wan.dll

Logs for analysis


My problem is the following:

My antivirus (and practically all of my other programs) stopped working. I tried reinstalling the antivirus; it didn't work. I tried installing other antiviruses and had no success either. Searching on good old Google I found out that I have serious problems, so I am asking the friends here on the forum for help.

DDS LOG

DDS (Ver_09-02-01.01) - NTFSx86

Run by Administrador at 17:05:44,01 on sex 27/02/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.223.24 [GMT -3:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Prevx\prevx.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

C:\Arquivos de programas\Prevx\prevx.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\xakit.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\ycrmob.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrador\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com.br/

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\arquivos de programas\siteadvisor\6253\SiteAdv.dll

BHO: ssh2 Class: {2e3c3651-b19c-4dd9-a979-901ec3e930af} - c:\arquivos de programas\scpad\scpsssh2.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\arquivos de programas\siber systems\ai roboform\roboform.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\arquivos de programas\google\googletoolbar3.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\arquivos de programas\google\googletoolbarnotifier\3.1.807.1746\swg.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\arquivos de programas\google\googletoolbar3.dll

TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\arquivos de programas\siteadvisor\6253\SiteAdv.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\arquivos de programas\siber systems\ai roboform\roboform.dll

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] c:\arquivos de programas\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [kamsoft] c:\windows\system32\kamsoft.exe

uRun: [cdoosoft] c:\windows\system32\olhrwef.exe

mRun: [avgnt] "c:\arquivos de programas\avira\antivir personaledition classic\avgnt.exe" /min

mRun: [QuickTime Task] "c:\arquivos de programas\k-lite codec pack\quicktime\qttask.exe" -atboottime

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [MsnMsgr] "c:\arquivos de programas\msn messenger\MsnMsgr.Exe" /background

dRun: [swg] c:\arquivos de programas\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\GetFlash.exe

mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: Barra de Ferramentas do RF - file://c:\arquivos de programas\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~1\office11\EXCEL.EXE/3000

IE: Personalizar Menu - file://c:\arquivos de programas\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Preencher - file://c:\arquivos de programas\siber systems\ai roboform\RoboFormComFillForms.html

IE: Salvar Formulários - file://c:\arquivos de programas\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\arquivos de programas\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\arquivos de programas\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\arquivos de programas\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~1\office11\REFIEBAR.DLL

Trusted Zone: google.com\www

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://wantwon.spaces.live.com//PhotoUpload/MsnPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\arquivos de programas\hp\hpcoretech\comp\hpuiprot.dll

Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\arquivos de programas\siteadvisor\6253\SiteAdv.dll

SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - c:\arquivos de programas\scpad\scpLIB.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: compIB Class: {a3717295-941d-416f-9384-ed1736729f1c} - c:\arquivos de programas\scpad\scpLIB.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\dadosd~1\mozilla\firefox\profiles\pbl4gy8w.default\

FF - component: c:\documents and settings\administrador\dados de aplicativos\mozilla\firefox\profiles\pbl4gy8w.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll

FF - component: c:\documents and settings\administrador\dados de aplicativos\mozilla\firefox\profiles\pbl4gy8w.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin2.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin3.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin4.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin5.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin6.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-20 28544]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-2-27 22536]

R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-2-27 3968]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-4-19 141312]

R2 CSIScanner;CSIScanner;c:\arquivos de programas\prevx\prevx.exe [2009-2-27 4150840]

R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\gmnhjn.sys --> c:\windows\system32\drivers\gmnhjn.sys [?]

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-9-19 77312]

S1 avgio;avgio;\??\c:\arquivos de programas\avira\antivir personaledition classic\avgio.sys --> c:\arquivos de programas\avira\antivir personaledition classic\avgio.sys [?]

S2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;"c:\arquivos de programas\avira\antivir personaledition classic\sched.exe" --> c:\arquivos de programas\avira\antivir personaledition classic\sched.exe [?]

S2 AntiVirService;AntiVir PersonalEdition Classic Guard;"c:\arquivos de programas\avira\antivir personaledition classic\avguard.exe" --> c:\arquivos de programas\avira\antivir personaledition classic\avguard.exe [?]

S3 avgntflt;avgntflt;\??\c:\arquivos de programas\avira\antivir personaledition classic\avgntflt.sys --> c:\arquivos de programas\avira\antivir personaledition classic\avgntflt.sys [?]

============== File Associations ===============

txtfile=Notepad.exe "%1"

=============== Created Last 30 ================

2009-02-27 15:56 3,968 a------- c:\windows\system32\drivers\AvgArCln.sys

2009-02-27 15:35 22,536 a------- c:\windows\system32\drivers\pxscan.sys

2009-02-27 15:35 <DIR> --d----- c:\arquivos de programas\Prevx

2009-02-27 15:35 67 a------- c:\windows\wininit.ini

2009-02-27 15:35 <DIR> --d----- c:\docume~1\alluse~1\dadosd~1\PrevxCSI

2009-02-27 15:26 107,008 ---shr-- C:\gi2ky.exe

2009-02-26 20:11 105,854 ---shr-- C:\i6g6x.cmd

2009-02-26 10:11 103,663 ---shr-- C:\wx8o0bt1.com

2009-02-25 09:38 104,250 ---shr-- C:\qxty9be.cmd

2009-02-21 10:07 107,796 ---shr-- C:\2fiy.bat

2009-02-20 19:16 28,544 a------- c:\windows\system32\drivers\pavboot.sys

2009-02-20 19:15 <DIR> --d----- c:\arquivos de programas\Panda Security

2009-02-20 19:10 563 ---shr-- C:\autorun.inf

2009-02-20 09:09 106,970 ---shr-- C:\w2.com

2009-02-19 17:12 94,720 ---shr-- c:\windows\system32\nmdfgds1.dll

2009-02-18 17:12 106,861 ---shr-- C:\cv22.cmd

2009-02-18 17:11 107,008 ---shr-- c:\windows\system32\olhrwef.exe

2009-02-18 17:11 94,720 ---shr-- c:\windows\system32\nmdfgds0.dll

2009-02-18 17:11 180,224 ---shr-- C:\abk.bat

2009-02-18 17:11 180,224 ---shr-- c:\windows\system32\kamsoft.exe

2009-02-18 17:11 85,504 ---shr-- c:\windows\system32\gasretyw0.dll

==================== Find3M ====================

2009-02-20 19:42 98,304 a------- c:\windows\DUMP4b51.tmp

2009-02-14 23:14 422,176 a------- c:\windows\system32\perfh016.dat

2009-02-14 23:14 65,992 a------- c:\windows\system32\perfc016.dat

2008-12-13 03:37 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll

2008-12-12 15:09 126,032 a------- C:\cc_20081212_160909.reg

2008-12-11 08:57 333,184 -------- c:\windows\system32\dllcache\srv.sys

2008-11-23 05:12 180,224 ---shr-- c:\windows\system32\kamsoft.exe

============= FINISH: 17:06:36,98 ===============

GMER LOG

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-02-27 17:35:56

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

INT 0x62 ? 81361BF8

INT 0x82 ? 81361BF8

INT 0x83 ? 8130CBF8

---- Kernel code sections - GMER 1.0.14 ----

? splo.sys O sistema não pode encontrar o arquivo especificado. !

.text USBPORT.SYS!DllUnload F923F62C 5 Bytes JMP 811A61D8

.text a1ebcqxh.SYS F8D3C384 1 Byte [ 20 ]

.text a1ebcqxh.SYS F8D3C386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]

.text a1ebcqxh.SYS F8D3C3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]

.text a1ebcqxh.SYS F8D3C3C4 3 Bytes [ 00, 00, 00 ]

.text a1ebcqxh.SYS F8D3C3C9 1 Byte [ 00 ]

.text ...

? C:\WINDOWS\system32\drivers\gmnhjn.sys O sistema não pode encontrar o arquivo especificado. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F9C77046] splo.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F9C77142] splo.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F9C770C4] splo.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F9C777CE] splo.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F9C776A4] splo.sys

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F9C82D7A] splo.sys

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!KfRaiseIrql] 1879CE14

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!KfLowerIrql] 3248ED2B

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!HalGetInterruptVector] 3C43E022

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!READ_PORT_USHORT] F017AD88

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC

IAT \SystemRoot\System32\Drivers\a1ebcqxh.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8135F1F8

Device \FileSystem\Fastfat \FatCdrom FF5B9500

Device \Driver\PCI_PNP8132 \Device\00000044 splo.sys

Device \Driver\usbuhci \Device\USBPDO-0 811A31F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{F6E7E0E8-8C05-4316-A573-597A61BC0053} FF6A1500

Device \Driver\usbuhci \Device\USBPDO-1 811A31F8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8130A1F8

Device \Driver\dmio \Device\DmControl\DmConfig 8130A1F8

Device \Driver\dmio \Device\DmControl\DmPnP 8130A1F8

Device \Driver\dmio \Device\DmControl\DmInfo 8130A1F8

Device \Driver\usbuhci \Device\USBPDO-2 811A31F8

Device \Driver\usbuhci \Device\USBPDO-3 811A31F8

Device \Driver\usbehci \Device\USBPDO-4 811891F8

Device \Driver\sptd \Device\1160386882 splo.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 813621F8

Device \Driver\Cdrom \Device\CdRom0 813601F8

Device \Driver\atapi \Device\Ide\IdePort0 813611F8

Device \Driver\atapi \Device\Ide\IdePort1 813611F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 813611F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 813611F8

Device \Driver\Cdrom \Device\CdRom1 813601F8

Device \Driver\Cdrom \Device\CdRom2 813601F8

Device \Driver\NetBT \Device\NetBt_Wins_Export FF6A1500

Device \Driver\NetBT \Device\NetbiosSmb FF6A1500

Device \Driver\usbuhci \Device\USBFDO-0 811A31F8

Device \Driver\usbuhci \Device\USBFDO-1 811A31F8

Device \Driver\usbuhci \Device\USBFDO-2 811A31F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver FF5CB1F8

Device \Driver\usbuhci \Device\USBFDO-3 811A31F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector FF5CB1F8

Device \Driver\Ftdisk \Device\FtControl 813621F8

Device \Driver\usbehci \Device\USBFDO-4 811891F8

Device \Driver\a1ebcqxh \Device\Scsi\a1ebcqxh1Port3Path0Target0Lun0 FF8ED1F8

Device \Driver\viamraid \Device\Scsi\viamraid1 813091F8

Device \Driver\a1ebcqxh \Device\Scsi\a1ebcqxh1 FF8ED1F8

Device \Driver\a1ebcqxh \Device\Scsi\a1ebcqxh1Port3Path0Target1Lun0 FF8ED1F8

Device \FileSystem\Fastfat \Fat FF5B9500

Device \FileSystem\Cdfs \Cdfs FF5B3500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Arquivos de programas\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0xE1 0xBF 0x59 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3C 0x30 0x3F 0x53 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF5 0x15 0xC4 0xCC ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x6A 0x72 0x54 0x45 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Arquivos de programas\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0xE1 0xBF 0x59 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3C 0x30 0x3F 0x53 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF5 0x15 0xC4 0xCC ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x6A 0x72 0x54 0x45 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Arquivos de programas\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0xE1 0xBF 0x59 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3C 0x30 0x3F 0x53 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF5 0x15 0xC4 0xCC ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x6A 0x72 0x54 0x45 ...

---- EOF - GMER 1.0.14 ----
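Reading the DDS log above by hand, the things an analyst looks for are the hidden/system/read-only files dropped in the root of C:\ next to an autorun.inf, executables started from the Temp folder, and a service entry whose driver file no longer exists. The script below is an added example, not part of the post or of the DDS tool; it applies those checks to lines copied from the posted DDS log (the category names and heuristics are my own).

```python
"""Triage of a DDS log for the indicators visible in the thread above.

Added example (not the forum's or DDS's own code). SAMPLE_LOG holds lines
copied from the DDS log posted in the thread so the script runs offline.
"""
import re

SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\xakit.exe
C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\ycrmob.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-20 28544]
R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\gmnhjn.sys --> c:\windows\system32\drivers\gmnhjn.sys [?]
=============== Created Last 30 ================
2009-02-27 15:35 22,536 a------- c:\windows\system32\drivers\pxscan.sys
2009-02-27 15:26 107,008 ---shr-- C:\gi2ky.exe
2009-02-26 20:11 105,854 ---shr-- C:\i6g6x.cmd
2009-02-20 19:10 563 ---shr-- C:\autorun.inf
2009-02-18 17:11 180,224 ---shr-- c:\windows\system32\kamsoft.exe
==================== Find3M ====================
2008-11-23 05:12 180,224 ---shr-- c:\windows\system32\kamsoft.exe
"""

# "====== Section name ======" headers that DDS uses to separate its report.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# File lines: date, time, size or <DIR>, 8-char attribute string, path.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$")
# A path directly in a drive root, e.g. C:\autorun.inf.
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)
# Service/driver lines: "R3 name;display;image-path [date size]" or "... --> path [?]".
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
EXEC_EXT = (".exe", ".com", ".cmd", ".bat", ".scr", ".pif")


def triage(text):
    """Return a de-duplicated list of (category, item) findings for a DDS log."""
    findings = []
    section = None

    def add(category, item):
        if (category, item) not in findings:
            findings.append((category, item))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "Running Processes":
            # Legitimate software does not normally run out of a Temp folder.
            if "\\temp\\" in line.lower():
                add("process-from-temp", line)
        elif section == "SERVICES / DRIVERS":
            svc = SERVICE_RE.match(line)
            # DDS marks an image path it could not find with "--> path [?]".
            if svc and "-->" in svc.group("rest") and svc.group("rest").endswith("[?]"):
                add("driver-file-missing", svc.group("name"))
        elif section in ("Created Last 30", "Find3M"):
            entry = FILE_RE.match(line)
            if not entry:
                continue
            attrs, path = entry.group(4), entry.group(5)
            # Only files carrying both the system (s) and hidden (h) attribute.
            if "s" not in attrs or "h" not in attrs:
                continue
            low = path.lower()
            in_root = bool(ROOT_RE.match(path))
            if in_root and low.endswith("autorun.inf"):
                add("hidden-autorun-inf", path)
            elif in_root and low.endswith(EXEC_EXT):
                add("hidden-root-executable", path)
            elif low.endswith(EXEC_EXT):
                add("hidden-system-executable", path)
    return findings


if __name__ == "__main__":
    for category, item in triage(SAMPLE_LOG):
        print(f"{category:26} {item}")
```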


Read the instructions in this link:

In the instructions in the link above you can check which forums have Analysts who are properly qualified to use the tool correctly: "Forums for getting help with ComboFix logs"

  1. Download ComboFix from one of the official links listed below and save it to your desktop:

  2. Temporarily, and while carrying out these instructions, it is very important that you keep your protection programs (Antivirus, Antispyware and Firewall) disabled. Re-enable the protections after carrying out the procedure(s) mentioned below.
  3. Double-click the icon (desktopicon.png) that is on the desktop.
  4. Read and accept the conditions by typing 1 and Enter.
  5. Computers with Windows XP must install the Recovery Console:

  • If your computer has Windows XP installed and does not yet have the Recovery Console installed, please make sure you are connected to the Internet and click "Yes".
  • Click "OK" at the EULA.
  • Once the Recovery Console is installed, click "YES" to continue.

  6. ComboFix will run; please be patient and wait.
  7. Attention: Do not use the mouse or the keyboard while the tool is running, as this may cause the computer to hang.
  8. A notice that the computer needs to be restarted may appear.

  DO NOT RESTART!!! ComboFix will restart the computer automatically.

  9. When the tool finishes running, it will generate a log (the file C:\ComboFix.txt). Copy and paste the contents of that file in your next reply.

Do NOT use the tool on your own. It is a powerful tool created to deal with sophisticated infections and, if you do not use it correctly, it can damage your computer.

  • There are several malware that prevent the tool from running correctly and can thereby seriously damage the computer. Analysts qualified to use ComboFix know these cases and know how to handle these situations.
  • Many Analysts do not reply to topics in which they see that ComboFix was used without supervision.
  • There are various general-purpose anti-malware tools whose authors, when programming them, had end users in mind and intended them to be used without supervision. ComboFix is not a tool of that kind, so, also out of respect for the tool's author, do not use it without supervision.


First of all I would like to thank my friend Renato Mejias for the attention.

Below is the ComboFix report, as requested:

ComboFix 09-02-28.01 - Administrador 2009-02-28 18:21:25.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.223.68 [GMT -3:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

* Criado um novo ponto de restauro

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\2fiy.bat

C:\abk.bat

C:\Autorun.inf

C:\cv22.cmd

C:\i6g6x.cmd

C:\InfoSat.txt

C:\Muestras

c:\muestras\Desktop.ini

c:\muestras\SCPLIB.DLL

C:\qxty9be.cmd

c:\windows\IE4 Error Log.txt

c:\windows\system32\gasretyw0.dll

c:\windows\system32\kamsoft.exe

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\olhrwef.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3360PR

-------\Service_asc3360pr

(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-28 to 2009-02-28 ))))))))))))))))))))))))))))

.

2009-02-27 17:17 . 2009-02-27 17:26 250 --a------ c:\windows\gmer.ini

2009-02-27 15:56 . 2007-01-18 09:00 3,968 --a------ c:\windows\system32\drivers\AvgArCln.sys

2009-02-27 15:35 . 2009-02-27 15:37 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\PrevxCSI

2009-02-27 15:35 . 2009-02-27 15:35 <DIR> d-------- c:\arquivos de programas\Prevx

2009-02-27 15:35 . 2009-02-27 15:35 22,536 --a------ c:\windows\system32\drivers\pxscan.sys

2009-02-27 15:35 . 2009-02-27 15:35 67 --a------ c:\windows\wininit.ini

2009-02-27 15:26 . 2009-02-28 10:52 108,843 -r-hs---- C:\gi2ky.exe

2009-02-26 10:11 . 2009-02-26 10:10 103,663 -r-hs---- C:\wx8o0bt1.com

2009-02-20 19:16 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2009-02-20 19:15 . 2009-02-20 19:15 <DIR> d-------- c:\arquivos de programas\Panda Security

2009-02-20 09:09 . 2009-02-20 09:09 106,970 -r-hs---- C:\w2.com

2009-02-03 20:04 . 2009-02-03 20:10 1,355 --a------ c:\windows\imsins.BAK

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-27 18:34 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\PrevxCSI

2009-02-20 22:42 98,304 ----a-w c:\windows\DUMP4b51.tmp

2009-02-14 15:40 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2009-02-05 12:14 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Orbit

2009-02-01 00:10 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator

2009-02-01 00:10 --------- d-----w c:\arquivos de programas\Spyware Terminator

2009-01-31 23:59 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Spyware Terminator

2009-01-31 23:19 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\uTorrent

2009-01-24 00:12 --------- d-----w c:\arquivos de programas\MSN Messenger

2009-01-23 13:54 --------- d-----w c:\arquivos de programas\DAEMON Tools Lite

2008-12-12 18:09 126,032 ----a-w C:\cc_20081212_160909.reg

.

------- Sigcheck -------

2005-09-19 16:45 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\system32\spoolsv.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 146680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 491520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5858672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i263_32.drv

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]

path=c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Check for Updates.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Check for Updates.lnk

backup=c:\windows\pss\Check for Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Discador Oi Internet.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Discador Oi Internet.lnk

backup=c:\windows\pss\Discador Oi Internet.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Install Guide.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Install Guide.lnk

backup=c:\windows\pss\Install Guide.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Manual.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Manual.lnk

backup=c:\windows\pss\Manual.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Readme.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Readme.lnk

backup=c:\windows\pss\Readme.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^RollerCoaster Tycoon® 3.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\RollerCoaster Tycoon® 3.lnk

backup=c:\windows\pss\RollerCoaster Tycoon® 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Uninstall RollerCoaster Tycoon® 3.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Uninstall RollerCoaster Tycoon® 3.lnk

backup=c:\windows\pss\Uninstall RollerCoaster Tycoon® 3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

--a------ 2004-03-21 13:20 268800 c:\arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:45 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

--a------ 2007-01-01 19:54 3817472 c:\arquivos de programas\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 311296 c:\arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2004-02-18 14:55 126976 c:\arquivos de programas\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

--a------ 2004-03-04 12:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

--a------ 2007-01-19 11:54 5858672 c:\arquivos de programas\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 10:50 491520 c:\arquivos de programas\K-Lite Codec Pack\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]

--a------ 2007-03-30 12:42 36904 c:\arquivos de programas\SiteAdvisor\6172\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

--a------ 2008-08-18 09:55 1783808 c:\arquivos de programas\Spyware Terminator\SpywareTerminatorShield.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 222608 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-28 18:43 146680 c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

-ra------ 2004-01-29 21:33 180224 c:\windows\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2005-06-20 10:42 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2004-07-12 22:57 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

-ra------ 2004-06-21 15:57 143360 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"W32Time"=2 (0x2)

"gusvc"=3 (0x3)

"SandraTheSrv"=3 (0x3)

"SandraDataSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Arquivos de programas\\K-Lite Codec Pack\\QuickTime\\qttask.exe"=

"c:\\Arquivos de programas\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\usnsvc.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\system32\\userinit.exe"=

"c:\\WINDOWS\\NIRCMD.exe"=

"c:\\Arquivos de programas\\Prevx\\prevx.exe"=

"c:\\WINDOWS\\TEMP\\pmsqn.exe"=

"c:\\WINDOWS\\TEMP\\cqkcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-20 28544]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-27 22536]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-04-19 141312]

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-09-19 77312]

--- ---

*NewlyCreated* - ASC3360PR

*Deregistered* - AudioSrv

*Deregistered* - BITS

*Deregistered* - Browser

*Deregistered* - CryptSvc

*Deregistered* - CSIScanner

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - dmserver

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - helpsvc

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LmHosts

*Deregistered* - MDM

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - PolicyAgent

*Deregistered* - ProtectedStorage

*Deregistered* - RasMan

*Deregistered* - RemoteRegistry

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - sp_rssrv

*Deregistered* - Spooler

*Deregistered* - srservice

*Deregistered* - SSDPSRV

*Deregistered* - TapiSrv

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - wuauserv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a52874e-bdc2-11dd-8504-00142adfb199}]

\sHElL\autopLay\cOMmaND - G:\phjko.exe

\sHElL\AutoRun\command - G:\phjko.exe

\sHElL\ExpLoRe\COmmANd - G:\phjko.exe

\sHElL\open\commAnd - G:\phjko.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1388646-e954-11dd-8575-00142adfb199}]

\sheLl\autoplAy\coMMANd - G:\olmy.pif

\sheLl\AutoRun\command - G:\olmy.pif

\sheLl\explORE\coMMaNd - G:\olmy.pif

\sheLl\opEn\COmmANd - G:\olmy.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1a46018-46e4-11dd-838b-00142adfb199}]

\Shell\AutoRun\command - ranvrgn.exe

\Shell\explore\Command - ranvrgn.exe

\Shell\open\Command - ranvrgn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2be20d6-46b5-11dd-838a-00142adfb199}]

\Shell\AutoRun\command - G:\ranvrgn.exe

\Shell\explore\Command - G:\ranvrgn.exe

\Shell\open\Command - G:\ranvrgn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9f5e844-8022-11dd-8439-00142adfb199}]

\Shell\AutoRun\command - G:\abk.bat

\Shell\explore\Command - G:\abk.bat

\Shell\open\Command - G:\abk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7f11368-c713-11dd-8520-00142adfb199}]

\Shell\auto\command - cmd /c @start k.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cmd /c @start k.exe

.

- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe

HKLM-Run-avgnt - c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

HKU-Default-Run-swg - c:\arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\GetFlash.exe

MSConfigStartUp-AVG7_CC - c:\arquiv~1\Grisoft\AVG7\avgcc.exe

MSConfigStartUp-DAEMON Tools Lite - c:\arquivos de programas\DAEMON Tools Lite\daemon.exe

MSConfigStartUp-Glass2k - c:\documents and settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\O5U3WTE3\Glass2k[1].exe

MSConfigStartUp-SymantecFilterCheck - c:\windows\system32\gmilogof.exe

MSConfigStartUp-WinRegork - c:\windows\system32\Walcult.exe

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Barra de Ferramentas do RF - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Personalizar Menu - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Preencher - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Salvar Formulários - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: google.com\www

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-28 18:25:31

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Prevx\prevx.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\arquivos de programas\Spyware Terminator\sp_rsser.exe

c:\arquivos de programas\Prevx\prevx.exe

c:\windows\system32\notepad.exe

c:\windows\system32\wscntfy.exe

c:\windows\temp\pmsqn.exe

c:\windows\temp\cqkcc.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-02-28 18:39:41 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-02-28 21:39:30

Pré-execução: 19 pasta(s) 36.885.520.384 bytes disponíveis

Pós execução: 18 pasta(s) 37,098,569,728 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

329 --- E O F --- 2009-02-03 23:14:29


Connect your removable media to the computer.

Temporarily, and for as long as you are carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable them once the procedure(s) described below have been completed.

Open Notepad, then copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:


File::
C:\gi2ky.exe
C:\wx8o0bt1.com
C:\w2.com
G:\phjko.exe
G:\olmy.pif
G:\ranvrgn.exe
G:\abk.bat
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\TEMP\\pmsqn.exe"=-
"c:\\WINDOWS\\TEMP\\cqkcc.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a52874e-bdc2-11dd-8504-00142adfb199}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1388646-e954-11dd-8575-00142adfb199}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1a46018-46e4-11dd-838b-00142adfb199}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2be20d6-46b5-11dd-838a-00142adfb199}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9f5e844-8022-11dd-8439-00142adfb199}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7f11368-c713-11dd-8520-00142adfb199}]

  • Save this file as: CFScript.txt
    [image: CFScriptB-4.gif]
  • As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe
  • When the tool finishes running it will generate a log. Post that file, C:\ComboFix.txt.
  • Also produce a new DDS log and include it in your reply.
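The CFScript above was written by hand from two parts of the ComboFix log: the mountpoints2 keys carrying shell\*\command autorun handlers (how an autorun.inf infection is re-launched when the drive is opened) and the firewall exceptions granted to executables under a TEMP folder. As an added example that is not from the thread and is not the helper's tool, the Python below applies the same reasoning mechanically: it parses those sections of a constructed log excerpt (built from entries seen earlier in this thread) and emits the matching File:: and Registry:: lines in ComboFix syntax ([-key] deletes a key, "value"=- deletes a value).

```python
import re

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\TEMP\\pmsqn.exe"=

"c:\\WINDOWS\\TEMP\\cqkcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a52874e-bdc2-11dd-8504-00142adfb199}]

\sHElL\autopLay\cOMmaND - G:\phjko.exe

\sHElL\AutoRun\command - G:\phjko.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7f11368-c713-11dd-8520-00142adfb199}]

\Shell\auto\command - cmd /c @start k.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cmd /c @start k.exe
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")
# "\Shell\AutoRun\command - <target>"; ComboFix prints the subkey path in mixed case.
SHELL_CMD_RE = re.compile(r"^\\shell\\[^\\]+\\command\s+-\s+(.+)$", re.IGNORECASE)
# "c:\\path\\app.exe"=   (an empty value under AuthorizedApplications\List is a firewall exception)
FW_VALUE_RE = re.compile(r'^"(.+)"=\s*$')
MOUNTPOINTS2 = "\\currentversion\\explorer\\mountpoints2\\"


def parse_sections(log_text):
    """Group a ComboFix log into (header, [non-blank body lines]) pairs, in order."""
    sections, header, body = [], None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                sections.append((header, body))
            header, body = m.group(1), []
        elif header is not None:
            body.append(line)
    if header is not None:
        sections.append((header, body))
    return sections


def find_autorun_keys(sections):
    """mountpoints2 keys that carry shell\\*\\command handlers -> list of launch targets."""
    hits = {}
    for header, body in sections:
        if MOUNTPOINTS2 not in header.lower():
            continue
        targets = [m.group(1) for m in map(SHELL_CMD_RE.match, body) if m]
        if targets:
            hits[header] = targets
    return hits


def find_temp_firewall_exceptions(sections):
    """AuthorizedApplications entries whose program lives under a TEMP folder -> {header: [values]}."""
    result = {}
    for header, body in sections:
        if not header.lower().endswith("\\authorizedapplications\\list"):
            continue
        for line in body:
            m = FW_VALUE_RE.match(line)
            if not m:
                continue
            # The log escapes backslashes; unescape only for the check, keep the original for output.
            if "\\temp\\" in m.group(1).replace("\\\\", "\\").lower():
                result.setdefault(header, []).append(m.group(1))
    return result


def build_cfscript(log_text):
    """Emit File:: and Registry:: sections for the autorun keys and TEMP firewall exceptions."""
    sections = parse_sections(log_text)
    autorun = find_autorun_keys(sections)
    fw = find_temp_firewall_exceptions(sections)

    files = []
    for targets in autorun.values():
        for t in targets:
            # Only plain drive-letter targets go under File::; launchers such as
            # "cmd /c @start k.exe" carry no absolute path and need a manual look.
            if re.match(r"^[a-z]:\\\S+$", t, re.IGNORECASE) and t not in files:
                files.append(t)

    out = []
    if files:
        out.append("File::")
        out.extend(files)
    out.append("Registry::")
    for header, values in fw.items():
        out.append(f"[{header}]")
        out.extend(f'"{v}"=-' for v in values)
    out.extend(f"[-{header}]" for header in autorun)
    return "\n".join(out)


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

The script is a triage aid only: every key it proposes should still be read against the log before being fed to ComboFix, exactly as the helper did above.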


Once again, thank you for your attention!!

The reports follow below, as requested:

ComboFix log

ComboFix 09-02-28.01 - Administrador 2009-03-01 10:01:59.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.223.82 [GMT -3:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

* Criado um novo ponto de restauro

FILE ::

C:\gi2ky.exe

C:\w2.com

C:\wx8o0bt1.com

G:\abk.bat

G:\olmy.pif

G:\phjko.exe

G:\ranvrgn.exe

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\gi2ky.exe

C:\w2.com

C:\wx8o0bt1.com

E:\autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3360PR

-------\Service_asc3360pr

(((((((((((((((( Arquivos/Ficheiros criados de 2009-02-01 to 2009-03-01 ))))))))))))))))))))))))))))

.

2009-02-27 17:17 . 2009-02-27 17:26 250 --a------ c:\windows\gmer.ini

2009-02-27 15:35 . 2009-02-27 15:37 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\PrevxCSI

2009-02-27 15:35 . 2009-02-27 15:35 <DIR> d-------- c:\arquivos de programas\Prevx

2009-02-27 15:35 . 2009-02-27 15:35 22,536 --a------ c:\windows\system32\drivers\pxscan.sys

2009-02-27 15:35 . 2009-02-27 15:35 67 --a------ c:\windows\wininit.ini

2009-02-20 19:15 . 2009-02-28 19:22 <DIR> d-------- c:\arquivos de programas\Panda Security

2009-02-03 20:04 . 2009-02-03 20:13 1,355 --a------ c:\windows\imsins.BAK

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-28 23:00 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator

2009-02-28 23:00 --------- d-----w c:\arquivos de programas\Spyware Terminator

2009-02-28 22:47 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Spyware Terminator

2009-02-27 18:34 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\PrevxCSI

2009-02-20 22:42 98,304 ----a-w c:\windows\DUMP4b51.tmp

2009-02-14 15:40 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2009-02-05 12:14 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Orbit

2009-01-31 23:19 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\uTorrent

2009-01-24 00:12 --------- d-----w c:\arquivos de programas\MSN Messenger

2008-12-12 18:09 126,032 ----a-w C:\cc_20081212_160909.reg

.

------- Sigcheck -------

2005-09-19 16:45 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\system32\spoolsv.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-02-28_18.30.57.12 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-03 23:14:21 593,920 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2009-03-01 12:08:37 593,920 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2009-02-03 23:14:21 12,288 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-03-01 12:08:37 12,288 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2009-02-03 23:14:21 86,016 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2009-03-01 12:08:37 86,016 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\inficon.exe

- 2009-02-03 23:14:20 135,168 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-03-01 12:08:37 135,168 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-02-03 23:14:21 11,264 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2009-03-01 12:08:37 11,264 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2009-02-03 23:14:21 27,136 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2009-03-01 12:08:37 27,136 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2009-02-03 23:14:21 4,096 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-03-01 12:08:37 4,096 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2009-02-03 23:14:21 794,624 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2009-03-01 12:08:37 794,624 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2009-02-03 23:14:20 249,856 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2009-03-01 12:08:37 249,856 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2009-02-03 23:14:20 61,440 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2009-03-01 12:08:37 61,440 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2009-02-03 23:14:21 23,040 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2009-03-01 12:08:37 23,040 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2009-02-03 23:14:20 286,720 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2009-03-01 12:08:37 286,720 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2009-02-03 23:14:20 409,600 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-03-01 12:08:36 409,600 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2008-06-26 21:58:30 25,214 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1046-7B44-A71000000002}\SC_Reader.exe

+ 2009-02-28 22:24:18 25,214 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1046-7B44-A71000000002}\SC_Reader.exe

- 2000-08-31 11:00:00 107,520 ----a-w c:\windows\NIRCMD.exe

+ 2000-08-31 11:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

- 1998-09-04 21:58:16 67,072 ----a-w c:\windows\system32\Gksui16.exe

+ 1998-09-04 21:58:16 140,800 ----a-w c:\windows\system32\Gksui16.exe

- 2009-01-09 19:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe

+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe

- 2007-11-30 12:39:04 18,296 ------w c:\windows\system32\spmsg.dll

+ 2008-07-09 07:34:50 18,296 ------w c:\windows\system32\spmsg.dll

+ 2009-03-01 13:06:29 16,384 ----atw c:\windows\temp\Perflib_Perfdata_790.dat

.

-- Snapshot resetado para data atual --

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 146680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 491520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5858672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 107520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i263_32.drv

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]

path=c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Check for Updates.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Check for Updates.lnk

backup=c:\windows\pss\Check for Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Discador Oi Internet.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Discador Oi Internet.lnk

backup=c:\windows\pss\Discador Oi Internet.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Install Guide.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Install Guide.lnk

backup=c:\windows\pss\Install Guide.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Manual.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Manual.lnk

backup=c:\windows\pss\Manual.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Readme.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Readme.lnk

backup=c:\windows\pss\Readme.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^RollerCoaster Tycoon® 3.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\RollerCoaster Tycoon® 3.lnk

backup=c:\windows\pss\RollerCoaster Tycoon® 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Uninstall RollerCoaster Tycoon® 3.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Uninstall RollerCoaster Tycoon® 3.lnk

backup=c:\windows\pss\Uninstall RollerCoaster Tycoon® 3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

--a------ 2004-03-21 13:20 268800 c:\arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:45 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

--a------ 2007-01-01 19:54 3817472 c:\arquivos de programas\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 311296 c:\arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2004-02-18 14:55 126976 c:\arquivos de programas\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

--a------ 2004-03-04 12:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

--a------ 2007-01-19 11:54 5858672 c:\arquivos de programas\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 10:50 491520 c:\arquivos de programas\K-Lite Codec Pack\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]

--a------ 2007-03-30 12:42 36904 c:\arquivos de programas\SiteAdvisor\6172\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

--a------ 2008-08-18 09:55 1783808 c:\arquivos de programas\Spyware Terminator\SpywareTerminatorShield.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 222608 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-28 18:43 146680 c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

-ra------ 2004-01-29 21:33 180224 c:\windows\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2005-06-20 10:42 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2004-07-12 22:57 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

-ra------ 2004-06-21 15:57 143360 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"W32Time"=2 (0x2)

"gusvc"=3 (0x3)

"SandraTheSrv"=3 (0x3)

"SandraDataSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Arquivos de programas\\K-Lite Codec Pack\\QuickTime\\qttask.exe"=

"c:\\Arquivos de programas\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\usnsvc.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\system32\\userinit.exe"=

"c:\\WINDOWS\\NIRCMD.exe"=

"c:\\Arquivos de programas\\Prevx\\prevx.exe"=

"c:\\Arquivos de programas\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=

"c:\\WINDOWS\\system32\\wuauclt.exe"=

"c:\\WINDOWS\\system32\\CF974.exe"=

"c:\\WINDOWS\\TEMP\\meyv.exe"=

"c:\\WINDOWS\\TEMP\\cmfffj.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-27 22536]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-04-19 141312]

R2 CSIScanner;CSIScanner;c:\arquivos de programas\Prevx\prevx.exe [2009-02-27 4228664]

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-09-19 77312]

--- ---

*NewlyCreated* - ASC3360PR

*NewlyCreated* - PXSCAN

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Barra de Ferramentas do RF - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Personalizar Menu - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Preencher - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Salvar Formulários - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: google.com\www

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-01 10:06:22

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\arquivos de programas\Spyware Terminator\sp_rsser.exe

c:\windows\system32\wscntfy.exe

c:\windows\temp\meyv.exe

c:\windows\temp\cmfffj.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-03-01 10:11:34 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-03-01 13:11:29

ComboFix2.txt 2009-02-28 21:39:45

Pré-execução: 18 pasta(s) 37.040.140.288 bytes disponíveis

Pós execução: 18 pasta(s) 37,029,302,272 bytes disponíveis

281 --- E O F --- 2009-03-01 12:11:18

DDS LOG

DDS (Ver_09-02-01.01) - NTFSx86

Run by Administrador at 10:16:01,95 on dom 01/03/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.223.83 [GMT -3:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\TEMP\meyv.exe

C:\WINDOWS\TEMP\cmfffj.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Administrador\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.br/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\arquivos de programas\siteadvisor\6253\SiteAdv.dll

BHO: ssh2 Class: {2e3c3651-b19c-4dd9-a979-901ec3e930af} - c:\arquivos de programas\scpad\scpsssh2.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\arquivos de programas\siber systems\ai roboform\roboform.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\arquivos de programas\google\googletoolbar3.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\arquivos de programas\google\googletoolbarnotifier\3.1.807.1746\swg.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\arquivos de programas\google\googletoolbar3.dll

TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\arquivos de programas\siteadvisor\6253\SiteAdv.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\arquivos de programas\siber systems\ai roboform\roboform.dll

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] c:\arquivos de programas\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

mRun: [QuickTime Task] "c:\arquivos de programas\k-lite codec pack\quicktime\qttask.exe" -atboottime

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [MsnMsgr] "c:\arquivos de programas\msn messenger\MsnMsgr.Exe" /background

dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\adober~1.lnk - c:\arquivos de programas\adobe\acrobat 7.0\reader\reader_sl.exe

mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: Barra de Ferramentas do RF - file://c:\arquivos de programas\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~1\office11\EXCEL.EXE/3000

IE: Personalizar Menu - file://c:\arquivos de programas\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Preencher - file://c:\arquivos de programas\siber systems\ai roboform\RoboFormComFillForms.html

IE: Salvar Formulários - file://c:\arquivos de programas\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\arquivos de programas\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\arquivos de programas\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\arquivos de programas\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~1\office11\REFIEBAR.DLL

Trusted Zone: google.com\www

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://wantwon.spaces.live.com//PhotoUpload/MsnPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\arquivos de programas\hp\hpcoretech\comp\hpuiprot.dll

Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\arquivos de programas\siteadvisor\6253\SiteAdv.dll

SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - c:\arquivos de programas\scpad\scpLIB.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: compIB Class: {a3717295-941d-416f-9384-ed1736729f1c} - c:\arquivos de programas\scpad\scpLIB.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\dadosd~1\mozilla\firefox\profiles\pbl4gy8w.default\

FF - component: c:\documents and settings\administrador\dados de aplicativos\mozilla\firefox\profiles\pbl4gy8w.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll

FF - component: c:\documents and settings\administrador\dados de aplicativos\mozilla\firefox\profiles\pbl4gy8w.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin2.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin3.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin4.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin5.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\quicktime\plugins\npqtplugin6.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-2-27 22536]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-4-19 141312]

RUnknown asc3360pr;asc3360pr; [x]

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-9-19 77312]

S1 avgio;avgio;\??\c:\arquivos de programas\avira\antivir personaledition classic\avgio.sys --> c:\arquivos de programas\avira\antivir personaledition classic\avgio.sys [?]

S2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;"c:\arquivos de programas\avira\antivir personaledition classic\sched.exe" --> c:\arquivos de programas\avira\antivir personaledition classic\sched.exe [?]

S2 AntiVirService;AntiVir PersonalEdition Classic Guard;"c:\arquivos de programas\avira\antivir personaledition classic\avguard.exe" --> c:\arquivos de programas\avira\antivir personaledition classic\avguard.exe [?]

S2 CSIScanner;CSIScanner;c:\arquivos de programas\prevx\prevx.exe [2009-2-27 4228664]

S3 avgntflt;avgntflt;\??\c:\arquivos de programas\avira\antivir personaledition classic\avgntflt.sys --> c:\arquivos de programas\avira\antivir personaledition classic\avgntflt.sys [?]

============== File Associations ===============

txtfile=Notepad.exe "%1"

=============== Created Last 30 ================

2009-02-28 18:20 <DIR> a-dshr-- C:\cmdcons

2009-02-28 18:16 161,792 a------- c:\windows\SWREG.exe

2009-02-28 18:16 98,816 a------- c:\windows\sed.exe

2009-02-27 17:17 250 a------- c:\windows\gmer.ini

2009-02-27 15:35 22,536 a------- c:\windows\system32\drivers\pxscan.sys

2009-02-27 15:35 <DIR> --d----- c:\arquivos de programas\Prevx

2009-02-27 15:35 67 a------- c:\windows\wininit.ini

2009-02-27 15:35 <DIR> --d----- c:\docume~1\alluse~1\dadosd~1\PrevxCSI

2009-02-20 19:15 <DIR> --d----- c:\arquivos de programas\Panda Security

==================== Find3M ====================

2009-02-20 19:42 98,304 a------- c:\windows\DUMP4b51.tmp

2009-02-14 23:14 422,176 a------- c:\windows\system32\perfh016.dat

2009-02-14 23:14 65,992 a------- c:\windows\system32\perfc016.dat

2008-12-13 03:37 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll

2008-12-12 15:09 126,032 a------- C:\cc_20081212_160909.reg

2008-12-11 08:57 333,184 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 10:16:27,35 ===============


Temporarily, and while you carry out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after running the procedure(s) mentioned below.

Open Notepad, then copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:


File::
c:\windows\temp\pmsqn.exe
c:\windows\temp\cqkcc.exe

  • Save this file as: CFScript.txt
    CFScriptB-4.gif
  • As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe
  • When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.


Below is the ComboFix report, and thank you once again.

ComboFix 09-03-02.03 - Administrador 2009-03-03 21:39:58.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.223.80 [GMT -3:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

* Criado um novo ponto de restauro

FILE ::

c:\windows\temp\cqkcc.exe

c:\windows\temp\pmsqn.exe

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3360PR

-------\Service_asc3360pr

(((((((((((((((( Arquivos/Ficheiros criados de 2009-02-04 to 2009-03-04 ))))))))))))))))))))))))))))

.

2009-02-27 17:17 . 2009-02-27 17:26 250 --a------ c:\windows\gmer.ini

2009-02-27 15:35 . 2009-02-27 15:37 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\PrevxCSI

2009-02-27 15:35 . 2009-02-27 15:35 <DIR> d-------- c:\arquivos de programas\Prevx

2009-02-27 15:35 . 2009-02-27 15:35 22,536 --a------ c:\windows\system32\drivers\pxscan.sys

2009-02-27 15:35 . 2009-02-27 15:35 67 --a------ c:\windows\wininit.ini

2009-02-20 19:15 . 2009-02-28 19:22 <DIR> d-------- c:\arquivos de programas\Panda Security

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-28 23:00 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator

2009-02-28 23:00 --------- d-----w c:\arquivos de programas\Spyware Terminator

2009-02-28 22:47 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Spyware Terminator

2009-02-27 18:34 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\PrevxCSI

2009-02-20 22:42 98,304 ----a-w c:\windows\DUMP4b51.tmp

2009-02-14 15:40 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2009-02-05 12:14 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Orbit

2009-01-31 23:19 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\uTorrent

2009-01-24 00:12 --------- d-----w c:\arquivos de programas\MSN Messenger

2008-12-12 18:09 126,032 ----a-w C:\cc_20081212_160909.reg

.

------- Sigcheck -------

2005-09-19 16:45 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\system32\spoolsv.exe

.

((((((((((((((((((((((((((((( SnapShot_2009-03-01_10.09.34.70 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-10-16 20:23:05 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll

+ 2008-10-16 20:23:05 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll

+ 2008-10-16 20:23:05 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll

+ 2008-10-16 20:23:05 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll

+ 2008-10-16 20:23:05 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll

+ 2008-10-16 13:15:01 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe

+ 2008-10-16 20:23:05 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll

+ 2008-10-16 20:23:05 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll

+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll

+ 2008-10-16 20:23:05 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll

+ 2008-10-16 20:23:05 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll

+ 2008-10-16 20:23:06 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll

+ 2008-10-16 20:23:06 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll

+ 2008-10-16 20:23:06 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll

+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe

+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe

+ 2008-10-16 20:23:06 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll

+ 2008-10-16 20:23:06 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll

+ 2008-10-16 20:23:06 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll

+ 2008-12-13 06:37:59 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll

+ 2008-10-16 20:23:07 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll

+ 2008-10-16 20:23:07 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll

+ 2008-10-16 20:23:07 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll

+ 2008-10-16 20:23:07 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll

+ 2008-10-16 20:23:07 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll

+ 2007-03-06 01:01:00 215,264 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe

+ 2007-03-06 01:02:08 384,224 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll

+ 2008-10-16 20:23:07 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll

+ 2008-10-16 20:23:07 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll

+ 2008-10-16 20:23:07 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll

+ 2008-10-16 20:23:07 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll

- 2008-10-16 20:23:05 124,928 ----a-w c:\windows\system32\advpack.dll

+ 2008-12-20 22:46:47 124,928 ----a-w c:\windows\system32\advpack.dll

- 2008-10-16 20:23:05 124,928 ------w c:\windows\system32\DllCache\advpack.dll

+ 2008-12-20 22:46:47 124,928 ------w c:\windows\system32\DllCache\advpack.dll

- 2008-10-16 20:23:05 347,136 ----a-w c:\windows\system32\DllCache\dxtmsft.dll

+ 2008-12-20 22:46:47 347,136 ----a-w c:\windows\system32\DllCache\dxtmsft.dll

- 2008-10-16 20:23:05 214,528 ----a-w c:\windows\system32\DllCache\dxtrans.dll

+ 2008-12-20 22:46:48 214,528 ----a-w c:\windows\system32\DllCache\dxtrans.dll

- 2008-10-16 20:23:05 133,120 ----a-w c:\windows\system32\DllCache\extmgr.dll

+ 2008-12-20 22:46:48 133,120 ----a-w c:\windows\system32\DllCache\extmgr.dll

- 2008-10-16 20:23:05 63,488 ------w c:\windows\system32\DllCache\icardie.dll

+ 2008-12-20 22:46:48 63,488 ------w c:\windows\system32\DllCache\icardie.dll

- 2008-10-16 13:15:01 70,656 ------w c:\windows\system32\DllCache\ie4uinit.exe

+ 2008-12-19 09:14:21 70,656 ------w c:\windows\system32\DllCache\ie4uinit.exe

- 2008-10-16 20:23:05 153,088 ------w c:\windows\system32\DllCache\ieakeng.dll

+ 2008-12-20 22:46:48 153,088 ------w c:\windows\system32\DllCache\ieakeng.dll

- 2008-10-16 20:23:05 230,400 ------w c:\windows\system32\DllCache\ieaksie.dll

+ 2008-12-20 22:46:48 230,400 ------w c:\windows\system32\DllCache\ieaksie.dll

- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\DllCache\ieakui.dll

+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\DllCache\ieakui.dll

- 2008-10-16 20:23:05 383,488 ------w c:\windows\system32\DllCache\ieapfltr.dll

+ 2008-12-20 22:46:49 383,488 ------w c:\windows\system32\DllCache\ieapfltr.dll

- 2008-10-16 20:23:05 384,512 ------w c:\windows\system32\DllCache\iedkcs32.dll

+ 2008-12-20 22:46:50 384,512 ------w c:\windows\system32\DllCache\iedkcs32.dll

- 2008-10-16 20:23:06 6,066,176 ------w c:\windows\system32\DllCache\ieframe.dll

+ 2008-12-20 22:46:53 6,066,688 ------w c:\windows\system32\DllCache\ieframe.dll

- 2008-10-16 20:23:06 44,544 ------w c:\windows\system32\DllCache\iernonce.dll

+ 2008-12-20 22:46:53 44,544 ------w c:\windows\system32\DllCache\iernonce.dll

- 2008-10-16 20:23:06 267,776 ------w c:\windows\system32\DllCache\iertutil.dll

+ 2008-12-20 22:46:54 267,776 ------w c:\windows\system32\DllCache\iertutil.dll

- 2008-10-16 13:11:09 13,824 ------w c:\windows\system32\DllCache\ieudinit.exe

+ 2008-12-19 09:10:15 13,824 ------w c:\windows\system32\DllCache\ieudinit.exe

- 2008-10-15 07:06:26 633,632 ------w c:\windows\system32\DllCache\iexplore.exe

+ 2008-12-19 05:25:25 634,024 ------w c:\windows\system32\DllCache\iexplore.exe

- 2008-10-16 20:23:06 27,648 ----a-w c:\windows\system32\DllCache\jsproxy.dll

+ 2008-12-20 22:46:55 27,648 ----a-w c:\windows\system32\DllCache\jsproxy.dll

- 2008-10-16 20:23:06 459,264 ------w c:\windows\system32\DllCache\msfeeds.dll

+ 2008-12-20 22:46:56 459,264 ------w c:\windows\system32\DllCache\msfeeds.dll

- 2008-10-16 20:23:06 52,224 ------w c:\windows\system32\DllCache\msfeedsbs.dll

+ 2008-12-20 22:46:56 52,224 ------w c:\windows\system32\DllCache\msfeedsbs.dll

- 2008-12-13 06:37:59 3,593,216 ----a-w c:\windows\system32\DllCache\mshtml.dll

+ 2009-01-17 00:16:40 3,594,752 ----a-w c:\windows\system32\DllCache\mshtml.dll

- 2008-10-16 20:23:07 477,696 ----a-w c:\windows\system32\DllCache\mshtmled.dll

+ 2008-12-20 22:47:00 477,696 ----a-w c:\windows\system32\DllCache\mshtmled.dll

- 2008-10-16 20:23:07 193,024 ----a-w c:\windows\system32\DllCache\msrating.dll

+ 2008-12-20 22:47:00 193,024 ----a-w c:\windows\system32\DllCache\msrating.dll

- 2008-10-16 20:23:07 671,232 ----a-w c:\windows\system32\DllCache\mstime.dll

+ 2008-12-20 22:47:01 671,232 ----a-w c:\windows\system32\DllCache\mstime.dll

- 2008-10-16 20:23:07 102,912 ------w c:\windows\system32\DllCache\occache.dll

+ 2008-12-20 22:47:01 102,912 ------w c:\windows\system32\DllCache\occache.dll

- 2008-10-16 20:23:07 44,544 ----a-w c:\windows\system32\DllCache\pngfilt.dll

+ 2008-12-20 22:47:01 44,544 ----a-w c:\windows\system32\DllCache\pngfilt.dll

- 2007-10-25 16:57:15 8,484,352 ------w c:\windows\system32\DllCache\shell32.dll

+ 2008-07-03 13:15:47 8,484,352 ------w c:\windows\system32\DllCache\shell32.dll

- 2008-10-16 20:23:07 105,984 ------w c:\windows\system32\DllCache\url.dll

+ 2008-12-20 22:47:01 105,984 ------w c:\windows\system32\DllCache\url.dll

- 2008-10-16 20:23:07 1,160,192 ----a-w c:\windows\system32\DllCache\urlmon.dll

+ 2008-12-20 22:47:02 1,160,192 ----a-w c:\windows\system32\DllCache\urlmon.dll

- 2008-10-16 20:23:07 233,472 ------w c:\windows\system32\DllCache\webcheck.dll

+ 2008-12-20 22:47:03 233,472 ------w c:\windows\system32\DllCache\webcheck.dll

- 2008-10-16 20:23:07 826,368 ----a-w c:\windows\system32\DllCache\wininet.dll

+ 2008-12-20 22:47:03 826,368 ----a-w c:\windows\system32\DllCache\wininet.dll

- 2008-10-16 20:23:05 347,136 ----a-w c:\windows\system32\dxtmsft.dll

+ 2008-12-20 22:46:47 347,136 ----a-w c:\windows\system32\dxtmsft.dll

- 2008-10-16 20:23:05 214,528 ----a-w c:\windows\system32\dxtrans.dll

+ 2008-12-20 22:46:48 214,528 ----a-w c:\windows\system32\dxtrans.dll

- 2008-10-16 20:23:05 133,120 ----a-w c:\windows\system32\extmgr.dll

+ 2008-12-20 22:46:48 133,120 ----a-w c:\windows\system32\extmgr.dll

- 2008-10-16 20:23:05 63,488 ----a-w c:\windows\system32\icardie.dll

+ 2008-12-20 22:46:48 63,488 ----a-w c:\windows\system32\icardie.dll

- 2008-10-16 13:15:01 70,656 ----a-w c:\windows\system32\ie4uinit.exe

+ 2008-12-19 09:14:21 70,656 ----a-w c:\windows\system32\ie4uinit.exe

- 2008-10-16 20:23:05 153,088 ----a-w c:\windows\system32\ieakeng.dll

+ 2008-12-20 22:46:48 153,088 ----a-w c:\windows\system32\ieakeng.dll

- 2008-10-16 20:23:05 230,400 ----a-w c:\windows\system32\ieaksie.dll

+ 2008-12-20 22:46:48 230,400 ----a-w c:\windows\system32\ieaksie.dll

- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll

+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll

- 2008-10-16 20:23:05 383,488 ----a-w c:\windows\system32\ieapfltr.dll

+ 2008-12-20 22:46:49 383,488 ----a-w c:\windows\system32\ieapfltr.dll

- 2008-10-16 20:23:05 384,512 ----a-w c:\windows\system32\iedkcs32.dll

+ 2008-12-20 22:46:50 384,512 ----a-w c:\windows\system32\iedkcs32.dll

- 2008-10-16 20:23:06 6,066,176 ----a-w c:\windows\system32\ieframe.dll

+ 2008-12-20 22:46:53 6,066,688 ----a-w c:\windows\system32\ieframe.dll

- 2008-10-16 20:23:06 44,544 ----a-w c:\windows\system32\iernonce.dll

+ 2008-12-20 22:46:53 44,544 ----a-w c:\windows\system32\iernonce.dll

- 2008-10-16 20:23:06 267,776 ----a-w c:\windows\system32\iertutil.dll

+ 2008-12-20 22:46:54 267,776 ----a-w c:\windows\system32\iertutil.dll

- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe

+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe

- 2008-10-16 20:23:06 27,648 ----a-w c:\windows\system32\jsproxy.dll

+ 2008-12-20 22:46:55 27,648 ----a-w c:\windows\system32\jsproxy.dll

- 2008-10-16 20:23:06 459,264 ----a-w c:\windows\system32\msfeeds.dll

+ 2008-12-20 22:46:56 459,264 ----a-w c:\windows\system32\msfeeds.dll

- 2008-10-16 20:23:06 52,224 ----a-w c:\windows\system32\msfeedsbs.dll

+ 2008-12-20 22:46:56 52,224 ----a-w c:\windows\system32\msfeedsbs.dll

- 2008-12-13 06:37:59 3,593,216 ----a-w c:\windows\system32\mshtml.dll

+ 2009-01-17 00:16:40 3,594,752 ----a-w c:\windows\system32\mshtml.dll

- 2008-10-16 20:23:07 477,696 ----a-w c:\windows\system32\mshtmled.dll

+ 2008-12-20 22:47:00 477,696 ----a-w c:\windows\system32\mshtmled.dll

- 2008-10-16 20:23:07 193,024 ----a-w c:\windows\system32\msrating.dll

+ 2008-12-20 22:47:00 193,024 ----a-w c:\windows\system32\msrating.dll

- 2008-10-16 20:23:07 671,232 ----a-w c:\windows\system32\mstime.dll

+ 2008-12-20 22:47:01 671,232 ----a-w c:\windows\system32\mstime.dll

- 2008-10-16 20:23:07 102,912 ----a-w c:\windows\system32\occache.dll

+ 2008-12-20 22:47:01 102,912 ----a-w c:\windows\system32\occache.dll

- 2008-10-16 20:23:07 44,544 ----a-w c:\windows\system32\pngfilt.dll

+ 2008-12-20 22:47:01 44,544 ----a-w c:\windows\system32\pngfilt.dll

- 2007-10-25 16:57:15 8,484,352 ----a-w c:\windows\system32\shell32.dll

+ 2008-07-03 13:15:47 8,484,352 ----a-w c:\windows\system32\shell32.dll

- 2008-10-16 20:23:07 105,984 ----a-w c:\windows\system32\url.dll

+ 2008-12-20 22:47:01 105,984 ----a-w c:\windows\system32\url.dll

- 2008-10-16 20:23:07 1,160,192 ----a-w c:\windows\system32\urlmon.dll

+ 2008-12-20 22:47:02 1,160,192 ----a-w c:\windows\system32\urlmon.dll

- 2008-10-16 20:23:07 233,472 ----a-w c:\windows\system32\webcheck.dll

+ 2008-12-20 22:47:03 233,472 ----a-w c:\windows\system32\webcheck.dll

- 2008-10-16 20:23:07 826,368 ----a-w c:\windows\system32\wininet.dll

+ 2008-12-20 22:47:03 826,368 ----a-w c:\windows\system32\wininet.dll

+ 2009-03-04 00:44:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_940.dat

.

-- Snapshot resetado para data atual --

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 146680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 491520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5858672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 107520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i263_32.drv

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]

path=c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Check for Updates.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Check for Updates.lnk

backup=c:\windows\pss\Check for Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Discador Oi Internet.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Discador Oi Internet.lnk

backup=c:\windows\pss\Discador Oi Internet.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Install Guide.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Install Guide.lnk

backup=c:\windows\pss\Install Guide.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Manual.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Manual.lnk

backup=c:\windows\pss\Manual.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Readme.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Readme.lnk

backup=c:\windows\pss\Readme.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^RollerCoaster Tycoon® 3.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\RollerCoaster Tycoon® 3.lnk

backup=c:\windows\pss\RollerCoaster Tycoon® 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Uninstall RollerCoaster Tycoon® 3.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Uninstall RollerCoaster Tycoon® 3.lnk

backup=c:\windows\pss\Uninstall RollerCoaster Tycoon® 3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

--a------ 2004-03-21 13:20 268800 c:\arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:45 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

--a------ 2007-01-01 19:54 3817472 c:\arquivos de programas\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 311296 c:\arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2004-02-18 14:55 126976 c:\arquivos de programas\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

--a------ 2004-03-04 12:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

--a------ 2007-01-19 11:54 5858672 c:\arquivos de programas\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 10:50 491520 c:\arquivos de programas\K-Lite Codec Pack\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]

--a------ 2007-03-30 12:42 36904 c:\arquivos de programas\SiteAdvisor\6172\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

--a------ 2008-08-18 09:55 1783808 c:\arquivos de programas\Spyware Terminator\SpywareTerminatorShield.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 222608 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-28 18:43 146680 c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

-ra------ 2004-01-29 21:33 180224 c:\windows\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2005-06-20 10:42 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2004-07-12 22:57 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

-ra------ 2004-06-21 15:57 143360 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"W32Time"=2 (0x2)

"gusvc"=3 (0x3)

"SandraTheSrv"=3 (0x3)

"SandraDataSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Arquivos de programas\\K-Lite Codec Pack\\QuickTime\\qttask.exe"=

"c:\\Arquivos de programas\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\usnsvc.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\system32\\userinit.exe"=

"c:\\WINDOWS\\NIRCMD.exe"=

"c:\\Arquivos de programas\\Prevx\\prevx.exe"=

"c:\\Arquivos de programas\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=

"c:\\WINDOWS\\system32\\wuauclt.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\uninstall\\helper.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\WINDOWS\\system32\\CF13891.exe"=

"c:\\WINDOWS\\TEMP\\winxbmvb.exe"=

"c:\\WINDOWS\\TEMP\\wingbdtt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-27 22536]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-04-19 141312]

R2 CSIScanner;CSIScanner;c:\arquivos de programas\Prevx\prevx.exe [2009-02-27 4228664]

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-09-19 77312]

--- ---

*NewlyCreated* - ASC3360PR

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Barra de Ferramentas do RF - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Personalizar Menu - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Preencher - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Salvar Formulários - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: google.com\www

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-03 21:44:46

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\arquivos de programas\Spyware Terminator\sp_rsser.exe

c:\windows\system32\wscntfy.exe

c:\windows\temp\winxbmvb.exe

c:\windows\temp\wingbdtt.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-03-03 21:48:54 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-03-04 00:48:49

ComboFix2.txt 2009-03-01 13:11:37

ComboFix3.txt 2009-02-28 21:39:45

Pré-execução: 18 pasta(s) 36.929.236.992 bytes disponíveis

Pós execução: 18 pasta(s) 36,919,394,304 bytes disponíveis

386 --- E O F --- 2009-03-01 13:27:49


There is some point of reinfection; disconnect your computer from the internet BEFORE following the procedures below:

Temporarily, and while carrying out these instructions, it is very important that you keep your protection programs (antivirus, antispyware and firewall) disabled. Re-enable the protections after completing the procedure(s) mentioned below.

Open Notepad, then copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Code" box:


File::

c:\windows\temp\winxbmvb.exe
c:\windows\temp\wingbdtt.exe

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\TEMP\\winxbmvb.exe"=-
"c:\\WINDOWS\\TEMP\\wingbdtt.exe"=-

FireFox::

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\
FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npmozax.dll

  • Save this file as: CFScript.txt
    (image: CFScriptB-4.gif)
  • As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe
  • When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.


Here is the report

ComboFix 09-03-02.03 - Administrador 2009-03-08 11:10:26.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.223.71 [GMT -3:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

* Criado um novo ponto de restauro

FILE ::

c:\windows\temp\wingbdtt.exe

c:\windows\temp\winxbmvb.exe

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3360PR

-------\Service_asc3360pr

(((((((((((((((( Arquivos/Ficheiros criados de 2009-02-08 to 2009-03-08 ))))))))))))))))))))))))))))

.

2009-02-27 17:17 . 2009-02-27 17:26 250 --a------ c:\windows\gmer.ini

2009-02-27 15:35 . 2009-02-27 15:37 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\PrevxCSI

2009-02-27 15:35 . 2009-02-27 15:35 <DIR> d-------- c:\arquivos de programas\Prevx

2009-02-27 15:35 . 2009-02-27 15:35 22,536 --a------ c:\windows\system32\drivers\pxscan.sys

2009-02-27 15:35 . 2009-02-27 15:35 67 --a------ c:\windows\wininit.ini

2009-02-20 19:15 . 2009-02-28 19:22 <DIR> d-------- c:\arquivos de programas\Panda Security

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-28 23:00 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator

2009-02-28 23:00 --------- d-----w c:\arquivos de programas\Spyware Terminator

2009-02-28 22:47 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Spyware Terminator

2009-02-27 18:34 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\PrevxCSI

2009-02-20 22:42 98,304 ----a-w c:\windows\DUMP4b51.tmp

2009-02-14 15:40 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2009-02-05 12:14 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Orbit

2009-01-31 23:19 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\uTorrent

2009-01-24 00:12 --------- d-----w c:\arquivos de programas\MSN Messenger

2008-12-12 18:09 126,032 ----a-w C:\cc_20081212_160909.reg

.

------- Sigcheck -------

2005-09-19 16:45 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\system32\spoolsv.exe

.

((((((((((((((((((((((((((((( SnapShot_2009-03-03_21.46.42.17 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-15 02:14:19 57,344 ----a-w c:\windows\system32\perfc009.dat

+ 2009-03-06 21:20:43 57,344 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-15 02:14:19 65,992 ----a-w c:\windows\system32\perfc016.dat

+ 2009-03-06 21:20:43 65,992 ----a-w c:\windows\system32\perfc016.dat

- 2009-02-15 02:14:19 389,050 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-06 21:20:43 389,050 ----a-w c:\windows\system32\perfh009.dat

- 2009-02-15 02:14:19 422,176 ----a-w c:\windows\system32\perfh016.dat

+ 2009-03-06 21:20:43 422,176 ----a-w c:\windows\system32\perfh016.dat

+ 2009-03-08 14:14:56 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1a8.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 146680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 491520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5858672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 107520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i263_32.drv

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]

path=c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Check for Updates.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Check for Updates.lnk

backup=c:\windows\pss\Check for Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Discador Oi Internet.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Discador Oi Internet.lnk

backup=c:\windows\pss\Discador Oi Internet.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Install Guide.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Install Guide.lnk

backup=c:\windows\pss\Install Guide.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Manual.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Manual.lnk

backup=c:\windows\pss\Manual.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Readme.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Readme.lnk

backup=c:\windows\pss\Readme.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^RollerCoaster Tycoon® 3.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\RollerCoaster Tycoon® 3.lnk

backup=c:\windows\pss\RollerCoaster Tycoon® 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Uninstall RollerCoaster Tycoon® 3.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Uninstall RollerCoaster Tycoon® 3.lnk

backup=c:\windows\pss\Uninstall RollerCoaster Tycoon® 3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

--a------ 2004-03-21 13:20 268800 c:\arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:45 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

--a------ 2007-01-01 19:54 3817472 c:\arquivos de programas\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 311296 c:\arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2004-02-18 14:55 126976 c:\arquivos de programas\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

--a------ 2004-03-04 12:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

--a------ 2007-01-19 11:54 5858672 c:\arquivos de programas\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 10:50 491520 c:\arquivos de programas\K-Lite Codec Pack\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]

--a------ 2007-03-30 12:42 36904 c:\arquivos de programas\SiteAdvisor\6172\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

--a------ 2008-08-18 09:55 1783808 c:\arquivos de programas\Spyware Terminator\SpywareTerminatorShield.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 222608 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-28 18:43 146680 c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

-ra------ 2004-01-29 21:33 180224 c:\windows\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2005-06-20 10:42 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2004-07-12 22:57 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

-ra------ 2004-06-21 15:57 143360 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"W32Time"=2 (0x2)

"gusvc"=3 (0x3)

"SandraTheSrv"=3 (0x3)

"SandraDataSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Arquivos de programas\\K-Lite Codec Pack\\QuickTime\\qttask.exe"=

"c:\\Arquivos de programas\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\usnsvc.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\WINDOWS\\system32\\userinit.exe"=

"c:\\WINDOWS\\NIRCMD.exe"=

"c:\\Arquivos de programas\\Prevx\\prevx.exe"=

"c:\\Arquivos de programas\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=

"c:\\WINDOWS\\system32\\wuauclt.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\uninstall\\helper.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-27 22536]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-04-19 141312]

R2 CSIScanner;CSIScanner;c:\arquivos de programas\Prevx\prevx.exe [2009-02-27 4228664]

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-09-19 77312]

--- ---

*NewlyCreated* - ASC3360PR

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a52874e-bdc2-11dd-8504-00142adfb199}]

\sHElL\autopLay\cOMmaND - G:\phjko.exe

\sHElL\AutoRun\command - G:\phjko.exe

\sHElL\ExpLoRe\COmmANd - G:\phjko.exe

\sHElL\open\commAnd - G:\phjko.exe

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Barra de Ferramentas do RF - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Personalizar Menu - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Preencher - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Salvar Formulários - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: google.com\www

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\pbl4gy8w.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-08 11:15:09

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\arquivos de programas\Spyware Terminator\sp_rsser.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-03-08 11:19:48 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-03-08 14:19:44

ComboFix2.txt 2009-03-04 00:48:57

ComboFix3.txt 2009-03-01 13:11:37

ComboFix4.txt 2009-02-28 21:39:45

Pré-execução: 18 pasta(s) 36.857.700.352 bytes disponíveis

Pós execução: 18 pasta(s) 36,845,064,192 bytes disponíveis

244 --- E O F --- 2009-03-01 13:27:49


Was the procedure carried out with the computer disconnected from the internet?

Have you been using pendrives (USB flash drives) on this computer?
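The CFScript above and the question about pendrives both come from reading the log the same way: executables authorized through the firewall or running from TEMP, the firewall switched off, and MountPoints2 autorun handlers pointing at a drive letter. As an added example (not a tool from the thread or from ComboFix), this Python script applies those checks to constructed lines in the same log format and emits the File::/Registry:: sections in the CFScript form the helper used; the function names are my own.

```python
"""Triage helper for ComboFix-style logs (added example, not a ComboFix tool).

It reads the log line by line, tracking the current registry key, and flags:
  * "EnableFirewall"= 0 in the standard firewall profile,
  * firewall exceptions (AuthorizedApplications\List) for executables in a
    TEMP directory,
  * MountPoints2 autorun handlers (\shell\...\command) that launch an .exe
    straight from a drive letter, the pattern left by removable-media worms,
  * processes running from a TEMP directory.
It then renders File:: and Registry:: sections in the CFScript format the
helper used, so the removal script can be reviewed before anything is run.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
AUTHAPP_RE = re.compile(r'^"(.+)"=$')
# The malware randomises the case of the key names, hence IGNORECASE.
MOUNTPOINT_CMD_RE = re.compile(r"^\\shell\\[^\\]+\\command\s+-\s+(.+)$", re.IGNORECASE)
DRIVE_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)
PROCESS_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample: lines written in the format of the thread's ComboFix logs.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\TEMP\\winxbmvb.exe"=
"c:\\WINDOWS\\TEMP\\wingbdtt.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a52874e-bdc2-11dd-8504-00142adfb199}]
\sHElL\AutoRun\command - G:\phjko.exe
\sHElL\open\commAnd - G:\phjko.exe
------------------------ Outros Processos em Execução ------------------------
c:\windows\system32\wscntfy.exe
c:\windows\temp\winxbmvb.exe
"""


def triage(log_text):
    """Return (findings, cfscript); findings are (kind, detail) tuples."""
    findings = []
    temp_files = []      # cleaned paths for the File:: section
    temp_values = []     # registry value names for the Registry:: section
    authapp_key = None
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        low = section.lower()
        if PROCESS_RE.match(line):
            # Process listing: a bare full path to an executable.
            if TEMP_DIR_RE.search(line):
                findings.append(("process_running_from_temp", line))
                temp_files.append(line.lower())
        elif low.endswith(r"firewallpolicy\standardprofile"):
            if line.startswith('"EnableFirewall"= 0'):
                findings.append(("firewall_disabled", section))
        elif low.endswith(r"authorizedapplications\list"):
            m = AUTHAPP_RE.match(line)
            if m:
                path = m.group(1).replace("\\\\", "\\")  # undo registry escaping
                if TEMP_DIR_RE.search(path):
                    findings.append(("firewall_exception_in_temp", path))
                    temp_files.append(path.lower())
                    temp_values.append(m.group(1))
                    authapp_key = section
        elif "\\mountpoints2\\" in low:
            m = MOUNTPOINT_CMD_RE.match(line)
            if m and DRIVE_EXE_RE.match(m.group(1)):
                findings.append(("removable_media_autorun", m.group(1)))
    return findings, build_cfscript(temp_files, authapp_key, temp_values)


def build_cfscript(temp_files, authapp_key, temp_values):
    """Render File:: and Registry:: sections; a trailing "=-" deletes a value."""
    lines = []
    files = list(dict.fromkeys(temp_files))  # de-duplicate, keep order
    if files:
        lines.append("File::")
        lines.extend(files)
    if temp_values and authapp_key:
        lines += ["", "Registry::", "[%s]" % authapp_key]
        lines.extend('"%s"=-' % v for v in temp_values)
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found, script = triage(SAMPLE_LOG)
    for kind, detail in found:
        print("%-28s %s" % (kind, detail))
    print()
    print(script)
```

The MountPoints2 findings are reported only, not scripted away, because the real fix is the removable drive that carries phjko.exe, which is why the helper asks about pendrives.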


The procedure was carried out with the PC disconnected from the internet, as requested. As for the use of pendrives, I can't say for certain, since I am not the only one who uses the PC; however, I advised my brothers not to use pendrives given that the PC is infected. So I can't state it for sure, but I'm almost certain that no pendrive has been used in the last few days.

PS: I would just like to thank you once again for the attention and time you have spent on me; I am grateful, really very grateful for the help.


Ok, we need to check for the presence of a file infector. I'll ask for a scan with Kaspersky; it will tell me whether any system file is infected.

Run an Online Scan at Kaspersky Virusscanner

  • Click (image: Clipboard01-1.jpg)
  • When asked to install the ActiveX component, click (image: Clipboard015.jpg)
  • Wait for the installation and the update, then click (image: Clipboard013.jpg)
  • Now click (image: Clipboard016.jpg)
  • In the scan options (settings), make sure the entries below are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click (image: Clipboard014.jpg)
  • Click My Computer so that a full scan of your system is performed.
  • The scan will start and may take a while. Be patient and wait.
  • At the end of the scan, click the Save as Text button.
  • Save the log with the results and post it in your next reply.
  • Also generate and paste a new HijackThis log.


Dear friend Renato Mejias, unfortunately, after several attempts, I have come to the conclusion that I cannot access the site at the link you suggested. Whether through Internet Explorer or Firefox, access is denied. Could the virus(es) have blocked access to the site?

Awaiting instructions.

Thank you.


Download the program below from a non-infected computer.

Download the Kaspersky Removal Tool (make sure to always use the last link that appears in the list, to get the most recent version of the software). Save it to your desktop.

  • Install the program normally, following all of its steps.
  • On the program's main screen, click the "My Computer" option and then click the "Scan" button.
  • Be patient; the scan may take a while.
  • If it finds any infection, click "skip".
  • After everything completes, click the Events tab, untick the "Show all events" checkbox and then click "Save to file".
  • Give the file a name and save it in a folder of your choice.
  • Post the contents of that file in your next reply.


Hi Renato, sorry for taking so long to reply (I'm working on two monographs and I'm a bit short on time).

So, should I download the program you mentioned from a non-infected computer, save it (on a pendrive, say) and only then install it on my PC? Is that it?

The hard part will be finding a computer without any malware. But I'll try. Awaiting further instructions.

Many thanks, sorry for the delay, and once again I'm grateful for the help.

> So, should I download the program you mentioned from a non-infected computer, save it (on a pendrive, say) and only then install it on my PC? Is that it?
>
> The hard part will be finding a computer without any malware. But I'll try.

I would recommend burning it to a CD, since a pendrive can be compromised when it is connected to the infected computer.

> Awaiting further instructions.

I'm waiting for the log I asked for.
