Analise - o que fazer?

Question

Bom dia,

Estou com virus aqui no computador da empresa. provavelmente trojan que rouba dados banc&aacute;rios.

O meu antivirus detectou os seguintes virus:

trojanspy:Win32/bancos.abt
trojanspy:Win32/bancos.acb

algu&eacute;m pode me ajudar..

segue o log do compurtador abaixo:

Logfile of HijackThis v1.99.1
Scan saved at 09:24:12, on 27/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Arquivos de programas\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Lexmark 5400 Series\ezprint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\aetcrss1.exe
C:\Arquivos de programas\Ask.com\Updater\Updater.exe
C:\Arquivos de programas\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\33.exe
C:\WINDOWS\system32\win64.exe
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Atalho_.pif
C:\WINDOWS\system32\sistray.exe
C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Arquivos de programas\Nero\Update\NASvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\ARQUIV~1\MICROS~2\Office12\OUTLOOK.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\REVESTIR REVESTINDO\Desktop\Nova pasta (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\smss.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Arquivos de programas\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Foxit PDF Creator Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Arquivos de programas\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
O4 - HKLM\..\Run: [GrooveMonitor] C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe -start
O4 - HKLM\..\Run: [lxctmon.exe] C:\Arquivos de programas\Lexmark 5400 Series\lxctmon.exe
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] C:\Arquivos de programas\Lexmark 5400 Series\fm3032.exe /s
O4 - HKLM\..\Run: [EzPrint] C:\Arquivos de programas\Lexmark 5400 Series\ezprint.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CertificateRegistration] aetcrss1.exe
O4 - HKLM\..\Run: [ApnUpdater] C:\Arquivos de programas\Ask.com\Updater\Updater.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\Arquivos de programas\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [31] C:\WINDOWS\system32\31.exe
O4 - HKLM\..\Run: [MSC] c:\Arquivos de programas\Microsoft Security Client\msseces.exe -hide -runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] C:\Documents and Settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe /c
O4 - HKCU\..\Run: [Dolby&reg; Audio Digital] C:\WINDOWS\system32\33.exe
O4 - HKCU\..\Run: [win64.exe] C:\WINDOWS\system32\win64.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Atalho_.pif = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Windows Search.lnk = C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: http://www.bancoreal.com.br
O15 - Trusted Zone: http://www.bancosantander.com.br
O15 - Trusted Zone: http://www.santander.com.br
O15 - Trusted Zone: http://www.santanderempresarial.com.br
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://certapp01.certificadodigital.com.br/testecd/scripts/capicom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify:  GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Arquivos de programas\Java\jre6\bin\jqs.exe -service -config C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: lxct_device -   - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: @C:\Arquivos de programas\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Arquivos de programas\Nero\Update\NASvc.exe

Answer

Gere um log com o Hijackthis atualizado: vers&atilde;o 2.0.4

Answer

Ol&aacute;, j&aacute; consultou o Departamento de Tecnologia da empresa ?! =D

Answer

[quote=cleberbbs, post: 5530327]Ol&aacute;, j&aacute; consultou o Departamento de Tecnologia da empresa ?! =D[/quote]

a empresa &eacute; pequena, n&atilde;o tem esse departamento.

[quote=quemsou_naodigo, post: 5530307]Gere um log com o Hijackthis atualizado: vers&atilde;o 2.0.4[/quote]

