRUList"="a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]

"Days between clean up"=dword:0000003c

"NoRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU]

"0"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"1"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"2"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"3"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"4"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"5"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"6"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"7"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"8"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"9"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"10"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"11"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"12"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"13"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"14"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"15"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"16"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"17"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"18"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"19"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"20"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"21"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"22"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"23"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"24"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"25"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"26"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"27"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"28"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"29"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"30"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"31"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"32"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"33"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..

"34"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"35"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"36"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"37"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"MRUListEx"=hex:d6,00,00,00,d5,00,00,00,d4,00,00,00,d3,00,00,00,d2,00,00,00,d1,..

"38"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"39"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"40"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"41"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"42"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"43"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"44"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"45"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"46"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"47"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"48"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"49"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"50"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"51"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"52"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"53"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"54"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"55"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"56"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"57"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"58"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"59"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"60"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"61"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"62"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"63"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"64"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"65"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"66"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"67"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"68"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"69"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"70"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"71"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"72"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"73"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"74"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"75"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"76"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"77"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"78"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"79"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"80"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"81"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"82"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"83"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"84"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"85"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"86"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"87"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"88"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"89"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"90"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"91"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"92"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"93"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"94"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"95"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"96"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"97"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"98"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"99"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"100"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"101"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"102"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"103"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"104"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"105"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"106"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"107"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..


Yes, it had to be split into 3 parts. Here is the last one:

"108"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"109"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"110"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"111"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"112"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"113"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"114"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"115"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"116"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"117"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"118"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"119"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"120"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"121"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"122"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"123"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"124"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"125"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"126"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"127"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"128"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"129"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"130"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"131"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"132"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"133"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"134"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"135"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"136"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"137"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"138"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"139"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"140"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"141"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"142"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"143"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"144"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"145"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"146"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"147"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"148"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"149"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"150"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"151"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"152"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"153"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"154"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"155"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"156"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"157"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"158"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"159"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"160"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"161"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"162"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"163"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"164"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"165"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"166"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"167"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"168"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"169"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"170"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"171"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"172"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"173"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"174"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"175"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"176"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"177"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"178"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"179"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"180"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"181"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"182"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"183"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"184"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"185"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"186"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"187"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"188"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"189"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"190"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"191"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"192"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"193"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"194"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"195"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"196"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"197"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"198"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"199"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"200"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"201"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"202"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"203"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"204"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"205"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"206"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"207"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"208"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"209"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"210"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"211"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"212"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"213"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

"214"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cj.com]

@=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\ssby.com]

@=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bb.org]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\begun.ru\autocontext]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestmanage.org\a]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestmanage.org\f5]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cookingluck.com\f5]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\muul.com]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nipd.it]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\norsty.net]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redir.ws\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssby.com]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\thezirius.com\f5]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\truth-is-out-there.org\f5]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unini.it\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unobo.it\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\urlstat.ru]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\begun.ru\autocontext]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\bestmanage.org\a]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\bestmanage.org\f5]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\cookingluck.com\f5]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\nipd.it]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\redir.ws\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\ssby.com]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\thezirius.com\f5]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\truth-is-out-there.org\f5]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unini.it\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\unobo.it\www]

"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\urlstat.ru]

"*"=dword:00000004

scanning hidden files ...

C:\WINDOWS\system32\drivers\PxHelp20.sys 43528 bytes executable

scan completed successfully

hidden processes: 0

hidden services: 4

hidden files: 1

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"="C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe:*:Enabled:WinDVD"

"C:\\Arquivos de programas\\MSN Messenger\\msncall.exe"="C:\\Arquivos de programas\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"D:\\Call of Duth 2\\CoD2MP_s.exe"="D:\\Call of Duth 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"

"D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"="D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"

"C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"="C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"

"C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"="C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe:*:Enabled:zsnesw"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\MSN Messenger\\msncall.exe"="C:\\Arquivos de programas\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 20 Oct 2003 73,688 ..SHR --- "C:\Arquivos de programas\Autodesk\Autodesk DWF Viewer\Setup.exe"

Sat 24 Jan 2004 5,120 A.SHR --- "C:\Arquivos de programas\Autodesk\Autodesk DWF Viewer\_Setupx.dll"

Mon 22 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"

Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"

Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"

Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"

Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"

Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"

Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"

Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"

Mon 2 Dec 2002 431,616 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"

Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"

Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\SDHelper.dll"

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\SDUpdate.exe"

Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\SpybotSD.exe"

Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe"

Finished!


Dear Maklack

Very good :)

Follow the instructions in the link below and install and run ComboFix:

http://www.bleepingcomputer.com/combofix/pt/como-usar-o-combofix

  • It is important that you install the Recovery Console as well.
  • When the tool finishes running, it will generate a log (the file C:\ComboFix.txt).
  • Paste the contents of that file and also make a new HijackThis log to include in your reply.

Attention: Do not use the mouse or the keyboard while the tool is running; this can cause the PC to hang.

Note: Please do NOT use ComboFix on your own. It is a powerful tool created to deal with sophisticated infections, and if you do not use it correctly it can damage your computer. The tool should only be used under the supervision of malware removal assistants.

Regards :D


ComboFix 08-10-08.02 - Particular 2008-10-08 20:58:00.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1671 [GMT -3:00]

Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

* Criado um novo ponto de restauro

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\IE4 Error Log.txt

C:\WINDOWS\system32\drivers\ptvnrrlx.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PTVNRRLX

-------\Service_ptvnrrlx

((((((((((((((((((((((( Ficheiros criados de 2008-09-09 to 2008-10-09 ))))))))))))))))))))))))))))))))

.

2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

2008-10-07 22:05 . 2008-10-07 22:38 <DIR> d-------- C:\HJT

2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

2008-10-06 14:20 . 2008-10-06 14:20 106,496 --a------ C:\WINDOWS\system32\apkzytkr.exe

2008-10-06 03:56 . 2008-10-06 03:56 98,304 --a------ C:\WINDOWS\system32\gnkfmlud.exe

2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

2008-10-06 01:46 . 2008-10-06 01:46 98,304 --a------ C:\WINDOWS\system32\atovabon.exe

2008-10-06 00:00 . 2008-10-06 00:00 98,304 --a------ C:\WINDOWS\system32\fcrghghu.exe

2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-10-04 04:09 . 2008-10-04 04:09 29 --a------ C:\WINDOWS\system32\ttfiggif.tmp

2008-10-04 04:08 . 2008-10-04 04:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

2008-10-04 04:08 . 2008-10-04 04:08 114,688 --a------ C:\WINDOWS\system32\cbotadud.exe

2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-08 23:19 --------- d-----w C:\Arquivos de programas\Winamp Remote

2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

2008-08-12 02:47 --------- d-----w C:\Documents and Settings\Particular\Dados de aplicativos\Hamachi

2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

"DbSmartSh"="C:\WINDOWS\system32\atovabon.exe" [2008-10-06 98304]

"actmsgstr"="C:\WINDOWS\system32\cbotadud.exe" [2008-10-04 114688]

"AdmActCom"="C:\WINDOWS\system32\gnkfmlud.exe" [2008-10-06 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

"Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

"VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

"nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

-ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655d6058-87a1-11dc-b765-001a4dab7b24}]

\Shell\AutoRun\command - F:\LaunchU3.exe

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-10-08 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

- C:\Documents and Settings\Particular\Configura []

2008-10-08 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

.

.

------- Ccan Suplementar -------

.

O8 -: &Windows Live Search - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48}

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-08 21:02:25

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-10-08 21:03:47 - Maquina reiniciou

ComboFix-quarantined-files.txt 2008-10-09 00:03:43

Pré-execução: 12 pasta(s) 30.292.434.944 bytes disponíveis

Pós execução: 15 pasta(s) 32,309,387,264 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Logfile of HijackThis v1.99.1

Scan saved at 21:08:02, on 8/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\atovabon.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


While I kept the firewall disabled to carry out the procedures you indicated, the virus message stopped appearing (the message says that the Windows firewall detected one of several kinds of virus, which it shows at random, and asks me to go download an antivirus from a site given in the message). As soon as I re-enabled the firewall, the message came back.


Dear Maklack

# Step 1 #

Visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

  • In the "Link to topic where this file was requested:" box, copy and paste the link to this topic:
http://forum.clubedohardware.com.br/log-hijackthis-smitfraud/587369

  • In the "Browse to the file you want to submit:" box, enter:
    • C:\WINDOWS\system32\apkzytkr.exe
  • Click the Browse... button
  • In the "Leave any comments, further information about this file, or contact information:" box, enter:
    • diego_moicano - Forum Clube do Hardware
  • Click the Send File button
  • Repeat the procedure and also submit these files:
    • C:\WINDOWS\system32\gnkfmlud.exe
    • C:\WINDOWS\system32\atovabon.exe
    • C:\WINDOWS\system32\fcrghghu.exe
    • C:\WINDOWS\system32\ttfiggif.tmp
    • C:\WINDOWS\system32\cbotadud.exe

Thank you

# Step 2 #

Temporarily, and for as long as you are carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after carrying out the procedure(s) mentioned below.

Open Notepad, copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:

File::
C:\WINDOWS\system32\apkzytkr.exe
C:\WINDOWS\system32\gnkfmlud.exe
C:\WINDOWS\system32\atovabon.exe
C:\WINDOWS\system32\fcrghghu.exe
C:\WINDOWS\system32\ttfiggif.tmp
C:\WINDOWS\system32\cbotadud.exe
C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany
F:\LaunchU3.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DbSmartSh"=-
"actmsgstr"=-
"AdmActCom"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655d6058-87a1-11dc-b765-001a4dab7b24}]

Save this file as: CFScript.txt


As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe. When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.

Cheers :D


ComboFix 08-10-08.02 - Particular 2008-10-09 20:39:41.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1642 [GMT -3:00]

Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\CFScript.txt

* Criado um novo ponto de restauro

FILE ::

C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

C:\WINDOWS\system32\apkzytkr.exe

C:\WINDOWS\system32\atovabon.exe

C:\WINDOWS\system32\cbotadud.exe

C:\WINDOWS\system32\fcrghghu.exe

C:\WINDOWS\system32\gnkfmlud.exe

C:\WINDOWS\system32\ttfiggif.tmp

F:\LaunchU3.exe

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\DOCUME~1\PARTIC~1\CONFIG~1\Temp\winlogon.exe

C:\WINDOWS\msauc.exe

C:\WINDOWS\system32\apkzytkr.exe

C:\WINDOWS\system32\atovabon.exe

C:\WINDOWS\system32\cbotadud.exe

C:\WINDOWS\system32\drivers\qulwqkwt.sys

C:\WINDOWS\system32\fcrghghu.exe

C:\WINDOWS\system32\gnkfmlud.exe

C:\WINDOWS\system32\msansspc.dll

C:\WINDOWS\system32\shell31.dll

C:\WINDOWS\system32\ttfiggif.tmp

C:\WINDOWS\wiaservb.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_QULWQKWT

-------\Service_qulwqkwt

((((((((((((((((((((((( Ficheiros criados de 2008-09-09 to 2008-10-09 ))))))))))))))))))))))))))))))))

.

2008-10-08 21:27 . 2008-10-08 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp

2008-10-08 21:26 . 2008-10-08 21:26 73,728 --a------ C:\WINDOWS\system32\wpv3116.cpx.bak

2008-10-08 21:26 . 2008-10-08 21:26 72,192 --a------ C:\WINDOWS\system32\wpv592.cpx

2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

2008-10-07 22:05 . 2008-10-08 21:07 <DIR> d-------- C:\HJT

2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-10-04 04:08 . 2008-10-04 04:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-09 23:20 --------- d-----w C:\Arquivos de programas\Winamp Remote

2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

2008-08-12 02:47 --------- d-----w C:\Documents and Settings\Particular\Dados de aplicativos\Hamachi

2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

"Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

"VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

"nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"tWqpf9ZjkH"="C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe" [2008-10-08 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

-ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-10-08 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

- C:\Documents and Settings\Particular\Configura []

2008-10-09 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

.

- - - - ORFAOS REMOVIDOS - - - -

HKLM-Run-jjbrrbjj - C:\WINDOWS\jjbrrbjj.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-09 20:42:20

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-10-09 20:43:38 - Maquina reiniciou

ComboFix-quarantined-files.txt 2008-10-09 23:43:35

ComboFix2.txt 2008-10-09 00:03:48

Pré-execução: 13 pasta(s) 32.280.387.584 bytes disponíveis

Pós execução: 15 pasta(s) 32,270,467,072 bytes disponíveis

169


Yeah, boy! I think that's a good sign.

Hint of the Day: Click the bar at the right of this to see more information! ()

Parabéns!: Nenhuma ameaça imediata foi encontrada. ()

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)

2008-07-07 SDFiles.exe (1.6.0.4)

2008-07-07 SDMain.exe (1.0.0.6)

2008-07-07 SDShred.exe (1.0.2.3)

2008-07-07 SDUpdate.exe (1.6.0.8)

2008-07-07 SDWinSec.exe (1.0.0.12)

2008-07-07 SpybotSD.exe (1.6.0.30)

2008-09-16 TeaTimer.exe (1.6.3.25)

2008-10-03 unins000.exe (51.49.0.0)

2008-07-07 Update.exe (1.6.0.7)

2008-07-07 advcheck.dll (1.6.1.12)

2007-04-02 aports.dll (2.1.0.0)

2008-06-14 DelZip179.dll (1.79.11.1)

2008-09-15 SDHelper.dll (1.6.2.14)

2008-06-19 sqlite3.dll

2008-07-07 Tools.dll (2.1.5.7)

2008-09-02 Includes\Adware.sbi (*)

2008-09-09 Includes\AdwareC.sbi (*)

2008-06-03 Includes\Cookies.sbi (*)

2008-09-02 Includes\Dialer.sbi (*)

2008-09-09 Includes\DialerC.sbi (*)

2008-07-23 Includes\HeavyDuty.sbi (*)

2008-09-02 Includes\Hijackers.sbi (*)

2008-09-02 Includes\HijackersC.sbi (*)

2008-09-09 Includes\Keyloggers.sbi (*)

2008-09-30 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2008-09-09 Includes\Malware.sbi (*)

2008-09-30 Includes\MalwareC.sbi (*)

2008-09-02 Includes\PUPS.sbi (*)

2008-09-11 Includes\PUPSC.sbi (*)

2007-11-07 Includes\Revision.sbi (*)

2008-06-18 Includes\Security.sbi (*)

2008-09-30 Includes\SecurityC.sbi (*)

2008-06-03 Includes\Spybots.sbi (*)

2008-06-03 Includes\SpybotsC.sbi (*)

2008-09-09 Includes\Spyware.sbi (*)

2008-09-23 Includes\SpywareC.sbi (*)

2008-06-03 Includes\Tracks.uti

2008-09-30 Includes\Trojans.sbi (*)

2008-09-30 Includes\TrojansC.sbi (*)

2008-03-04 Plugins\Chai.dll

2008-03-05 Plugins\Fennel.dll

2008-02-26 Plugins\Mate.dll

2007-12-24 Plugins\TCPIPAddress.dll

Besides that, it stopped showing the virus messages from the fake firewall (I think), and Avast stopped crashing. On the other hand, I think the connection got a bit worse, but that could just be some problem that has nothing to do with this. If there's anything else I should know, I'll still be checking here. And thank you very much!

PS. I'm going to volunteer to learn how to do what you did here and help people on the forum too... if I'm accepted and manage to get the necessary training. Thanks again!


Dear Maklack

PS. I'm going to volunteer to learn how to do what you did here and help people on the forum too... if I'm accepted and manage to get the necessary training.
Good luck :)

# Step 1 #

Visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

  • In the "Link to topic where this file was requested:" box, copy and paste the link to this topic:
http://forum.clubedohardware.com.br/log-hijackthis-smitfraud/587369

  • In the "Browse to the file you want to submit:" box, enter:
    • C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe
  • Click the Browse... button
  • In the "Leave any comments, further information about this file, or contact information:" box, enter:
    • diego_moicano - Forum Clube do Hardware
  • Click the Send File button

Thank you

# Step 2 #

Go to "Jotti's malware scan":

  • In the box at the top (File to upload & scan);
  • Copy and paste the following:
    C:\WINDOWS\system32\wpv3116.cpx.bak
  • Click the button
  • The file will be examined by several different antivirus programs; please wait.
  • Repeat and also submit this file for analysis: C:\WINDOWS\system32\wpv592.cpx
  • Copy and paste the results here.

If the site above is too busy, try one of these sites:

Alternative 1

Alternative 2

# Step 3 #

Temporarily, and for as long as you are carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after carrying out the procedure(s) mentioned below.

Open Notepad, copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:

File::
C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe
C:\WINDOWS\system32\drivers\ptvnrrlx.sys

Folder::
C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp
C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"tWqpf9ZjkH"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptvnrrlx]

Save this file as: CFScript.txt


As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe. When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.

Cheers :D


File: wpv3116.cpx.bak

Status:

INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5: a044410d8e969670204460b70d2eeed1

Packers detected:

-

Scan taken on 11 Oct 2008 02:58:13 (GMT)

A-Squared

Found nothing

AntiVir

Found TR/Obfuscated.GX.2450

ArcaVir

Found nothing

Avast

Found Win32:PureMorph

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

CPsecure

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found Trojan.Win32.Obfuscated.gx

G DATA

Found Win32:PureMorph

Ikarus

Found Trojan.Win32.Obfuscated.gx

Kaspersky Anti-Virus

Found Trojan.Win32.Obfuscated.gx

NOD32

Found Win32/TrojanDownloader.FakeAlert.IQ

Norman Virus Control

Found W32/Busky.DRIU

Panda Antivirus

Found nothing

Sophos Antivirus

Found Mal/Generic-A

VirusBuster

Found nothing

VBA32

Found nothing

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

File: wpv592.cpx

Status:

INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5: b6f04095ec1b3721af7db92753eb977b

Packers detected:

-

Scan taken on 11 Oct 2008 03:00:49 (GMT)

A-Squared

Found nothing

AntiVir

Found TR/Dldr.Injecter.ars

ArcaVir

Found nothing

Avast

Found Win32:Trojan-gen {Other}

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

CPsecure

Found nothing

Dr.Web

Found Trojan.PWS.ICQSniff.25

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found Trojan-Downloader.Win32.Injecter.ars

G DATA

Found Win32:Trojan-gen

Ikarus

Found nothing

Kaspersky Anti-Virus

Found Trojan-Downloader.Win32.Injecter.ars

NOD32

Found Win32/Agent.OHK

Norman Virus Control

Found W32/Smalltroj.HPSY

Panda Antivirus

Found nothing

Sophos Antivirus

Found nothing

VirusBuster

Found nothing

VBA32

Found Malware-Cryptor.Win32.General.3 (probable variant)

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 08-10-08.02 - Particular 2008-10-11 0:06:34.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1623 [GMT -3:00]

Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\CFScript.txt

* Criado um novo ponto de restauro

FILE ::

C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe

C:\WINDOWS\system32\drivers\ptvnrrlx.sys

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp

C:\Documents and Settings\All Users\Dados de aplicativos\cjwpsvcp\sfahepgz.exe

C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany

C:\Documents and Settings\All Users\Dados de aplicativos\jkxkbany\juxmhurw.exe

.

((((((((((((((((((((((( Ficheiros criados de 2008-09-11 to 2008-10-11 ))))))))))))))))))))))))))))))))

.

2008-10-08 21:26 . 2008-10-08 21:26 73,728 --a------ C:\WINDOWS\system32\wpv3116.cpx.bak

2008-10-08 21:26 . 2008-10-08 21:26 72,192 --a------ C:\WINDOWS\system32\wpv592.cpx

2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

2008-10-07 22:05 . 2008-10-08 21:07 <DIR> d-------- C:\HJT

2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-10 23:25 --------- d-----w C:\Arquivos de programas\Winamp Remote

2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

2008-08-12 02:47 --------- d-----w C:\Documents and Settings\Particular\Dados de aplicativos\Hamachi

2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

"Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

"VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

"nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

-ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

"D:\\OnGame\\GunBoundWC\\GunBound.gme"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-10-08 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

- C:\Documents and Settings\Particular\Configura []

2008-10-11 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

.

- - - - ORFAOS REMOVIDOS - - - -

HKCU-Run-DbSmartSh - C:\WINDOWS\system32\atovabon.exe

HKCU-Run-actmsgstr - C:\WINDOWS\system32\cbotadud.exe

HKCU-Run-AdmActCom - C:\WINDOWS\system32\gnkfmlud.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-11 00:07:27

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-10-11 0:07:56

ComboFix-quarantined-files.txt 2008-10-11 03:07:52

ComboFix2.txt 2008-10-09 23:43:39

ComboFix3.txt 2008-10-09 00:03:48

Pré-execução: 13 pasta(s) 32.238.862.336 bytes disponíveis

Pós execução: 14 pasta(s) 32,238,624,768 bytes disponíveis

137


Dear Maklack

Once again, my friend,

# Step 1 #

Visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

  • In the "Link to topic where this file was requested:" box, copy and paste the link to this topic:
http://forum.clubedohardware.com.br/log-hijackthis-smitfraud/587369

  • In the "Browse to the file you want to submit:" box, enter:
    • C:\WINDOWS\system32\wpv3116.cpx.bak
  • Click the Browse... button
  • In the "Leave any comments, further information about this file, or contact information:" box, enter:
    • diego_moicano - Forum Clube do Hardware
  • Click the Send File button
  • Repeat the procedure and also submit this file: C:\WINDOWS\system32\wpv592.cpx

Thank you

# Step 2 #

Temporarily, and for as long as you are carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after carrying out the procedure(s) mentioned below.

Open Notepad, copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:

File:: 
C:\WINDOWS\system32\wpv3116.cpx.bak
C:\WINDOWS\system32\wpv592.cpx

Save this file as: CFScript.txt

[image: CFScript.txt being dragged onto ComboFix.exe]

As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe. When the tool finishes running it will generate a log. Post that file, C:\ComboFix.txt.

Step no. 3 #

Make a new HijackThis log and post it together with the ComboFix log.

Cheers :D


ComboFix 08-10-08.02 - Particular 2008-10-15 9:33:25.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1644 [GMT -3:00]

Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\CFScript.txt

* Criado um novo ponto de restauro

FILE ::

C:\WINDOWS\system32\wpv3116.cpx.bak

C:\WINDOWS\system32\wpv592.cpx

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\wpv3116.cpx.bak

C:\WINDOWS\system32\wpv592.cpx

.

((((((((((((((((((((((( Ficheiros criados de 2008-09-15 to 2008-10-15 ))))))))))))))))))))))))))))))))

.

2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

2008-10-07 22:05 . 2008-10-08 21:07 <DIR> d-------- C:\HJT

2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-15 12:15 --------- d-----w C:\Arquivos de programas\Winamp Remote

2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

"DbSmartSh"="C:\WINDOWS\system32\atovabon.exe" [bU]

"actmsgstr"="C:\WINDOWS\system32\cbotadud.exe" [bU]

"AdmActCom"="C:\WINDOWS\system32\gnkfmlud.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

"Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

"VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

"nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

-ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

"D:\\OnGame\\GunBoundWC\\GunBound.gme"=

"C:\\Documents and Settings\\Particular\\Meus documentos\\DreMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-10-14 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

- C:\Documents and Settings\Particular\Configura []

2008-10-15 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-15 09:34:25

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-10-15 9:34:53

ComboFix-quarantined-files.txt 2008-10-15 12:34:50

ComboFix2.txt 2008-10-11 03:07:57

ComboFix3.txt 2008-10-09 23:43:39

ComboFix4.txt 2008-10-09 00:03:48

Pré-execução: 13 pasta(s) 32.385.363.968 bytes disponíveis

Pós execução: 15 pasta(s) 32,439,808,000 bytes disponíveis

133

------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 09:37:01, on 15/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe

C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Dear Maklack

Continuing...

# Step no. 1 #

Temporarily, while carrying out these instructions, it is very important that you keep your protection programs (Antivirus, Antispyware and Firewall) disabled. Re-enable the protections after carrying out the procedure(s) mentioned below.

Open Notepad, copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:

Files:
C:\WINDOWS\system32\atovabon.exe
C:\WINDOWS\system32\cbotadud.exe
C:\WINDOWS\system32\gnkfmlud.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DbSmartSh"=-
"actmsgstr"=-
"AdmActCom"=-

Save this file as: CFScript.txt

[image: CFScript.txt being dragged onto ComboFix.exe]

As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe. When the tool finishes running it will generate a log. Post that file, C:\ComboFix.txt.

# Step no. 2 #

Download Gmer and save it to your Desktop.

  • Extract/unzip the file into its own folder.
  • Once that is done, disconnect the PC from the Internet and close all programs.
    There is a very small chance that this application will shut down your PC. So save any work you have open.
  • Double-click Gmer.exe.
  • Allow the gmer.sys driver to run, if you are asked.
  • If you receive the warning about rootkit activity and whether to run a scan... click NO.
  • Click "Settings" and check the first 5 (five):
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be asked to restart the PC. Restart.

Run Gmer again and click Rootkit.

  • On the right side (under file), uncheck all drives except your disk (usually C).
  • Make sure all the other boxes on the right side of the screen are checked, EXCEPT "Show All".
  • Click "Scan" and wait for the scan to complete.
    Note: Before the scan, make sure all other programs are closed. Also, do not use the computer during the scan.
  • When it finishes, click the Copy button, then right-click your Desktop, choose "New" and then -> Text Document. Once the file has been created, open it, right-click again and Paste or Ctrl+V. Save the file as gmer.txt and post its contents in your next reply.
  • Note: If you have problems, try running GMER in Safe Mode

Important! Please do not check the "Show all" box during the scan.

Cheers :D

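The helper's scripts above target three HKCU Run entries whose executables carry random-looking eight-letter names in system32, and the CFScript they use has a fixed shape: a `File::` list of paths to remove, then a `Registry::` block where `"name"=-` deletes a value. The Python program below is an added example, not code from this forum or from the HijackThis, ComboFix or GMER tools: it parses `O4` lines in the form HijackThis v1.99 prints, flags entries with two simple heuristics, and emits a CFScript of that shape for the hits. The sample log lines are constructed from the line shapes seen in this thread, and the two heuristics (an eight-lowercase-letter `.exe` directly under system32, and a core Windows binary name such as services.exe being launched from a Run key) are assumptions chosen for illustration; every hit still needs manual verification, as the helpers in this thread do by submitting samples for analysis before removing anything.

```python
"""Flag suspicious autorun (O4) entries in a HijackThis log and build a
ComboFix CFScript for the flagged ones.

Added example; not the forum's or any tool's own code.  The heuristics
are assumptions for illustration, not a verdict: confirm each hit
(file submission, vendor signature, hash lookup) before acting on it.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample log: O4 lines in the shape HijackThis v1.99 prints.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe
O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
"""

# "O4 - HKCU\..\Run: [Name] command line"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
# Heuristic 1: eight lowercase letters + .exe directly under system32.
RANDOM_SYSTEM32_RE = re.compile(r'^c:\\windows\\system32\\[a-z]{8}\.exe$')
# Heuristic 2: names of core Windows binaries, which are started by the
# boot chain and never belong in a Run key, whatever directory they are in.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class RunEntry:
    hive: str      # "HKLM" or "HKCU"
    key: str       # "Run" or "RunOnce"
    name: str      # value name shown in [brackets]
    command: str   # raw command line as logged
    path: str      # first executable token, quotes stripped


@dataclass
class Finding:
    entry: RunEntry
    reason: str


def executable_path(command: str) -> str:
    """Return the program token of a Run command (quoted paths may contain spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def parse_o4(log_text: str) -> list:
    """Extract every O4 Run/RunOnce line from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m['hive'], m['key'], m['name'],
                                    m['cmd'], executable_path(m['cmd'])))
    return entries


def flag_suspicious(entries: list) -> list:
    """Apply the two heuristics; order of findings follows the log."""
    findings = []
    for e in entries:
        low = e.path.lower()
        base = low.rsplit('\\', 1)[-1]
        if RANDOM_SYSTEM32_RE.match(low):
            findings.append(Finding(e, "random-looking 8-letter name in system32"))
        elif base in CORE_BINARIES:
            findings.append(Finding(e, "core system binary name launched from a Run key"))
    return findings


def build_cfscript(findings: list) -> str:
    """Render a CFScript: File:: paths, then Registry:: value deletions per key."""
    files = [f.entry.path for f in findings]
    by_key = OrderedDict()
    for f in findings:
        key = f"[{HIVES[f.entry.hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{f.entry.key}]"
        by_key.setdefault(key, []).append(f.entry.name)
    lines = ["File::", *files, "", "Registry::"]
    for key, names in by_key.items():
        lines.append(key)
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(parse_o4(SAMPLE_LOG))
    for h in hits:
        print(f"{h.entry.hive}\\{h.entry.key} [{h.entry.name}] {h.entry.path}: {h.reason}")
    print(build_cfscript(hits))
```

Run it on a real log by replacing `SAMPLE_LOG` with the file contents; the flagged list is a triage aid, and the generated script is only a draft of the removal step the helper would write once the samples come back confirmed.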

ComboFix 08-10-08.02 - Particular 2008-10-15 22:59:17.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1627 [GMT -3:00]

Executando de: C:\Documents and Settings\Particular\Desktop\ComboFix.exe

Comandos utilizados :: C:\Documents and Settings\Particular\Desktop\CFScript.txt

* Criado um novo ponto de restauro

.

((((((((((((((((((((((( Ficheiros criados de 2008-09-16 to 2008-10-16 ))))))))))))))))))))))))))))))))

.

2008-10-07 22:19 . 2008-10-07 22:19 <DIR> d-------- C:\WINDOWS\ERUNT

2008-10-07 22:11 . 2008-10-07 22:34 <DIR> d-------- C:\SDFix

2008-10-07 22:05 . 2008-10-15 09:36 <DIR> d-------- C:\HJT

2008-10-07 01:28 . 2008-10-07 01:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-10-07 01:25 . 2008-10-07 01:35 <DIR> d-------- C:\Documents and Settings\Particular\.housecall6.6

2008-10-06 23:25 . 2008-10-06 23:26 <DIR> d-------- C:\ElistarA

2008-10-06 23:18 . 2008-10-06 23:18 <DIR> d-------- C:\clean

2008-10-06 23:11 . 2008-10-06 23:11 226,258 --a------ C:\clean.zip

2008-10-06 03:47 . 2008-09-20 12:52 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix

2008-10-06 03:41 . 2008-10-06 03:41 <DIR> d-------- C:\WINDOWS\Content.IE5

2008-10-05 13:55 . 2008-10-06 01:32 2,994 --a------ C:\WINDOWS\wininit.ini

2008-10-04 17:44 . 2008-10-05 14:10 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-10-03 12:10 . 2008-10-04 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-09-30 19:14 . 2008-09-30 19:17 <DIR> d-------- C:\Documents and Settings\Particular\Dados de aplicativos\Tibia

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-15 12:15 --------- d-----w C:\Arquivos de programas\Winamp Remote

2008-10-01 18:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe

2008-09-19 15:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe

2008-09-16 00:52 --------- d-----w C:\Arquivos de programas\Java

2008-09-09 02:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe

2008-09-03 01:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2008-09-03 01:20 --------- d-----w C:\Arquivos de programas\NeXus RV10 & MKV Filtres

2008-08-18 15:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe

2008-08-06 01:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif

2008-08-06 01:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Orb"="C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 286720]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]

"Emurayden PSX Emulator"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2005-03-12 98352]

"VTTrayp"="VTtrayp.exe" [2006-08-30 C:\WINDOWS\system32\VTTrayp.exe]

"VTTimer"="VTTimer.exe" [2006-08-03 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

"nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= C:\ARQUIV~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-03 00:13 133104 C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]

-ra------ 2006-11-22 00:50 704512 C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 00:56 1667584 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-10-10 02:28 36352 C:\Documents and Settings\Particular\Meus documentos\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"D:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=

"C:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"C:\\Documents and Settings\\Particular\\Meus documentos\\Zsnes\\zsnesw.exe"=

"D:\\OnGame\\GunBoundWC\\GunBound.gme"=

"C:\\Documents and Settings\\Particular\\Meus documentos\\DreMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

S2 GF0012;TF Filter Driver B;C:\WINDOWS\system32\DRIVERS\GF0012.sys [2007-12-12 11520]

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-10-15 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job

- C:\Documents and Settings\Particular\Configura []

2008-10-16 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-15 23:00:07

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-10-15 23:00:39

ComboFix-quarantined-files.txt 2008-10-16 02:00:37

ComboFix2.txt 2008-10-15 12:34:54

ComboFix3.txt 2008-10-11 03:07:57

ComboFix4.txt 2008-10-09 23:43:39

ComboFix5.txt 2008-10-16 01:59:01

Pré-execução: 13 pasta(s) 32.417.275.904 bytes disponíveis

Pós execução: 14 pasta(s) 32,407,425,024 bytes disponíveis

123


GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-10-15 23:15:32

Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.14 ----

.text C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe[404] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 00413A70 C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)

.text C:\Arquivos de programas\Winamp Remote\bin\Orb.exe[768] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 00402CA0 C:\Arquivos de programas\Winamp Remote\bin\Orb.exe (Orb Application/Orb Networks, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----


Logfile of HijackThis v1.99.1

Scan saved at 19:14:41, on 23/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\vsnpstd.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe

C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Winamp Remote\bin\Orb.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Emurayden PSX Emulator] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

O4 - HKLM\..\RunOnce: [spybotDeletingA7489] command /c del "C:\WINDOWS\system32\netode.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC7481] cmd /c del "C:\WINDOWS\system32\netode.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2709] command /c del "C:\WINDOWS\system32\newsd32.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC7970] cmd /c del "C:\WINDOWS\system32\newsd32.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA8781] command /c del "C:\WINDOWS\system32\ps1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC3078] cmd /c del "C:\WINDOWS\system32\ps1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA5811] command /c del "C:\WINDOWS\system32\psof1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC9988] cmd /c del "C:\WINDOWS\system32\psof1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA3340] command /c del "C:\WINDOWS\system32\regc64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2174] cmd /c del "C:\WINDOWS\system32\regc64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4779] command /c del "C:\WINDOWS\system32\regm64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC9804] cmd /c del "C:\WINDOWS\system32\regm64.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1266] command /c del "C:\WINDOWS\system32\Rundl1.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA1014] command /c del "C:\WINDOWS\system32\ssvchost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC6096] cmd /c del "C:\WINDOWS\system32\ssvchost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA4042] command /c del "C:\WINDOWS\system32\sysreq.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC3902] cmd /c del "C:\WINDOWS\system32\sysreq.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA4896] command /c del "C:\WINDOWS\system32\taack.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingC2435] cmd /c del "C:\WINDOWS\system32\taack.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingA1943] command /c del "C:\WINDOWS\system32\taack.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC1612] cmd /c del "C:\WINDOWS\system32\taack.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2376] command /c del "C:\WINDOWS\system32\temp#01.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC4966] cmd /c del "C:\WINDOWS\system32\temp#01.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA5088] command /c del "C:\WINDOWS\system32\thun.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2483] cmd /c del "C:\WINDOWS\system32\thun.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA6576] command /c del "C:\WINDOWS\system32\thun32.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC4477] cmd /c del "C:\WINDOWS\system32\thun32.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4318] command /c del "C:\WINDOWS\system32\VBIEWER.OCX"

O4 - HKLM\..\RunOnce: [spybotDeletingC3866] cmd /c del "C:\WINDOWS\system32\VBIEWER.OCX"

O4 - HKLM\..\RunOnce: [spybotDeletingA3097] command /c del "C:\WINDOWS\system32\vbsys2.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC6934] cmd /c del "C:\WINDOWS\system32\vbsys2.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5771] command /c del "C:\WINDOWS\system32\vcatchpi.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC5801] cmd /c del "C:\WINDOWS\system32\vcatchpi.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4475] command /c del "C:\WINDOWS\system32\winlogonpc.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC9600] cmd /c del "C:\WINDOWS\system32\winlogonpc.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC4718] cmd /c del "C:\WINDOWS\system32\winsystem.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA2333] command /c del "C:\WINDOWS\system32\WINWGPX.EXE"

O4 - HKLM\..\RunOnce: [spybotDeletingA5784] command /c del "C:\WINDOWS\base64.tmp"

O4 - HKLM\..\RunOnce: [spybotDeletingA3803] command /c del "C:\WINDOWS\bdn.com"

O4 - HKLM\..\RunOnce: [spybotDeletingC3063] cmd /c del "C:\WINDOWS\bdn.com"

O4 - HKLM\..\RunOnce: [spybotDeletingA3330] command /c del "C:\WINDOWS\FVProtect.exe"

O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Particular\Meus documentos\Protect\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\PARTIC~1\MEUSDO~1\Protect\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Dear Maklack

Step 1 #

TeaTimer is an excellent protection tool against spyware, but sometimes it also prevents the changes made in HijackThis from taking effect.

Please temporarily disable TeaTimer until the cleanup of your PC is finished.

  • Open Spybot Search & Destroy.
  • In the menu, go to "Advanced mode" if it is not already selected.
  • Choose "Yes" when asked.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck "Resident "TeaTimer" (Protection of overall system settings) active.".
  • Click "Exit" to leave Spybot Search & Destroy.

Step 2 #

Run HijackThis, click Do a system scan only and check the entries from the list below that you find:

O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe

O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe

O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -

After checking these entries, close all other windows and click ht-fix.png

Step 3 #

Download the file and save it to the Desktop

http://downloads.subratam.org/ResetTeaTimer.bat

Double-click it!

Step 4 #

Make a new HijackThis log and post it here!

Cheers :D
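The triage the analyst does by eye above can be partly automated. The script below is an added example, not code from this thread, from HijackThis or from Spybot: it parses a handful of O4/O16 lines copied from the log above (embedded as a constructed sample so it runs offline) and flags the same kinds of entries the analyst asked to fix: a `services.exe` loaded from outside system32, HKCU Run entries that point at random-looking eight-letter executables in system32, and an O16 DPF entry with no source URL. It also records which files the `spybotDeleting` RunOnce entries are still trying to delete. The "eight lowercase letters" rule, the reason labels and the function names are the example's own assumptions, not HijackThis conventions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O16 lines quoted earlier in this
# thread, embedded here so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\RunOnce: [spybotDeletingA7489] command /c del "C:\WINDOWS\system32\netode.exe"
O4 - HKCU\..\Run: [Orb] "C:\Arquivos de programas\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DbSmartSh] C:\WINDOWS\system32\atovabon.exe
O4 - HKCU\..\Run: [actmsgstr] C:\WINDOWS\system32\cbotadud.exe
O4 - HKCU\..\Run: [AdmActCom] C:\WINDOWS\system32\gnkfmlud.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -
"""

# "O4 - HKLM\..\Run: [name] command" and "O16 - DPF: {CLSID} (Name) - url"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] (.*)$')
O16_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? -\s?(.*)$')
# Crude heuristic (this example's own): eight lowercase letters, like the
# atovabon/cbotadud/gnkfmlud entries the analyst flagged.
RANDOM_STEM = re.compile(r'^[a-z]{8}\.exe$')
SYSTEM32 = 'c:\\windows\\system32\\'


@dataclass
class Finding:
    reason: str   # label chosen by this example, not a HijackThis category
    detail: str   # the path or CLSID the finding is about
    line: str     # the original log line


def first_path(cmd):
    """Return the executable part of a Run value: a quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage(log_text):
    """Apply the analyst-style checks to every O4/O16 line and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = first_path(cmd)
            exe_low = exe.lower()
            stem = exe_low.rsplit('\\', 1)[-1]
            if key == 'RunOnce' and name.lower().startswith('spybotdeleting'):
                # Spybot left a deferred "del" for a file it could not remove yet.
                target = re.search(r'del "([^"]+)"', cmd)
                findings.append(Finding('spybot-pending-delete',
                                        target.group(1) if target else cmd, line))
            elif stem == 'services.exe' and not exe_low.startswith(SYSTEM32):
                # The real services.exe lives in system32; a copy elsewhere is suspect.
                findings.append(Finding('system-binary-name-outside-system32', exe, line))
            elif hive == 'HKCU' and exe_low.startswith(SYSTEM32) and RANDOM_STEM.match(stem):
                findings.append(Finding('random-name-in-system32', exe, line))
            continue
        m = O16_RE.match(line)
        if m and not m.group(3).strip():
            # A DPF (ActiveX download) entry with no source URL is an orphan worth removing.
            findings.append(Finding('dpf-without-source-url', m.group(1), line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason:40} {f.detail}')
```

Run it as-is to see the six findings for the sample; point `triage()` at the text of a full log to reproduce the analyst's shortlist, then compare it against the entries they actually chose, since the heuristics are deliberately narrow and a human still decides what gets fixed.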


According to the rules of this forum, inactive topics are archived, that is, closed and moved to an "archived topics" forum. If the topic author needs to, they may contact the moderation team to request that this topic be reopened.

About Clube do Hardware

Online since 1996, Clube do Hardware is one of the largest, oldest and most respected technology publications in Brazil.

Copyright

We do not allow copying or reproduction of the content of our site, forum, newsletters and social networks, even when the source is cited.