pronto:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:00:27, on 27/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Arquivos de programas\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Lexmark 5400 Series\ezprint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\aetcrss1.exe
C:\Arquivos de programas\Ask.com\Updater\Updater.exe
C:\Arquivos de programas\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\33.exe
C:\WINDOWS\system32\win64.exe
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Atalho_.pif
C:\WINDOWS\system32\sistray.exe
C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Arquivos de programas\Nero\Update\NASvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\ARQUIV~1\MICROS~2\Office12\OUTLOOK.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\REVESTIR REVESTINDO\Desktop\Nova pasta (2)\HijackThis(1).exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\smss.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Arquivos de programas\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Foxit PDF Creator Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Arquivos de programas\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
O4 - HKLM\..\Run: [GrooveMonitor] C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe -start
O4 - HKLM\..\Run: [lxctmon.exe] C:\Arquivos de programas\Lexmark 5400 Series\lxctmon.exe
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] C:\Arquivos de programas\Lexmark 5400 Series\fm3032.exe /s
O4 - HKLM\..\Run: [EzPrint] C:\Arquivos de programas\Lexmark 5400 Series\ezprint.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CertificateRegistration] aetcrss1.exe
O4 - HKLM\..\Run: [ApnUpdater] C:\Arquivos de programas\Ask.com\Updater\Updater.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\Arquivos de programas\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [31] C:\WINDOWS\system32\31.exe
O4 - HKLM\..\Run: [MSC] c:\Arquivos de programas\Microsoft Security Client\msseces.exe -hide -runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] C:\Documents and Settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe /c
O4 - HKCU\..\Run: [Dolby&reg; Audio Digital] C:\WINDOWS\system32\33.exe
O4 - HKCU\..\Run: [win64.exe] C:\WINDOWS\system32\win64.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Atalho_.pif = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Windows Search.lnk = C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: http://www.bancoreal.com.br
O15 - Trusted Zone: http://www.bancosantander.com.br
O15 - Trusted Zone: http://www.santander.com.br
O15 - Trusted Zone: http://www.santanderempresarial.com.br
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://certapp01.certificadodigital.com.br/testecd/scripts/capicom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify:  GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll (file missing)
O22 - SharedTaskScheduler: Pr&eacute;-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: lxct_device -   - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: @C:\Arquivos de programas\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Arquivos de programas\Nero\Update\NASvc.exe

--
End of file - 9446 bytes

Answer

algu&eacute;m pode me ajudar?

Answer

* fa&ccedil;a o download do ComboFix., salve-o no desktop:
http://www.bleepingcomputer.com/download/anti-virus/combofix	
	
* Desative temporariamente o seu Antivirus.
* Execute-o - Aceite o contrato.

* Caso o console de recupera&ccedil;&atilde;o j&aacute; esteja instalado o ComboFix ir&aacute; continuar o processo automaticamente.
* Caso n&atilde;o esteja, uma janela, ser&aacute; exibida solicitando a instala&ccedil;&atilde;o. Clique em [SIM] para aceit&aacute;-la.

Importante: enquanto o ComboFix estiver em execu&ccedil;&atilde;o, n&atilde;o use o mouse nem o teclado!!.
&ndash; O programa ser&aacute; fechado automaticamente. --

* envie o relat&oacute;rio criado em C:\combofix.txt e um novo Log do hijackthis.

Answer

depois que eu executo o combofix, fica parado em uma tela azul com a seguinte mensagem:

reiniciando o windows aguarde.

s&oacute; fica fica nisso por muito tempo, e n&atilde;o sai.

reiniciei o windows e fiz de novo o procedimento, mas nada adiantou.

fui em c: e n&atilde;o tinha o arquivo combofix.txt.

o que fa&ccedil;o? algum jeito diferente?

abra&ccedil;os

Answer

log combo fix:
 
ComboFix 11-07-28.02 - REVESTIR REVESTINDO 28/07/2011  11:09:17.3.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.55.1046.18.2935.2473 [GMT -3:00]
Executando de: c:\documents and settings\REVESTIR REVESTINDO\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((   Outras Exclus&otilde;es   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\desktop_
c:\windows\Media\Body.bcc
c:\windows\Media\BoxFile.bcc
c:\windows\system32\31.exe
c:\windows\system32\33.exe
c:\windows\system32\Beholder.exe
c:\windows\system32\messenger.exe
c:\windows\system32\smss.dll
.
---- Execu&ccedil;&otilde;es precedente -------
.
c:\windows\desktop_
c:\windows\Media\Body.bcc
c:\windows\Media\BoxFile.bcc
c:\windows\system32\31.exe
c:\windows\system32\33.exe
c:\windows\system32\Beholder.exe
c:\windows\system32\messenger.exe
c:\windows\system32\smss.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Servi&ccedil;os   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WSearch
-------\Service_WSearch
-------\Legacy_PELODLO
-------\Service_pelodlo
.
.
((((((((((((((((   Arquivos/Ficheiros criados de 2011-06-28 to 2011-07-28  ))))))))))))))))))))))))))))
.
.
2011-07-28 14:17 . 2011-07-28 14:17 233367 ----a-w- c:\windows\system32\smss.dll
2011-07-28 14:16 . 2011-07-28 14:16 2661109 ----a-w- c:\windows\system32\Beholder.exe
2011-07-28 14:16 . 2011-07-28 14:17 1379840 ----a-w- c:\windows\system32\33.exe
2011-07-27 22:08 . 2011-07-28 14:14 9216 ----a-w- c:\windows\system32\driversrse.sys
2011-07-27 21:08 . 2011-07-27 21:08 2855936 ----a-w- c:\documents and settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\ctfmonn.exe
2011-07-27 13:48 . 2006-06-29 20:20 48896 ----a-w- c:\windows\system32\drivers\PhSerUsb.sys
2011-07-27 12:51 . 2008-11-28 15:32 559024 ----a-w- c:\windows\system32\Codejock.SkinFramework.v12.1.1.ocx
2011-07-27 12:23 . 2011-07-27 12:23 -------- d-----w- C:\Program Files
2011-07-26 16:43 . 2011-07-26 16:43 2054144 ----a-w- c:\windows\system32\win64.exe
2011-07-15 18:47 . 2011-07-15 18:47 -------- d-----w- c:\documents and settings\REVESTIR REVESTINDO\Dados de aplicativos\Media Player Classic
2011-07-15 18:30 . 2011-07-15 18:30 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\vsosdk
2011-07-15 17:34 . 2009-09-02 15:44 65602 ----a-w- c:\windows\system32\cook3260.dll
2011-07-15 17:34 . 2009-09-02 15:44 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2011-07-15 17:34 . 2009-09-02 15:44 217127 ----a-w- c:\windows\system32\drv43260.dll
2011-07-15 17:34 . 2009-09-02 15:44 208935 ----a-w- c:\windows\system32\drv33260.dll
2011-07-15 17:34 . 2009-09-02 15:44 176165 ----a-w- c:\windows\system32\drv23260.dll
2011-07-15 17:34 . 2009-09-02 15:44 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2011-07-15 17:34 . 2009-09-02 15:44 102439 ----a-w- c:\windows\system32\sipr3260.dll
2011-07-15 17:34 . 2011-07-15 17:34 -------- d-----w- c:\arquivos de programas\VSO
2011-07-15 17:21 . 2011-07-15 20:31 -------- d-----w- c:\documents and settings\REVESTIR REVESTINDO\Dados de aplicativos\Vso
2011-07-12 18:17 . 2011-07-12 18:23 -------- d-----w- c:\documents and settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\Google
2011-07-12 18:16 . 2011-07-12 18:17 -------- d-----w- c:\documents and settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\Deployment
2011-07-05 19:04 . 2011-07-05 19:04 -------- d-----w- c:\documents and settings\REVESTIR REVESTINDO\Dados de aplicativos\PDF Writer
2011-07-05 19:04 . 2011-07-05 19:04 -------- d-----w- c:\documents and settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\PDF Writer
2011-07-05 19:04 . 2011-07-05 19:04 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\PDF Writer
2011-07-05 18:58 . 2011-07-05 18:58 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Bullzip
2011-07-05 18:58 . 2010-09-27 18:27 135168 ----a-w- c:\windows\system32\bzpdfc.dll
2011-07-05 18:58 . 2008-10-31 02:15 227840 ----a-w- c:\windows\system32\bzFlRdr.dll
2011-07-05 18:58 . 2008-07-10 03:19 103424 ----a-w- c:\windows\system32\bzDCT.dll
2011-07-05 18:58 . 2010-09-27 18:28 196096 ----a-w- c:\windows\system32\bzpdf.dll
2011-07-05 18:58 . 2011-07-05 18:58 -------- d-----w- c:\arquivos de programas\Bullzip
2011-07-04 11:22 . 2011-07-04 11:22 2106216 ----a-w- c:\arquivos de programas\Mozilla Firefox\D3DCompiler_43.dll
2011-07-04 11:22 . 2011-07-04 11:22 1998168 ----a-w- c:\arquivos de programas\Mozilla Firefox\d3dx9_43.dll
2011-06-30 16:58 . 2011-06-30 16:58 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\gas
.
.
.
(((((((((((((((((((((((((((((((((((((   Relat&oacute;rio Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-21 15:09 . 2011-06-21 15:09 1409 ----a-w- c:\windows\QTFont.for
2011-06-09 12:45 . 2011-06-09 12:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-06 11:35 . 2004-08-04 03:38 1859072 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2011-04-18 16:33 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 03:45 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 02:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-04 11:22 . 2011-04-19 00:45 142296 ----a-w- c:\arquivos de programas\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e leg&iacute;timas por padr&atilde;o n&atilde;o s&atilde;o apresentadas. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 16:29 1490312 ----a-w- c:\arquivos de programas\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{D4027C7F-154A-4066-A1AD-4243D8127440}= c:\arquivos de programas\Ask.com\GenericAskToolbar.dll [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
{D4027C7F-154A-4066-A1AD-4243D8127440}= c:\arquivos de programas\Ask.com\GenericAskToolbar.dll [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Dolby&reg; Audio Digital=c:\windows\system32\33.exe [2011-07-28 1379840]
win64.exe=c:\windows\system32\win64.exe [2011-07-26 2054144]
Beholder.exe=c:\windows\system32\Beholder.exe [2011-07-28 2855936]
ctfmonn.exe=c:\documents and settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\ctfmonn.exe [2011-07-27 2855936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SiSPower=SiSPower.dll [2005-06-09 49152]
SunJavaUpdateSched=c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe [2010-10-29 249064]
GrooveMonitor=c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
ISUSPM Startup=c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe [2005-08-11 249856]
ISUSScheduler=c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
lxctmon.exe=c:\arquivos de programas\Lexmark 5400 Series\lxctmon.exe [2006-06-20 286720]
Lexmark 5400 Series Fax Server=c:\arquivos de programas\Lexmark 5400 Series\fm3032.exe [2006-07-11 294912]
EzPrint=c:\arquivos de programas\Lexmark 5400 Series\ezprint.exe [2006-06-07 98304]
LXCTCATS=c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll [2006-06-07 106496]
IgfxTray=c:\windows\system32\igfxtray.exe [2009-12-04 141848]
HotKeysCmds=c:\windows\system32\hkcmd.exe [2009-12-04 173592]
Persistence=c:\windows\system32\igfxpers.exe [2009-12-04 144920]
RTHDCPL=RTHDCPL.EXE [2009-12-03 18789408]
CertificateRegistration=aetcrss1.exe [2008-03-12 208896]
ApnUpdater=c:\arquivos de programas\Ask.com\Updater\Updater.exe [2011-05-17 395144]
QuickTime Task=c:\arquivos de programas\QuickTime\qttask.exe [2011-06-21 155648]
=c:\documents and settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\ctfmonn.exe [2011-07-27 2855936]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE=c:\windows\system32\CTFMON.EXE [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2011-4-18 110592]
Atalho_.pif [2011-7-26 9728]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2011-4-18 266240]
Windows Search.lnk - c:\arquivos de programas\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
EnableLUA= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
{56F9679E-7826-4C84-81F3-532071A8BCC5}= c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
AntiVirusOverride=dword:00000001
FirewallOverride=dword:00000001
UpdatesOverride=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
UACDisableNotify=dword:00000001
AntiVirusDisableNotify=dword:00000001
FirewallDisableNotify=dword:00000001
AntiVirusOverride=dword:00000001
FirewallOverride=dword:00000001
UpdatesDisableNotify=dword:00000001
UpdatesOverride=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
%windir%\system32\sessmgr.exe=
c:\Arquivos de programas\Microsoft Office\Office12\OUTLOOK.EXE=
c:\Arquivos de programas\Microsoft Office\Office12\GROOVE.EXE=
c:\Arquivos de programas\Microsoft Office\Office12\ONENOTE.EXE=
c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE=
c:\WINDOWS\system32\lxctcoms.exe=
c:\Arquivos de programas\Java\jre6\bin\javaw.exe=
%windir%\Network Diagnostic\xpnetdiag.exe=
c:\Arquivos de programas\Messenger\msmsgs.exe=
c:\Arquivos de programas\uTorrent\uTorrent.exe=
c:\Arquivos de programas\VectorWorks 2008\VectorWorks2008.exe=
.
R2 NAUpdate;@c:\arquivos de programas\Nero\Update\NASvc.exe,-200;c:\arquivos de programas\Nero\Update\NASvc.exe [4/5/2010 12:07 503080]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [25/1/2010 14:56 97792]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [4/5/2011 10:32 160424]
R3 IntcDAud;&Aacute;udio do v&iacute;deo Intel(R);c:\windows\system32\drivers\IntcDAud.sys [4/5/2011 10:42 215040]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys --> c:\windows\system32\drivers\gbpkm.sys [?]
S1 citqtljo;citqtljo;\??\c:\windows\system32\drivers\citqtljo.sys --> c:\windows\system32\drivers\citqtljo.sys [?]
S1 cjfbeydl;cjfbeydl;\??\c:\windows\system32\drivers\cjfbeydl.sys --> c:\windows\system32\drivers\cjfbeydl.sys [?]
S2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe --> c:\arquiv~1\GbPlugin\GbpSv.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/5/2011 10:32 1691480]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [27/7/2011 10:48 48896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\aetsprov]
2008-03-26 15:09 81920 ----a-w- c:\windows\system32\aetsprov.dll
.
Conte&uacute;do da pasta 'Tarefas Agendadas'
.
2011-07-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\arquivos de programas\Ask.com\UpdateTask.exe [2011-05-17 16:29]
.
2011-07-28 c:\windows\Tasks\User_Feed_Synchronization-{EC0CDACA-A442-4706-A05C-9D0368BA6F38}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 07:31]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bancoreal.com.br\www
Trusted Zone: bancosantander.com.br\www
Trusted Zone: realsecureweb.com.br\www
Trusted Zone: realsecureweb.com.br\www2
Trusted Zone: realsecureweb.com.br\wwws
Trusted Zone: santander.com.br\www
Trusted Zone: santanderempresarial.com.br\www
Trusted Zone: santandernet.com.br\www
Trusted Zone: santandernet.com.br\wwws
Trusted Zone: santandernetibe.com.br\www
Trusted Zone: secureweb.com.br\www
TCP: DhcpNameServer = 200.204.0.10 200.204.0.138
FF - ProfilePath - c:\documents and settings\REVESTIR REVESTINDO\Dados de aplicativos\Mozilla\Firefox\Profiles\u92pawgk.default\
FF - prefs.js: browser.startup.homepage - WWW.GOOGLE.COM.BR
.
.
------- Associa&ccedil;&atilde;o de arquivos/ficheiros -------
.
.scr=AutoCADScriptFile
.
- - - - ORF&Atilde;OS REMOVIDOS - - - -
.
HKLM-Run-31 - c:\windows\system32\31.exe
Notify- GbPluginAbn - c:\arquiv~1\GbPlugin\gbiehAbn.dll
AddRemove-Adobe Photoshop 7.0 - c:\windows\ISUN0416.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-28 11:15
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ... 
.
Procurando entradas auto inicializ&aacute;veis ocultas ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 
.
Procurando ficheiros/arquivos ocultos ... 
.
.
c:\windows\system32\Beholder.exe 2855936 bytes executable
c:\windows\system32\smss.dll 243200 bytes executable
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 2
.
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execu&ccedil;&atilde;o ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\aetcsss1.dll
c:\windows\system32\aetpkss1.dll
.
- - - - - - - > 'explorer.exe'(2500)
c:\windows\system32\WININET.dll
c:\arquivos de programas\Windows Desktop Search\deskbar.dll
c:\arquivos de programas\Windows Desktop Search\pt-br\dbres.dll.mui
c:\arquivos de programas\Windows Desktop Search\dbres.dll
c:\arquivos de programas\Windows Desktop Search\wordwheel.dll
c:\arquivos de programas\Windows Desktop Search\pt-br\msnlExtRes.dll.mui
c:\arquivos de programas\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execu&ccedil;&atilde;o ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\windows\system32\lxctcoms.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\aetcrss1.exe
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Atalho_.pif
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\Messenger.exe
.
**************************************************************************
.
Tempo para conclus&atilde;o: 2011-07-28  11:21:38 - M&aacute;quina reiniciou
ComboFix-quarantined-files.txt  2011-07-28 14:21
.
Pr&eacute;-execu&ccedil;&atilde;o: 10 pasta(s) 42.666.987.520 bytes dispon&iacute;veis
P&oacute;s execu&ccedil;&atilde;o: 13 pasta(s) 42.522.460.160 bytes dispon&iacute;veis
.
- - End Of File - - CEB6F8AE2F2663929105FD0CB6F3D734

log HijackThis v2.0.4:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:27:25, on 28/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Arquivos de programas\Nero\Update\NASvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Lexmark 5400 Series\lxctmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\aetcrss1.exe
C:\Arquivos de programas\Ask.com\Updater\Updater.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\system32\win64.exe
C:\Documents and Settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\ctfmonn.exe
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Atalho_.pif
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\WINDOWS\system32\sistray.exe
C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe
C:\Windows\System32\cmd.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Messenger.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\33.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\REVESTIR REVESTINDO\Desktop\Nova pasta (2)\HijackThis(1).exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\smss.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Arquivos de programas\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Foxit PDF Creator Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Arquivos de programas\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
O4 - HKLM\..\Run: [GrooveMonitor] C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe -start
O4 - HKLM\..\Run: [lxctmon.exe] C:\Arquivos de programas\Lexmark 5400 Series\lxctmon.exe
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] C:\Arquivos de programas\Lexmark 5400 Series\fm3032.exe /s
O4 - HKLM\..\Run: [EzPrint] C:\Arquivos de programas\Lexmark 5400 Series\ezprint.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CertificateRegistration] aetcrss1.exe
O4 - HKLM\..\Run: [ApnUpdater] C:\Arquivos de programas\Ask.com\Updater\Updater.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\Arquivos de programas\QuickTime\qttask.exe -atboottime
O4 - HKCU\..\Run: [Dolby&reg; Audio Digital] C:\WINDOWS\system32\33.exe
O4 - HKCU\..\Run: [win64.exe] C:\WINDOWS\system32\win64.exe
O4 - HKCU\..\Run: [Beholder.exe] C:\WINDOWS\system32\Beholder.exe
O4 - HKCU\..\Run: [ctfmonn.exe] C:\Documents and Settings\REVESTIR REVESTINDO\Configura&ccedil;&otilde;es locais\Dados de aplicativos\ctfmonn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Atalho_.pif = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Windows Search.lnk = C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: http://www.bancoreal.com.br
O15 - Trusted Zone: http://www.bancosantander.com.br
O15 - Trusted Zone: http://www.santander.com.br
O15 - Trusted Zone: http://www.santanderempresarial.com.br
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://certapp01.certificadodigital.com.br/testecd/scripts/capicom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Pr&eacute;-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: lxct_device -   - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: @C:\Arquivos de programas\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Arquivos de programas\Nero\Update\NASvc.exe
--
End of file - 8725 bytes

Answer

Renomeie o combofix para Uninstall e execute...

fa&ccedil;a o download e execute:
http://www.baixaki.com.br/download/norton-power-eraser.htm

fa&ccedil;a o download:
http://www.simplysup.co.uk/download/dl/trjsetup682.exe

* Instale o aplicativo... execute., permita a atualiza&ccedil;&atilde;o e efetue um scan.

Efetue o procedimento conforme o tutorial abaixo:

* http://www.caixadedicas.com/2009/04/tutorial-do-kaspersky-virus-removal.html *

Ferramentas

Mover Tópico